In March 2025, Apache disclosed CVE-2025-24813, a vulnerability impacting Apache Tomcat. This is a widely used platform that allows Apache web servers to run Java-based web applications.
The flaw allows remote code execution, affecting Apache Tomcat versions 9.0.0.M1 to 9.0.98, 10.1.0-M1 to 10.1.34 and 11.0.0-M1 to 11.0.2. The same month, Apache revealed two additional vulnerabilities in Apache Camel, a message routing middleware framework. These vulnerabilities are CVE-2025-27636 and CVE-2025-29891, two flaws that allow remote code execution, affecting Apache Camel versions 4.10.0 to 4.10.1, 4.8.0 to 4.8.4 and 3.10.0 to 3.22.3. These vulnerabilities are significant because millions of developers rely on the platform provided by the Apache Foundation.
Read more…
Source: Palo Alto Unit 42
Sign up for the Cyber Security Review Newsletter
The latest news and insights delivered right to your inbox.
Related:
- Google Project Zero: ‘Here’s the secret to flagging up bugs before hackers find them’
August 3, 2018
Samsung’s utterly confusing vulnerability reporting website has prompted one of Google’s top security researchers to explain how companies should help researchers report bugs and eliminate hackable flaws in products quickly. Google’s Project Zero bug hunter, Natalie Silvanovich, who Microsoft has recognized as a top 10 researcher in the world, has a few tips for vendors of all types ...
- Poor cybersecurity could destabilise increasingly complex energy grids
July 26, 2018
The future of smart energy grids, with automatic management of both supply and demand, is “looking really interesting”, says Phil Kernick, chief technology officer at security firm CQR Consulting. But the current state of the technology and its security is a problem. “The distribution systems and the generation systems were deployed a decade and a half ...
- NetSpectre — New Remote Spectre Attack Steals Data Over the Network
July 26, 2018
A team of security researchers has discovered a new Spectre attack that can be launched over the network, unlike all other Spectre variants that require some form of local code execution on the target system. Dubbed “NetSpectre,” the new remote side-channel attack, which is related to Spectre variant 1, abuses speculative execution to perform bounds-check bypass ...
- Massive Malspam Campaign Finds a New Vector for FlawedAmmyy RAT
July 20, 2018
A widespread spam campaign from the well-known financial criminal group TA505 is spreading the FlawedAmmyy RAT using a brand-new vector: Weaponized PDFs containing malicious SettingContent-ms files. The SettingContent-ms file format was introduced in Windows 10; it allows a user to create “shortcuts” to various Windows 10 setting pages. “All this file does is open the Control Panel ...
- DDoS Attacks Get Bigger, Smarter and More Diverse
July 17, 2018
DDoS attacks are relentless. New techniques, new targets and a new class of attackers continue to reinvigorate one of the internet’s oldest nemeses. Distributed denial of service attacks, bent on taking websites offline by overwhelming domains or specific application infrastructure with massive traffic flows, continue to pose a major challenge to businesses of all stripes. Being ...
- Investigation reveals elaborate technology terror web
July 16, 2018
In late December 2015 a uniformed Pentagon spokesman, Colonel Steve Warren, made a video announcement about “Operation Inherent Resolve”, the US military’s campaign against the so-called Islamic State (IS) group in Iraq and Syria. The spokesman gave details about 10 senior IS figures who had been targeted and killed, many in drone strikes, over the course ...

