Speed with Precision: Early and Accurate Response to Apache Camel CVEs
In March 2025, two vulnerabilities in Apache Camel surfaced — CVE-2025-27636 and CVE-2025-29891. Although many vendors scrambled to respond (and took several days to do so), Akamai was several steps ahead. We were not only the first to protect against both CVEs, but our collaboration with Citi Cyber Security Operations also led to the discovery and reporting of the second exploitation vector.
We sometimes take a response like this for granted — it’s just a day in the life of the Akamai Security Intelligence Group (SIG). But when we stop and reflect on it, we believe this achievement is exactly what makes Akamai unique: our proximity to customers and our security researchers who don’t just monitor threats, but who work hand-in-hand with users to find them and fight back.
A small but mighty threat: Discovery through collaboration
We deployed an Adaptive Security Engine Rapid Rule in Akamai App & API Protector for CVE-2025-27636 on March 7, 2025 — two days before the public CVE release on March 9. We beat the public release because of the incredible visibility of our platform: We observed attacks exploiting this vulnerability, partnered with the target customer’s security team, and built an accurate protection.
Close collaboration between the Akamai SIG and Citi Cyber Security Operations led to their discovery and our validation and reporting of a bypass to this new protection. A case-sensitivity flaw in Apache Camel’s header filtering mechanism allowed attackers to evade protections by exploiting mixed-case parameter names — a subtle yet critical oversight in the original fix.
This collaborative work and our report to Apache Security prompted the creation of CVE-2025-29891 on March 12, 2025. At the time, there was no public evidence that other providers had protections in place for the second CVE. This isn’t a coincidence; it’s the outcome of a model that prioritizes embedded security partnerships. It’s also the result of having a threat research team that doesn’t clock out — they dig in.
How much faster does Akamai protect our customers against threats like these Apache Camel CVEs? In this instance, Akamai customers had vastly more lead time for mitigation than customers of other cybersecurity vendors. The table compares Akamai’s response times with those of another popular cybersecurity vendor.
Akamai |
Other vendor |
Difference in response time |
|
|---|---|---|---|
Apache Camel: CVE-2025–27636 |
March 7, 2025 |
March 11, 2025 |
4 days |
Apache Camel bypass: CVE-2025-29891 |
March 12, 2025 |
April 2, 2025 |
21 days |
Table: Response times to CVE-2025-27636 and CVE-2025-29891: Akamai vs. another popular cybersecurity vendor
Rapid Rules: Speed built with precision
When threats emerge, time matters. But so does accuracy. How does Akamai achieve both? Rapid Rules. Akamai’s Rapid Rules capability — the intersection of the technical prowess and hard-working dedication of our threat researchers with App & API Protector’s cutting-edge technology — allows us to deliver near-real-time protections without sacrificing precision.
Rapid Rules have been designed to empower Akamai’s SIG to release security updates in three hours for high-profile vulnerability and threats. In March 2025 alone, in addition to the Apache Camel vulnerabilities, we released protections for three other security issues that block request smuggling attacks and exploitations of an Apache Tomcat vulnerability and a Next.js vulnerability.
To achieve such swift response times, Akamai developed a dedicated infrastructure to support Rapid Rules releases, automated rule development, and a reliable testing framework against shadow customer traffic and process optimizations. In addition, we implemented extensive safety controls that allow us to quickly release rules, rapidly address unwanted behavior, and update the detection logic in a version-controlled manner as an attack evolves.
Furthermore, Rapid Rules enable customers to have a flexible mitigation strategy. This enables an organization to use auto-updates for high-profile threats while maintaining manual control for standard protections. This dual approach allows for robust security without disrupting existing operational workflows.
Trust matters. Precision matters more.
Let’s continue our comparison of what happened elsewhere in the industry after the creation of CVE-2025-27636 and CVE-2025-29891. On April 1, the popular cybersecurity vendor updated their system status with an incident report about instability from web application firewall (WAF) false positives tied to what appeared to be an overly broad patch for the Apache Camel bypass (CVE-2025-29891), which in turn led to the denial of legitimate traffic.
By April 2, this vendor's change log showed they deployed a new update to address the bypass.
Deploying protections is important, but so is being precise; failing to be precise can result in other, unintended customer impacts, such as operational disruption, legal fallout, and public relations damage. At Akamai, we believe you shouldn’t have to choose. Our customers expect both — and that’s what we deliver. Quick, precise protection.
Akamai’s speed and precision earns customer trust
Akamai's rapid deployment of protection for Apache Camel vulnerabilities exemplifies our ability to act with both speed and precision — core reasons why customers consistently place their trust in us.
When threats emerge, attackers don’t wait, and neither do we. Backed by our Adaptive Security Engine and Rapid Rules, Akamai can swiftly detect and mitigate novel threats, providing zero-touch updates and using a threat intelligence ecosystem built from one of the largest global networks.
This agility is precisely what Forrester says about Akamai in the latest The Forrester Wave: Web Application Firewall Solutions report: “reference customers loved Akamai’s detection capabilities and appreciated how easy it is to automate functionality.”
As further validation, Akamai has been named a Customers’ Choice for Cloud WAAP by Gartner, an honor we’ve held for five consecutive years. It’s that trusted combination of fast-acting innovation and consistent protection that makes Akamai the vendor that organizations depend on when seconds matter.
The takeaway
The Apache Camel vulnerabilities are a textbook case in modern security response: real-time collaboration, zero-day discovery, and precision-driven rule deployment. This is what happens when a security vendor is embedded into your workflows — not just reacting to the threat landscape, but helping shape it.
At Akamai, we power and protect life online. When it matters most, our customers know who to call.
Get started
Ready to compare WAF security? Start with our strategic guide, The Ultimate WAF Evaluation Checklist.
Forrester does not endorse any company, product, brand, or service included in its research publications and does not advise any person to select the products or services of any company or brand based on the ratings included in such publications. Information is based on the best available resources. Opinions reflect judgment at the time and are subject to change. For more information, read about Forrester’s objectivity here.
GARTNER is a registered trademark and service mark, and PEER INSIGHTS is a registered trademark, of Gartner, Inc. and/or its affiliates in the U.S. and internationally and are used herein with permission. All rights reserved. Gartner Peer Insights content consists of the opinions of individual end users based on their own experiences with the vendors listed on the platform, should not be construed as statements of fact, nor do they represent the views of Gartner or its affiliates. Gartner does not endorse any vendor, product or service depicted in this content nor makes any warranties, expressed or implied, with respect to this content, about its accuracy or completeness, including any warranties of merchantability or fitness for a particular purpose.
Please note that this report was previously known as Gartner Peer Insights ‘Voice of the Customer’: Web Application and API Protection in 2022 , as Gartner Peer Insights ‘Voice of the Customer’: Web Application Firewalls in 2021 and as Gartner Peer Insights ‘Voice of the Customer’: Web Application Firewalls in 2020.