A newly disclosed security flaw in Apache Tomcat is being actively exploited in the wild, with attackers taking advantage of a publicly available proof-of-concept (PoC) just 30 hours after its disclosure.
Critical Apache Tomcat Vulnerability (CVE-2025-24813)
The vulnerability, tracked as CVE-2025-24813, affects multiple versions of Apache Tomcat, specifically:
- Apache Tomcat 11.0.0-M1 to 11.0.2
- Apache Tomcat 10.1.0-M1 to 10.1.34
- Apache Tomcat 9.0.0-M1 to 9.0.98
This security flaw could lead to remote code execution (RCE) or information disclosure when specific conditions are met, including:
- Writes enabled for the default servlet (disabled by default)
- Partial PUT support enabled (enabled by default)
- A security-sensitive upload target within a public upload directory
- Attackers knowing the names of sensitive files being uploaded
- Sensitive files uploaded via partial PUT requests
How Attackers Exploit CVE-2025-24813
Successful exploitation could allow an attacker to view sensitive files or inject malicious content into them via a PUT request. More critically, attackers could achieve remote code execution under these additional conditions:
- Writes enabled for the default servlet
- Partial PUT support enabled
- Application using Tomcat’s file-based session persistence (default location)
- Application includes a vulnerable library that allows deserialization attacks
Tomcat Exploitation in the Wild
Despite a fix being issued in Tomcat versions 9.0.99, 10.1.35, and 11.0.3, attackers have already started exploiting the flaw, according to cybersecurity firm Wallarm.
How the Exploit Works:
- The attacker uploads a serialized Java session file via a PUT request.
- The attacker triggers deserialization by referencing the malicious session ID in a GET request.
The exploit relies on sending a Base64-encoded serialized Java payload, which gets stored in Tomcat’s session storage directory. When the attacker then sends a GET request whose JSESSIONID points to that stored payload, Tomcat deserializes it and the malicious code runs.
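The two-step sequence just described (a partial PUT that lands in session storage, then a GET presenting that name as a JSESSIONID) is visible in access logs if the log pattern records the relevant headers. The script below is an added detection example, not code from the article, from Wallarm, or from the Tomcat project. It assumes an AccessLogValve pattern of `%h %t "%r" %s "%{Content-Range}i" "%{Cookie}i"` (Content-Range marks a partial PUT), and it assumes the uploaded file's basename without extension is the session ID the attacker later presents; the log lines are constructed for the example.

```python
import re
from os.path import basename, splitext

# Assumed AccessLogValve pattern (constructed for this example):
#   %h %t "%r" %s "%{Content-Range}i" "%{Cookie}i"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
    r'"(?P<crange>[^"]*)" "(?P<cookie>[^"]*)"$'
)
JSESSIONID_RE = re.compile(r'(?:^|;\s*)JSESSIONID=([^;\s]+)')


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match the pattern."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect(lines):
    """Return (rule, host, detail, line_no) findings for the PUT-then-GET pattern.

    rule "partial_put": any PUT carrying a Content-Range header (partial PUT).
    rule "uploaded_session_used": a later GET whose JSESSIONID equals the
    basename (minus extension) of a file written by a partial PUT.
    """
    findings = []
    uploaded = {}  # candidate session id -> host that uploaded it (assumption: id == basename)
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "PUT" and rec["crange"] not in ("", "-"):
            findings.append(("partial_put", rec["host"], rec["path"], n))
            sid, _ext = splitext(basename(rec["path"]))
            uploaded[sid] = rec["host"]
        elif rec["method"] == "GET":
            m = JSESSIONID_RE.search(rec["cookie"])
            if m and m.group(1) in uploaded:
                findings.append(("uploaded_session_used", rec["host"], m.group(1), n))
    return findings


# Constructed sample log: one suspicious pair, one ordinary session, one ordinary full PUT.
SAMPLE_LOG = "\n".join([
    '10.0.0.5 [15/Mar/2025:10:01:02 +0000] "PUT /app/abc123.session HTTP/1.1" 201 "bytes 0-1023/2048" "-"',
    '10.0.0.5 [15/Mar/2025:10:01:03 +0000] "GET /app/ HTTP/1.1" 200 "-" "JSESSIONID=abc123"',
    '192.0.2.9 [15/Mar/2025:10:02:00 +0000] "GET /app/index.jsp HTTP/1.1" 200 "-" "JSESSIONID=legit42"',
    '10.0.0.7 [15/Mar/2025:10:03:00 +0000] "PUT /app/upload/report.pdf HTTP/1.1" 204 "-" "-"',
])

if __name__ == "__main__":
    for rule, host, detail, line_no in detect(SAMPLE_LOG.splitlines()):
        print(f"line {line_no}: {rule} from {host}: {detail}")
```

The first rule alone is noisy on applications that legitimately use partial PUT, so treat it as context; the correlated second rule is the high-confidence signal, and it only works if the session file name and the cookie value are both logged.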
No Authentication Required – A Major Concern
Wallarm warns that this vulnerability is trivial to exploit and requires no authentication. The only requirement is that Tomcat uses file-based session storage.
“While this exploit abuses session storage, the bigger issue is partial PUT handling in Tomcat, which allows attackers to upload almost any file anywhere,” Wallarm added. “Hackers will soon modify their tactics, uploading malicious JSP files, modifying configurations, and planting backdoors beyond session storage.”
Mitigation: Update Tomcat Immediately
Users running affected versions of Apache Tomcat should immediately update to the patched versions to prevent potential attacks. Upgrading to Tomcat 9.0.99, 10.1.35, or 11.0.3 is crucial for securing applications against this rapidly evolving threat.
The rapid exploitation of CVE-2025-24813 highlights the urgency of applying security patches as soon as they become available. Given the simplicity of the attack and its potential for remote code execution, organizations using vulnerable Tomcat versions must act fast to mitigate the risk and prevent unauthorized access or system compromise.