A critical security flaw in Apache Tomcat has been discovered and is already being actively exploited. The vulnerability, tracked as CVE-2025-24813, was publicly disclosed recently, and just 30 hours later, a public proof-of-concept (PoC) made it possible for attackers to launch targeted attacks. This flaw, which affects specific versions of Apache Tomcat, could result in remote code execution or exposure of sensitive information. Here’s an in-depth look at what this vulnerability means and how you can protect your systems.
The Apache Tomcat Vulnerability
Apache Tomcat, a popular open-source application server, has recently been affected by a severe vulnerability (CVE-2025-24813), which has already led to active exploitation attempts. The flaw impacts specific versions of Tomcat, including:
- Apache Tomcat 11.0.0-M1 to 11.0.2
- Apache Tomcat 10.1.0-M1 to 10.1.34
- Apache Tomcat 9.0.0-M1 to 9.0.98
The vulnerability stems from improper handling of PUT requests and a flawed default servlet configuration, which could lead to remote code execution or information disclosure. For an attacker to exploit the flaw, several conditions need to be met:
- The “writes” option must be enabled for the default servlet (although this is disabled by default).
- Partial PUT support must be enabled (which is enabled by default).
- A target URL for sensitive uploads must be a sub-directory of a publicly accessible URL for uploads.
- The attacker must know the names of sensitive files being uploaded.
- The sensitive files must be uploaded using a partial PUT request.
Once these conditions are met, attackers can view sensitive files or inject arbitrary content into these files through a PUT request. In more severe cases, remote code execution could be achieved if the application is using file-based session persistence and includes a vulnerable library that can be exploited via deserialization.
While the Apache Tomcat team has already patched the issue in versions 9.0.99, 10.1.35, and 11.0.3, the vulnerability is already being exploited by attackers in the wild. Wallarm, a cybersecurity company, has reported that the exploit works in two steps: first, an attacker uploads a serialized Java session file via a PUT request, and then triggers deserialization by referencing the malicious session ID in a GET request.
Notably, this vulnerability requires no authentication to exploit, making it relatively easy for attackers to target affected systems. The flaw primarily abuses session storage, but the larger concern is Tomcat’s handling of partial PUT requests, which could allow attackers to upload files anywhere, including malicious JSP files, configuration modifications, and backdoors.
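As an added defender's check, not code from the article or from the Tomcat project, the following Python audits a Tomcat install against two of the preconditions listed above: a version inside the affected ranges, and the DefaultServlet `readonly` init-param set to false (the "writes" option). It assumes the init-param name `readonly` from Tomcat's DefaultServlet documentation, treats partial PUT as enabled because the article says that is the default, and uses a constructed web.xml as sample input.

```python
import re
import xml.etree.ElementTree as ET

# First patched release per line (from the advisory): 9.0.99, 10.1.35, 11.0.3.
FIXED = {9: (9, 0, 99), 10: (10, 1, 35), 11: (11, 0, 3)}

def parse_version(v):
    """'11.0.0-M1' -> (11, 0, 0, 1); a final release gets a large 4th field so it sorts after milestones."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {v!r}")
    major, minor, patch, ms = m.groups()
    return (int(major), int(minor), int(patch), int(ms) if ms else 10**6)

def version_in_affected_range(v):
    """True for 9.0.0-M1..9.0.98, 10.1.0-M1..10.1.34 and 11.0.0-M1..11.0.2; other lines are out of scope."""
    parsed = parse_version(v)
    fixed = FIXED.get(parsed[0])
    return fixed is not None and parsed < (*fixed, 0)

def _local(tag):  # strip the XML namespace that Tomcat's conf/web.xml declares
    return tag.rsplit("}", 1)[-1]

def default_servlet_writable(web_xml):
    """The 'writes' precondition: DefaultServlet init-param readonly=false (Tomcat's default is true)."""
    for servlet in ET.fromstring(web_xml).iter():
        if _local(servlet.tag) != "servlet":
            continue
        name = next((c.text for c in servlet if _local(c.tag) == "servlet-name"), "")
        if (name or "").strip() != "default":
            continue
        for param in servlet:
            kv = {_local(c.tag): (c.text or "").strip() for c in param}
            if _local(param.tag) == "init-param" and kv.get("param-name") == "readonly":
                return kv.get("param-value", "").lower() == "false"
    return False  # param absent: Tomcat ships readonly=true

def assess(version, web_xml):
    """Partial PUT is assumed on (the default per the advisory); RCE additionally needs file-based sessions."""
    affected, writable = version_in_affected_range(version), default_servlet_writable(web_xml)
    if affected and writable:
        return "exposed"
    return "affected version, writes disabled" if affected else "outside affected ranges"

# Constructed sample (not from the article): default servlet with writes enabled.
SAMPLE_WEB_XML = ('<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee"><servlet>'
                  '<servlet-name>default</servlet-name><init-param><param-name>readonly'
                  '</param-name><param-value>false</param-value></init-param></servlet></web-app>')
if __name__ == "__main__":
    print(assess("10.1.34", SAMPLE_WEB_XML))  # prints "exposed"
```

Run it against the real `conf/web.xml` and the `server/version` output of each instance; a result of "exposed" means the upgrade and `readonly=true` should happen before anything else.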
What Undercode Says:
This vulnerability in Apache Tomcat is a significant concern, especially given the speed with which attackers have already begun exploiting it. The fact that the PoC for this vulnerability was released only 30 hours after its public disclosure shows just how quickly threat actors can capitalize on such flaws. What’s even more concerning is the ease with which this vulnerability can be exploited, as it requires no authentication, making it a low-barrier attack vector.
The biggest issue here
Another troubling aspect is that this vulnerability is not confined to a single version of Apache Tomcat but affects multiple versions across different release lines (9.x, 10.x, and 11.x). This broad impact makes the vulnerability a widespread threat that administrators need to address urgently.
One key takeaway from this situation is that systems with file-based session persistence are at a higher risk, particularly if they use outdated versions of Tomcat. Administrators should upgrade to the latest patched versions (9.0.99, 10.1.35, or 11.0.3) as soon as possible to mitigate the threat.
Lastly, the fact that this vulnerability was discovered so quickly by attackers highlights the importance of timely patching and the need for strong monitoring to detect unusual activity. With the current exploitation already underway, it is clear that the window for defending against this attack is rapidly closing. The best defense now is proactive patch management and ensuring that all affected systems are updated without delay.
Fact Checker Results:
- The flaw (CVE-2025-24813) is actively being exploited and poses a significant risk to unpatched systems.
- This vulnerability is not difficult to exploit, requiring no authentication and only a few specific configuration settings.
- Apache Tomcat versions 9.0.99, 10.1.35, and 11.0.3 have been patched to address this issue.
References:
Reported By: https://thehackernews.com/2025/03/apache-tomcat-vulnerability-comes-under.html