A recently disclosed security vulnerability in Apache Tomcat is already being actively exploited. Details of the flaw, tracked as CVE-2025-24813, together with a proof-of-concept (PoC) exploit, were published within just 30 hours of its initial announcement.

This vulnerability affects several Apache Tomcat release lines: 11.0.0-M1 to 11.0.2, 10.1.0-M1 to 10.1.34, and 9.0.0-M1 to 9.0.98. The primary concern is remote code execution or unauthorized information disclosure, which is possible only under specific conditions: the default servlet must have write permissions enabled, partial PUT requests must be supported, and the target URL must allow security-sensitive files to be uploaded in a vulnerable manner.

Exploitation is possible if an attacker knows the names of the sensitive files, uses partial PUT requests to upload them, and the Tomcat instance is configured in a way that permits this. Notably, successful exploitation could allow attackers to view sensitive data or inject content into uploaded files through a PUT request.

The impact escalates further: remote code execution (RCE) is also achievable if the default servlet allows writes, partial PUT is enabled, the application uses Tomcat's default session storage, and it includes a library that could be leveraged in a deserialization attack. An advisory issued by the project maintainers stated that the vulnerability has been patched in versions 9.0.99, 10.1.35, and 11.0.3.

Despite these patches, exploitation attempts have already been observed. Notably, Wallarm, a cybersecurity firm, indicated that the exploit takes advantage of Tomcat’s session persistence mechanism and the use of partial PUT requests. Attackers first upload a serialized Java session file through a PUT request and then trigger the exploit by referencing a malicious session ID in a GET request. This effectively leads to the execution of malicious code upon deserialization.

Wallarm highlighted that the exploitation process is relatively straightforward and does not require authentication, solely relying on the use of file-based session storage in Tomcat. Beyond session storage, the more significant concern is the vulnerable handling of partial PUT requests, which permits virtually unrestricted file uploads. This could prompt attackers to adopt more sophisticated tactics, including uploading harmful JSP files and modifying configurations to establish backdoors.
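As an added illustration (not code from the article, Wallarm, or the Tomcat project), the following Python helper maps the preconditions described above, affected version, writable default servlet, partial PUT support and file-based session storage, to checks against a Tomcat version string, a conf/web.xml and a context.xml. It assumes the DefaultServlet's documented init-params `readonly` and `allowPartialPut`, and the sample configuration files it runs on are constructed.

```python
import re
import xml.etree.ElementTree as ET

FIXED = {9: (9, 0, 99), 10: (10, 1, 35), 11: (11, 0, 3)}  # patched releases named in the advisory

def is_affected_version(version):
    """Covers 9.0.0-M1..9.0.98, 10.1.0-M1..10.1.34 and 11.0.0-M1..11.0.2 (milestone suffix ignored)."""
    v = tuple(int(x) for x in re.findall(r"\d+", version)[:3])  # "11.0.0-M1" -> (11, 0, 0)
    if len(v) != 3:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    return v[0] in FIXED and v < FIXED[v[0]]

def default_servlet_params(web_xml):
    local = lambda e: e.tag.rsplit("}", 1)[-1]  # compare tags without the Jakarta/Java EE namespace
    for servlet in (e for e in ET.fromstring(web_xml).iter() if local(e) == "servlet"):
        kids = {local(c): c for c in servlet}
        if (kids["servlet-name"].text or "").strip() != "default":
            continue
        params = {}
        for ip in servlet:
            if local(ip) == "init-param":
                kv = {local(c): (c.text or "").strip() for c in ip}
                params[kv.get("param-name")] = kv.get("param-value")
        return params
    return {}  # no explicit 'default' servlet in this file: DefaultServlet defaults apply

def uses_file_session_store(context_xml):
    """PersistentManager backed by a FileStore: the file-based session storage Wallarm describes."""
    for mgr in ET.fromstring(context_xml).iter("Manager"):
        if "PersistentManager" in mgr.get("className", ""):
            return any("FileStore" in s.get("className", "") for s in mgr.iter("Store"))
    return False

def assess(version, web_xml, context_xml):
    p = default_servlet_params(web_xml)  # DefaultServlet defaults: readonly=true, allowPartialPut=true
    r = {"affected_version": is_affected_version(version),
         "default_servlet_writable": p.get("readonly", "true").lower() == "false",
         "partial_put_enabled": p.get("allowPartialPut", "true").lower() != "false",
         "file_session_store": uses_file_session_store(context_xml)}
    r["upload_exposed"] = r["affected_version"] and r["default_servlet_writable"] and r["partial_put_enabled"]
    r["rce_chain_exposed"] = r["upload_exposed"] and r["file_session_store"]
    return r

# Constructed sample configuration resembling a weak deployment (not taken from any real host).
WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee"><servlet>
 <servlet-name>default</servlet-name><servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
 <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
</servlet></web-app>"""
CONTEXT_XML = """<Context><Manager className="org.apache.catalina.session.PersistentManager">
 <Store className="org.apache.catalina.session.FileStore"/></Manager></Context>"""
```

Run `assess("10.1.34", WEB_XML, CONTEXT_XML)` to see every flag set; the same configuration on 10.1.35 reports no exposure because the version check fails first.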

Organizations running affected versions of Tomcat are strongly encouraged to update promptly to mitigate these threats. Recent reports from GreyNoise reveal that multiple IP addresses from various countries, including China, Germany, Italy, Latvia, and the United States, have attempted to exploit this vulnerability. The majority of these attempts have targeted systems in the United States, Japan, India, South Korea, and Mexico, with U.S.-based systems the most affected.

Additionally, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has classified this vulnerability as a Known Exploited Vulnerability (KEV), mandating that federal agencies apply necessary patches by April 22, 2025.
