Apache Tomcat CVE-2025-24813: Understanding and Mitigating the Remote Code Execution Threat

Introduction:

A serious vulnerability, identified as CVE-2025-24813, has been disclosed in Apache Tomcat, a widely used web server software. This unauthenticated remote code execution (RCE) flaw within Tomcat’s partial PUT feature could, under specific circumstances, allow attackers to execute code remotely on target systems. While initial reports suggested broad exploitation, further analysis indicates that successful exploitation requires specific, non-default, and uncommon configurations. However, with public proof-of-concept (PoC) exploit code now available, it’s crucial for organisations using affected versions to understand the risk and take appropriate action.

What is CVE-2025-24813?

CVE-2025-24813 is an unauthenticated Remote Code Execution (RCE) vulnerability that stems from how Apache Tomcat handles PUT and GET requests in conjunction with its partial PUT feature. The vulnerability, which carries a CVSS score of 5.5 according to SOCRadar and a CRITICAL base score of 9.8 according to NIST, could also lead to information disclosure and/or the addition of malicious content to uploaded files.

The root cause lies in a path equivalence issue ('file.Name', internal dot) within the write-enabled Default Servlet, which can be leveraged in combination with partial PUT support.

How the Exploit Works:

According to researchers at Wallarm, the attack sequence involves a two-step process:

  1. Uploading a malicious session file: An attacker sends a PUT request containing a base64-encoded serialized Java payload. This payload is then stored in Tomcat's session storage.
  2. Triggering execution: A subsequent GET request is sent, including a JSESSIONID cookie that references the previously uploaded malicious session file. This action forces Tomcat to deserialize and execute the malicious Java code, potentially granting the attacker full control over the server.

It's worth noting that many Web Application Firewalls (WAFs) may struggle to detect this exploitation due to the legitimate nature of PUT requests, the obfuscation of the payload through base64 encoding, and the multi-step execution process.

Conditions for Successful Exploitation:

The sources highlight specific conditions that must be met for successful exploitation.

For Viewing/Injecting Content into Security-Sensitive Files:

  • Writes enabled for the default servlet: This is disabled by default.
  • Support for partial PUT: This is enabled by default.
  • A target URL for security-sensitive uploads being a sub-directory of a target URL for public uploads. (Rapid7 and other researchers found this to be unnecessary for exploitation)
  • Attacker knowledge of the names of security-sensitive files being uploaded. (Rapid7 and other researchers found this to be unnecessary for exploitation)
  • The security-sensitive files also being uploaded via partial PUT. (Rapid7 and other researchers found this to be unnecessary for exploitation)

For Remote Code Execution:

  • Writes enabled for the default servlet: This is disabled by default.
  • Support for partial PUT: This is enabled by default.
  • The application is using Tomcat's file-based session persistence with the default storage location: This is disabled by default.
  • The application includes a library that may be leveraged in a deserialization attack: This is common in many Java applications.

Rapid7's analysis suggests that the exploitable configuration for RCE is relatively uncommon: a GitHub code search found only a small number of open-source Tomcat projects publicly using write-enabled default servlet configurations.

Real-World Exploitation and Impact:

While news headlines have alleged broad exploitation, Rapid7 has been unable to confirm any successful exploitation against real-world production environments. SOCRadar reported the first known attack in Poland on March 12, even before a public PoC was available. Public PoC exploits have since surfaced on GitHub.

Red Hat has rated this vulnerability as high severity with a score of 8.6. Successful exploitation could allow attackers to:

  • Deploy malicious JSP files for persistent access.
  • Modify Tomcat configurations to escalate privileges.
  • Plant backdoors outside session storage for long-term control.

Researchers caution that this could be the initial phase of attacks, with future exploits potentially focusing on uploading rogue JSP files and establishing persistent access.

Affected Apache Tomcat Versions

  • Apache Tomcat 11.0.0-M1 to 11.0.2
  • Apache Tomcat 10.1.0-M1 to 10.1.34
  • Apache Tomcat 9.0.0.M1 to 9.0.98

Mitigation and Patching

The recommended course of action is to upgrade to the following fixed versions as soon as possible:

  • Apache Tomcat 11.0.3 or later
  • Apache Tomcat 10.1.35 or later
  • Apache Tomcat 9.0.99 or later
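To turn the two version lists above into an inventory check, here is a small Python helper (added here, not part of the original post or of the Tomcat project) that classifies a Tomcat version string against the affected ranges exactly as listed. It assumes the version is given in Tomcat's own format, including the milestone spellings 10.1.0-M1 and 9.0.0.M1, optionally prefixed with "Apache Tomcat/" as printed by `catalina.sh version`.

```python
import re

# Affected ranges as listed in this post (inclusive); fixed in 11.0.3, 10.1.35 and 9.0.99.
AFFECTED_PATCH_RANGE = {
    (11, 0): (0, 2),    # 11.0.0-M1 .. 11.0.2
    (10, 1): (0, 34),   # 10.1.0-M1 .. 10.1.34
    (9, 0): (0, 98),    # 9.0.0.M1  .. 9.0.98
}

# Milestones appear as 10.1.0-M1 (dash) or, on the 9.0 branch, 9.0.0.M1 (dot).
VERSION_RE = re.compile(r"^(?:Apache Tomcat/)?(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")


def parse_version(text):
    """Return (major, minor, patch, milestone); milestone is None for a GA build."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    return int(major), int(minor), int(patch), (int(milestone) if milestone else None)


def is_affected(text):
    """True/False for a branch this post covers; None for a branch it does not list."""
    major, minor, patch, _milestone = parse_version(text)
    bounds = AFFECTED_PATCH_RANGE.get((major, minor))
    if bounds is None:
        return None  # e.g. 8.5.x: not in the post's lists, so no verdict is given here
    low, high = bounds
    # A milestone build precedes the GA build with the same patch number, so a milestone
    # whose patch number lies inside the range (e.g. 11.0.0-M1) is affected as well.
    return low <= patch <= high
```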

Organisations should review their Tomcat configurations to determine their specific risk, even if they intend to upgrade. Pay close attention to whether the default servlet has write access enabled and if file-based session persistence is in use with the default storage location.

Conclusion

While the conditions for successful exploitation of CVE-2025-24813 appear to be specific and not enabled by default, the availability of public PoC code and reports of in-the-wild attempts underscore the importance of taking this vulnerability seriously. Upgrading to the latest fixed versions of Apache Tomcat is the most effective way to mitigate this risk. Organisations should also review their configurations to understand their potential exposure and implement broader security best practices.

Published by
panosnet
