Pierluigi Paganini March 17, 2025

Threat actors began exploiting a recently disclosed Apache Tomcat vulnerability immediately after the release of a PoC exploit code.

A newly disclosed Apache Tomcat vulnerability, tracked as CVE-2025-24813, is being actively exploited just 30 hours after a public PoC was released.

The issue is a path equivalence flaw in Apache Tomcat that allows remote code execution or information disclosure if specific conditions are met. The vulnerability affects multiple versions including 11.0.0-M1 to 11.0.2, 10.1.0-M1 to 10.1.34, and 9.0.0.M1 to 9.0.98. Exploitation requires write-enabled default servlet, partial PUT support, and specific file handling conditions.

“The original implementation of partial PUT used a temporary file based on the user provided file name and path with the path separator replaced by “.”.” reads the advisory.

“If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files:

• writes enabled for the default servlet (disabled by default)
• support for partial PUT (enabled by default)
• a target URL for security sensitive uploads that is a sub-directory of a target URL for public uploads
• attacker knowledge of the names of security sensitive files being uploaded
• the security sensitive files also being uploaded via partial PUT

If all of the following were true, a malicious user was able to perform remote code execution:

• writes enabled for the default servlet (disabled by default)
• support for partial PUT (enabled by default)
• application was using Tomcat’s file based session persistence with the default storage location
• application included a library that may be leveraged in a deserialization attack”

Tomcat versions 9.0.99, 10.1.35, and 11.0 addressed the vulnerability.

Wallarm researchers confirmed active exploitation of the flaw and added that attackers can hijack Apache Tomcat servers with a single PUT API request. PoC is online.

“A devastating new remote code execution (RCE) vulnerability, CVE-2025-24813, is now actively exploited in the wild. ” reads the advisory published by Wallarm. “Attackers need just one PUT API request to take over vulnerable Apache Tomcat servers. The exploit, originally published by a Chinese forum user iSee857, is already available online: CVE-2025-24813 PoC by iSee857.”

The attack exploits Tomcat’s session persistence and partial PUT requests by uploading a malicious Java session file and triggering deserialization via a GET request.

The attack involves two steps:

1. Uploading a Malicious Serialized Session – The attacker sends a PUT request containing a base64-encoded ysoserial gadget chain, storing it in Tomcat’s session directory.
2. Triggering Execution via Session Cookie – A GET request with the JSESSIONID referencing the malicious session forces Tomcat to deserialize and execute the payload, granting remote access.

“This attack is dead simple to execute and requires no authentication. The only requirement is that Tomcat is using file-based session storage, which is common in many deployments.” concludes the advisory. “Worse, base64 encoding allows the exploit to bypass most traditional security filters, making detection challenging.”

Wallarm researchers warn that most Web Application Firewalls (WAFs) fail to detect this attack because the PUT request appears normal and lacks obvious malicious content. The payload is base64-encoded, evading pattern-based detection, and the attack occurs in two steps, with execution happening only during deserialization. Additionally, most WAFs do not thoroughly inspect uploaded files or track multi-step exploits. As a result, by the time organizations notice the breach in their logs, it is already too late.

Users are recommended to update their affected Tomcat versions immediately to mitigate potential threats.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Apache Tomcat)