Pierluigi Paganini
April 02, 2025
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added an Apache Tomcat path equivalence vulnerability, tracked as CVE-2025-24813, to its Known Exploited Vulnerabilities (KEV) catalog.
The Apache Tomcat vulnerability CVE-2025-24813 was recently disclosed and is being actively exploited just 30 hours after a public PoC was released.
The issue is a path equivalence flaw in Apache Tomcat that allows remote code execution or information disclosure if specific conditions are met. The vulnerability affects multiple versions including 11.0.0-M1 to 11.0.2, 10.1.0-M1 to 10.1.34, and 9.0.0.M1 to 9.0.98. Exploitation requires write-enabled default servlet, partial PUT support, and specific file handling conditions.
“The original implementation of partial PUT used a temporary file based on the user provided file name and path with the path separator replaced by “.”.” reads the advisory.
“If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files:
If all of the following were true, a malicious user was able to perform remote code execution:
Tomcat versions 9.0.99, 10.1.35, and 11.0 addressed the vulnerability.
Wallarm researchers confirmed active exploitation of the flaw and added that attackers can hijack Apache Tomcat servers with a single PUT API request. PoC is online.
“A devastating new remote code execution (RCE) vulnerability, CVE-2025-24813, is now actively exploited in the wild. ” reads the advisory published by Wallarm. “Attackers need just one PUT API request to take over vulnerable Apache Tomcat servers. The exploit, originally published by a Chinese forum user iSee857, is already available online: CVE-2025-24813 PoC by iSee857.”
The attack exploits Tomcat’s session persistence and partial PUT requests by uploading a malicious Java session file and triggering deserialization via a GET request.
The attack involves two steps:
“This attack is dead simple to execute and requires no authentication. The only requirement is that Tomcat is using file-based session storage, which is common in many deployments.” concludes the advisory. “Worse, base64 encoding allows the exploit to bypass most traditional security filters, making detection challenging.”
Wallarm researchers warn that most Web Application Firewalls (WAFs) fail to detect this attack because the PUT request appears normal and lacks obvious malicious content. The payload is base64-encoded, evading pattern-based detection, and the attack occurs in two steps, with execution happening only during deserialization. Additionally, most WAFs do not thoroughly inspect uploaded files or track multi-step exploits. As a result, by the time organizations notice the breach in their logs, it is already too late.
Users are recommended to update their affected Tomcat versions immediately to mitigate potential threats.
According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.
CISA orders federal agencies to fix this vulnerability by April 22, 2025.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, CISA)
