Apache Tomcat Vulnerability Exploited

THE THREAT

On March 17th, 2025, security researchers confirmed that threat actors are now exploiting the recently disclosed Apache Tomcat vulnerability CVE-2025-24813. This vulnerability was publicly disclosed on March 10th, and the earliest signs of exploitation have been traced back to March 12th. Proof-of-Concept (PoC) exploit code is available, simplifying the attack process for less skilled threat actors.

CVE-2025-24813 is described as a path equivalence vulnerability. Exploitation may allow threat actors to add malicious content to uploaded files, cause information disclosure, and achieve Remote Code Execution (RCE). The vulnerability may be exploited without any prior access or authentication.

As exploitation has been confirmed, organizations are strongly encouraged to update all Apache Tomcat servers to a secure version immediately.

What we’re doing about it

• eSentire MDR for Network has rules in place to identify exploitation attempts
• eSentire Managed Vulnerability Service (MVS) has plugins in place to identify vulnerable devices
• The eSentire Threat Response Unit is actively tracking this topic for additional details and detection opportunities

What you should do about it

• After performing a business impact review, apply the relevant security patches immediately
  • Upgrade to version 11.0.3, 10.1.35, or 9.0.98
• Ensure server hardening of Apache Tomcat Servers
  • Prevent incomplete or unauthorized file uploads by disabling partial PUT support
  • Configure the default servlet write access to read only (readonly= "true")
  • Set the session persistence directory to a secure, custom folder instead of using the default storage location

Additional information

Apache Tomcat is a popular open-source Java web application server. Internet scanning services, such as Shodan, report nearly 100,000 Internet-facing Apache Tomcat servers; this number does not specifically reflect vulnerable servers.

The real-world exploitation of CVE-2025-24813 to perform Remote Code Execution (RCE) was first identified by Wallarm researchers, prior to the public disclosure of the Proof-of-Concept (PoC) exploit code. Threat actors are now reportedly leveraging the PoC exploit code to gain complete access to the vulnerable Apache servers.

The attack occurs in two stages, ultimately granting the attacker full remote access. Initially, the attackers send a PUT request uploading Base-64 encoded malicious serialized session file to the server. The file gets automatically written to the server’s session storage directory, thereby storing the payload onto the disk. The next stage of the attack involves triggering deserialization of the session. The attacker sends a GET request with the JSESSIONID addressing the malicious session. In response to which the server retrieves the file from the disk causing deserialization and execution of malicious JavaScript (JS) embedded into it, subsequently granting remote access to the attacker.

Wallarm emphasizes that the vulnerability can be easily exploited without the need for any form of authentication. The Base-64 encoded payloads would make it difficult for security tools such Web Application Firewalls (WAFs) to detect malicious PUT requests. The exploitation of CVE-2025-24813 in the wild, within 30 hours of disclosure of the PoC exploit code makes rapidly addressing the vulnerability critical. Ivan Novikov, Wallarm's CEO has stated that exploitation is being carried out by “Chinese operators”, and that the vulnerability will be added to CISA’s Known Exploited Vulnerabilities catalog in the near future.

It should be noted that successful exploitation requires specific configurations are enabled on a vulnerable server. To achieve information disclosure and the addition of malicious content, the following requirements must be met:

• Writes enabled for the default servlet (non-default)
• Support for partial PUT (enabled by default)
• A target URL for security sensitive uploads that is a sub-directory of a target URL for public uploads
• Attacker knowledge of the names of security sensitive files being uploaded
• The security sensitive files also being uploaded via partial PUT

In order for exploitation to result in Remote Code Execution, there are additional requirements:

• Writes enabled for the default servlet (non-default)
• Support for partial PUT (enabled by default)
• Application is using Tomcat's file-based session persistence with the default storage location
• Application included a library that may be leveraged in a deserialization attack

Impacted Versions list:

• Apache Tomcat 11.0.0-M1 to 11.0.2
• Apache Tomcat 10.1.0-M1 to 10.1.34
• Apache Tomcat 9.0.0.M1 to 9.0.98

References:

[1] https://lab.wallarm.com/one-put-request-to-own-tomcat-cve-2025-24813-rce-is-in-the-wild/
[2] https://nvd.nist.gov/vuln/detail/CVE-2025-24813
[3] https://www.shodan.io/search?query=server%3A+apache+tomcat
[4] https://www.theregister.com/2025/03/18/apache_tomcat_java_rce_flaw/