Company

ABOUT ESENTIRE

eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.

About Us →

Leadership →

Careers →

Event Calendar →

Newsroom →

Aston Villa Football Club →

EVENT CALENDAR

Apr

Cybersecurity Summit Boston

Apr

Cybersecurity Summit Chicago

Apr

FutureCon Minneapolis

Apr

April TRU Intelligence Briefing

Apr

Elevate IT Technology Summit Tampa

View Calendar →

LATEST PRESS RELEASE

Mar 06, 2025

eSentire Unleashes AI-Driven Atlas Nexus Network, Empowering Cybersecurity Partners to Build Differentiated Security Services at Scale

View Newsroom →

OUR PARTNERSHIPS

Aston Villa Football Club

AVFC takes its cyber protection to the Next Level with eSentire as its official cybersecurity partner.

Learn More

Speak With A Security Expert Now

TALK TO AN EXPERT

THE THREAT

On March 17th, 2025, security researchers confirmed that threat actors are now exploiting the recently disclosed Apache Tomcat vulnerability CVE-2025-24813. This vulnerability was publicly disclosed on March 10th, and the earliest signs of exploitation have been traced back to March 12th. Proof-of-Concept (PoC) exploit code is available, simplifying the attack process for less skilled threat actors.

CVE-2025-24813 is described as a path equivalence vulnerability. Exploitation may allow threat actors to add malicious content to uploaded files, cause information disclosure, and achieve Remote Code Execution (RCE). The vulnerability may be exploited without any prior access or authentication.

As exploitation has been confirmed, organizations are strongly encouraged to update all Apache Tomcat servers to a secure version immediately.

What we’re doing about it

eSentire MDR for Network has rules in place to identify exploitation attempts
eSentire Managed Vulnerability Service (MVS) has plugins in place to identify vulnerable devices
The eSentire Threat Response Unit is actively tracking this topic for additional details and detection opportunities

What you should do about it

After performing a business impact review, apply the relevant security patches immediately
- Upgrade to version 11.0.3, 10.1.35, or 9.0.98
Ensure server hardening of Apache Tomcat Servers
- Prevent incomplete or unauthorized file uploads by disabling partial PUT support
- Configure the default servlet write access to read only (readonly= "true")
- Set the session persistence directory to a secure, custom folder instead of using the default storage location

Additional information

Apache Tomcat is a popular open-source Java web application server. Internet scanning services, such as Shodan, report nearly 100,000 Internet-facing Apache Tomcat servers; this number does not specifically reflect vulnerable servers.

The real-world exploitation of CVE-2025-24813 to perform Remote Code Execution (RCE) was first identified by Wallarm researchers, prior to the public disclosure of the Proof-of-Concept (PoC) exploit code. Threat actors are now reportedly leveraging the PoC exploit code to gain complete access to the vulnerable Apache servers.

The attack occurs in two stages, ultimately granting the attacker full remote access. Initially, the attackers send a PUT request uploading Base-64 encoded malicious serialized session file to the server. The file gets automatically written to the server’s session storage directory, thereby storing the payload onto the disk. The next stage of the attack involves triggering deserialization of the session. The attacker sends a GET request with the JSESSIONID addressing the malicious session. In response to which the server retrieves the file from the disk causing deserialization and execution of malicious JavaScript (JS) embedded into it, subsequently granting remote access to the attacker.

Wallarm emphasizes that the vulnerability can be easily exploited without the need for any form of authentication. The Base-64 encoded payloads would make it difficult for security tools such Web Application Firewalls (WAFs) to detect malicious PUT requests. The exploitation of CVE-2025-24813 in the wild, within 30 hours of disclosure of the PoC exploit code makes rapidly addressing the vulnerability critical. Ivan Novikov, Wallarm's CEO has stated that exploitation is being carried out by “Chinese operators”, and that the vulnerability will be added to CISA’s Known Exploited Vulnerabilities catalog in the near future.

It should be noted that successful exploitation requires specific configurations are enabled on a vulnerable server. To achieve information disclosure and the addition of malicious content, the following requirements must be met:

Writes enabled for the default servlet (non-default)
Support for partial PUT (enabled by default)
A target URL for security sensitive uploads that is a sub-directory of a target URL for public uploads
Attacker knowledge of the names of security sensitive files being uploaded
The security sensitive files also being uploaded via partial PUT

In order for exploitation to result in Remote Code Execution, there are additional requirements:

Writes enabled for the default servlet (non-default)
Support for partial PUT (enabled by default)
Application is using Tomcat's file-based session persistence with the default storage location
Application included a library that may be leveraged in a deserialization attack

Impacted Versions list:

Apache Tomcat 11.0.0-M1 to 11.0.2
Apache Tomcat 10.1.0-M1 to 10.1.34
Apache Tomcat 9.0.0.M1 to 9.0.98

References:

[1] https://lab.wallarm.com/one-put-request-to-own-tomcat-cve-2025-24813-rce-is-in-the-wild/
[2] https://nvd.nist.gov/vuln/detail/CVE-2025-24813
[3] https://www.shodan.io/search?query=server%3A+apache+tomcat
[4] https://www.theregister.com/2025/03/18/apache_tomcat_java_rce_flaw/

ESENTIRE SERVICES

Managed Detection and Response

All-In-One MDR Solution →

MDR for Microsoft →

MDR for GenAI →

Digital Forensics and Incident Response

Continuous Threat Exposure Management (CTEM)

PLATFORM, PEOPLE AND RESPONSE

Security Operations Center (SOC)

Extended Detection and Response (XDR)

Technology Integrations

Threat Response Unit (TRU)

Cyber Resilience Team

Response and Remediation

24/7 MDR SIGNALS

Endpoint

Network

Log

Cloud

Identity

INDUSTRIES

Insurance

Construction

Finance

Legal

Manufacturing

Private Equity

Healthcare

Retail

Food Supply

Government and Education

Automotive Dealerships

USE CASES

Ransomware

Cybersecurity Compliance

Zero Day Attacks

Cloud Misconfiguration

Third-Party Risk

Do More With Less

Cyber Risk

Cyber Insurance

Sensitive Data Security

Security Leadership

Cyber Threat Intelligence

MDR Pricing

From The Blog

From Access to Encryption: Dissecting Hunters International's Latest…

eSentire and Qylis Form Strategic Partnership to Deliver Compliant…

Initial Takeaways from the Black Basta Chat Leaks

Resources

Case Studies

TRU Intelligence Center

Cybersecurity Tools

Videos

Reports

Webinars

Data Sheets

Real vs. Fake MDR

Compare MDR Vendors

Blogs

Security Advisories

SECURITY ADVISORIES

Apache Tomcat Vulnerability Exploited

Device Code Authentication Phishing