Post

Rapid Exploitation of New Apache Tomcat Flaw Following PoC Release

Posted
By Vitus White
3 min read
Rapid Exploitation of New Apache Tomcat Flaw Following PoC Release

TL;DR

Threat actors swiftly exploited a recently disclosed Apache Tomcat vulnerability (CVE-2025-24813) after the public release of a Proof of Concept (PoC) exploit code. This flaw allows remote code execution or information disclosure under specific conditions.

Introduction

Threat actors began exploiting a recently disclosed Apache Tomcat vulnerability immediately after the release of a Proof of Concept (PoC) exploit code. This vulnerability, tracked as CVE-2025-24813, is being actively exploited just 30 hours after a public PoC was released.

Vulnerability Overview

The issue is a path equivalence flaw in Apache Tomcat that allows remote code execution or information disclosure if specific conditions are met. The vulnerability affects multiple versions including 11.0.0-M1 to 11.0.2, 10.1.0-M1 to 10.1.34, and 9.0.0.M1 to 9.0.98. Exploitation requires write-enabled default servlet, partial PUT support, and specific file handling conditions1.

Conditions for Exploitation

The original implementation of partial PUT used a temporary file based on the user-provided file name and path with the path separator replaced by “.”.2

If all of the following conditions are true, a malicious user could view security-sensitive files and/or inject content into those files:

  • Writes enabled for the default servlet (disabled by default)
  • Support for partial PUT (enabled by default)
  • A target URL for security-sensitive uploads that is a sub-directory of a target URL for public uploads
  • Attacker knowledge of the names of security-sensitive files being uploaded
  • The security-sensitive files also being uploaded via partial PUT

If all of the following conditions are true, a malicious user could perform remote code execution:

  • Writes enabled for the default servlet (disabled by default)
  • Support for partial PUT (enabled by default)
  • Application using Tomcat’s file-based session persistence with the default storage location
  • Application included a library that may be leveraged in a deserialization attack

Mitigation

Tomcat versions 9.0.99, 10.1.35, and 11.0 have addressed the vulnerability3. Users are recommended to update their affected Tomcat versions immediately to mitigate potential threats.

Active Exploitation

Wallarm researchers confirmed active exploitation of the flaw and added that attackers can hijack Apache Tomcat servers with a single PUT API request. The PoC is available online4.

The attack exploits Tomcat’s session persistence and partial PUT requests by uploading a malicious Java session file and triggering deserialization via a GET request.

Attack Steps

  1. Uploading a Malicious Serialized Session: The attacker sends a PUT request containing a base64-encoded ysoserial gadget chain, storing it in Tomcat’s session directory.
  2. Triggering Execution via Session Cookie: A GET request with the JSESSIONID referencing the malicious session forces Tomcat to deserialize and execute the payload, granting remote access.

Challenges in Detection

Wallarm researchers warn that most Web Application Firewalls (WAFs) fail to detect this attack because the PUT request appears normal and lacks obvious malicious content. The payload is base64-encoded, evading pattern-based detection, and the attack occurs in two steps, with execution happening only during deserialization. Additionally, most WAFs do not thoroughly inspect uploaded files or track multi-step exploits5.

Conclusion

The rapid exploitation of the Apache Tomcat vulnerability highlights the importance of timely updates and vigilant security practices. Organizations using affected versions should prioritize patching to prevent potential breaches.

Additional Resources

For further insights, check:

References

  1. Apache Tomcat (2025). “Security vulnerabilities fixed in Apache Tomcat”. Apache Tomcat. Retrieved 2025-03-17. ↩︎

  2. Apache Tomcat (2025). “Security vulnerabilities fixed in Apache Tomcat”. Apache Tomcat. Retrieved 2025-03-17. ↩︎

  3. Apache Tomcat (2025). “Security vulnerabilities fixed in Apache Tomcat”. Apache Tomcat. Retrieved 2025-03-17. ↩︎

  4. Wallarm (2025). “One PUT request to own Tomcat: CVE-2025-24813 RCE is in the wild”. Wallarm. Retrieved 2025-03-17. ↩︎

  5. Wallarm (2025). “One PUT request to own Tomcat: CVE-2025-24813 RCE is in the wild”. Wallarm. Retrieved 2025-03-17 ↩︎

Cybersecurity & Data Protection, Vulnerabilities
cybersecurity threat intelligence apache tomcat
This post is licensed under CC BY 4.0 by the author.