EXPLOITED in 30 HOURS: Critical path equivalence flaw in Apache Tomcat leads to RCE


A new vulnerability in Apache Tomcat is being actively exploited—here’s what you need to know.
The Short Version:
If you’re running Apache Tomcat, you need to take action. A newly disclosed path equivalence vulnerability (CVE-2025-24813) allows attackers to upload malicious files, manipulate data, and even execute remote code—all without authentication. This is not a theoretical risk; it’s already being exploited in the wild.
What’s the Threat?
CVE-2025-24813 is a path equivalence bug affecting Tomcat’s write-enabled Default Servlet when handling filenames with internal dots (e.g., file.txt). Attackers can exploit partial PUT requests to place files into Tomcat’s session storage, creating an avenue for Remote Code Execution (RCE) or unauthorized file manipulation. In short, a misconfigured Tomcat instance could give attackers more access than you’d ever want.
Affected Versions:
- Apache Tomcat 9.0.0.M1 – 9.0.98
- Apache Tomcat 10.1.0-M1 – 10.1.34
- Apache Tomcat 11.0.0-M1 – 11.0.2
If you’re running one of these, updating should be a top priority.
The RCE Attack Chain
- Malicious Upload: The attacker sends a partial PUT request with a Base64-encoded serialized Java payload, storing it in Tomcat’s session storage directory.
- Triggering Execution: The attacker sends a GET request with a JSESSIONID cookie pointing to the uploaded payload.
- Code Execution: If the system has vulnerable libraries (such as Apache Commons Collections), Tomcat deserializes the payload and executes the attacker’s code.
Other Security Risks:
- Unauthorized File Access: If Default Servlet write permissions are enabled, attackers can modify or access sensitive files.
- Credential Theft: Configuration files containing API keys or passwords could be exposed.
- Lateral Movement: A compromised Tomcat server could become a launching point for further attacks.
Why This Matters
- No authentication required 🚨
- Exploitable remotely 🌍
- Already being actively used by attackers 🎯
This is not the kind of issue you want to ignore.
Mitigation Steps
Patch Immediately: The best way to fix this issue is to upgrade to a patched version:
- Tomcat 9.0.99+
- Tomcat 10.1.35+
- Tomcat 11.0.3+
If Immediate Patching Isn’t Possible, Apply These Mitigations:
- Disable write permissions for the Default Servlet (readonly=true in conf/web.xml).
- Disable partial PUT requests (allowPartialPut=false in conf/web.xml).
- Turn off file-based session persistence (remove <Manager> in context.xml).
- Restrict upload directory permissions to limit where files can be placed.
Indicators of Compromise (IOCs)
- Unusual PUT requests with .. or other path manipulation techniques.
- A sudden PUT followed by a GET with JSESSIONID (possible RCE attempt).
- Unexpected files appearing in Tomcat’s session storage.
- Suspicious Java processes running on the Tomcat server.
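The first two indicators above can be checked against Tomcat access logs. The following is an added example (not from the original post or the Tomcat project) that parses constructed log lines and flags PUT requests with traversal in the path and a GET carrying a JSESSIONID shortly after a partial PUT from the same client. It assumes an AccessLogValve pattern that logs the Content-Range and Cookie request headers, since the default pattern records neither.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import unquote

# Assumed AccessLogValve pattern (server.xml), chosen so the two headers the
# indicators rely on are logged: %h %t "%r" %s "%{Content-Range}i" "%{Cookie}i"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) "(?P<crange>[^"]*)" "(?P<cookie>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
WINDOW = timedelta(minutes=5)  # how long a partial PUT stays "pending"

# Constructed sample lines (not real traffic): the first client shows both
# indicators, the second is ordinary PUT/GET activity that must not be flagged.
SAMPLE_LOG = [
    '203.0.113.5 [10/Mar/2025:12:00:01 +0000] "PUT /files/..%2Fnote.txt HTTP/1.1" 201 "bytes 0-511/1024" "-"',
    '203.0.113.5 [10/Mar/2025:12:00:04 +0000] "GET /index.jsp HTTP/1.1" 500 "-" "JSESSIONID=9D4B1E"',
    '198.51.100.7 [10/Mar/2025:12:01:00 +0000] "GET /index.jsp HTTP/1.1" 200 "-" "JSESSIONID=7F3A2C"',
    '198.51.100.7 [10/Mar/2025:12:01:03 +0000] "PUT /docs/report.txt HTTP/1.1" 201 "-" "JSESSIONID=7F3A2C"',
]

def parse(line):
    """Parse one access-log line into a dict, or None if it does not match the pattern."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], TS_FMT)
    return entry

def find_indicators(lines):
    """Return (indicator, client, uri) tuples for the two log-visible IoCs."""
    hits, pending_puts = [], {}
    for e in filter(None, map(parse, lines)):
        host, uri = e["host"], e["uri"]
        if e["method"] == "PUT":
            # Indicator 1: PUT whose URL-decoded path carries '..' traversal
            if ".." in unquote(uri):
                hits.append(("put_with_traversal", host, uri))
            # A Content-Range header marks a partial PUT; Tomcat logs '-' when absent
            if e["crange"] not in ("", "-"):
                pending_puts.setdefault(host, []).append((e["ts"], uri))
        elif e["method"] == "GET" and "JSESSIONID=" in e["cookie"]:
            # Indicator 2: GET with JSESSIONID soon after a partial PUT from the same client
            recent = [u for t, u in pending_puts.get(host, []) if e["ts"] - t <= WINDOW]
            if recent:
                hits.append(("partial_put_then_session_get", host, recent[-1]))
    return hits
```

Hits are correlated per client address only; behind a shared proxy, correlate on the X-Forwarded-For header instead and expect more noise.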
Final Thoughts
CVE-2025-24813 is a serious security risk that requires immediate attention. If you run Apache Tomcat, patch your system or apply mitigations now to reduce exposure. Staying proactive is the best way to keep your systems secure.