A newly disclosed security flaw in Apache Tomcat is being actively exploited, following the release of a public proof-of-concept (PoC) just 30 hours after its disclosure.
Affected Apache Tomcat Versions
The vulnerability, tracked as CVE-2025-24813, impacts the following versions:
- Apache Tomcat 11.0.0-M1 to 11.0.2
- Apache Tomcat 10.1.0-M1 to 10.1.34
- Apache Tomcat 9.0.0-M1 to 9.0.98
How the Vulnerability Works
The issue stems from a combination of factors, including:
- Writes enabled for the default servlet (disabled by default)
- Support for partial PUT (enabled by default)
- A target URL for security-sensitive uploads located within a public upload directory
- An attacker having knowledge of security-sensitive filenames
- The security-sensitive files themselves being uploaded via partial PUT
When these conditions are met, an attacker can use PUT requests to view or modify security-sensitive files. Under certain additional conditions, attackers can also execute arbitrary code.
Remote code execution (RCE) is possible if the following conditions hold:
- Writes enabled for the default servlet
- Support for partial PUT enabled
- The application uses Tomcat’s file-based session persistence in the default storage location
- The application includes a library vulnerable to deserialization attacks
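As an added illustration (not code from the article or from the Apache Tomcat project), the following Python audit reads the three preconditions above that are visible in a Tomcat instance's own configuration: the default servlet's `readonly` and `allowPartialPut` init-params in conf/web.xml, and a PersistentManager backed by a FileStore with no explicit directory in context.xml. The parameter and class names are Tomcat's; the sample XML documents are constructed, and the fourth condition (a deserialization-vulnerable library) is not checkable from configuration.

```python
# Added audit example: flags the CVE-2025-24813 preconditions visible in Tomcat config files.
import xml.etree.ElementTree as ET

def _local(tag: str) -> str:
    # Drop the XML namespace so web.xml parses the same whatever schema it declares.
    return tag.rsplit("}", 1)[-1]

def default_servlet_params(web_xml: str) -> dict:
    """Init-params of the servlet named 'default' (empty dict if none is declared)."""
    for servlet in ET.fromstring(web_xml).iter():
        if _local(servlet.tag) != "servlet":
            continue
        name = next((c.text or "" for c in servlet if _local(c.tag) == "servlet-name"), "")
        if name.strip() != "default":
            continue
        params = {}
        for ip in (c for c in servlet if _local(c.tag) == "init-param"):
            kv = {_local(c.tag): (c.text or "").strip() for c in ip}
            if "param-name" in kv:
                params[kv["param-name"]] = kv.get("param-value", "")
        return params
    return {}

def file_store_in_default_location(context_xml: str) -> bool:
    """True when a PersistentManager uses a FileStore with no explicit 'directory'."""
    for mgr in ET.fromstring(context_xml).iter("Manager"):
        if "PersistentManager" in mgr.get("className", ""):
            for store in mgr.iter("Store"):
                if "FileStore" in store.get("className", "") and not store.get("directory"):
                    return True
    return False

def audit(web_xml: str, context_xml: str) -> dict:
    p = default_servlet_params(web_xml)
    # Tomcat defaults: readonly=true (writes off), allowPartialPut=true (partial PUT on).
    writes = p.get("readonly", "true").lower() == "false"
    partial = p.get("allowPartialPut", "true").lower() != "false"
    sessions = file_store_in_default_location(context_xml)
    # The fourth RCE condition (a deserialization gadget on the classpath) is not visible in config.
    return {"writes_enabled": writes, "partial_put": partial, "file_sessions_default_dir": sessions,
            "config_preconditions_for_rce": writes and partial and sessions}

# Constructed sample configs (not real deployments): a weak pair and a hardened web.xml.
WEAK_WEB_XML = ('<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee"><servlet><servlet-name>default'
    '</servlet-name><init-param><param-name>readonly</param-name><param-value>false</param-value>'
    '</init-param></servlet></web-app>')
SAFE_WEB_XML = WEAK_WEB_XML.replace("<param-value>false", "<param-value>true")
WEAK_CONTEXT_XML = ('<Context><Manager className="org.apache.catalina.session.PersistentManager">'
    '<Store className="org.apache.catalina.session.FileStore"/></Manager></Context>')
```

Run `audit()` against a real conf/web.xml and the context.xml of each deployed application; any instance where all three flags are true and that is still on an affected version should be treated as exposed to the RCE path, not just the file read/write one.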
According to Wallarm, attackers exploit the vulnerability using a two-step process:
- The attacker uploads a serialized Java session file via a PUT request.
- The attacker triggers deserialization by sending a GET request with a JSESSIONID that points to the uploaded session file.
The attack uses a Base64-encoded serialized Java payload written to Tomcat’s session storage directory, which is later executed upon deserialization.
Severity and Potential Impacts
Wallarm notes that the vulnerability is trivial to exploit and does not require authentication. The primary risk lies in Tomcat’s handling of partial PUT requests, which allows attackers to upload malicious JSP files, modify configurations, and plant backdoors.
The vulnerability has been patched in the following Apache Tomcat versions:
- Apache Tomcat 9.0.99
- Apache Tomcat 10.1.35
- Apache Tomcat 11.0.3
Users running affected versions should update their Tomcat instances immediately to prevent exploitation.