New Exploit Allows Remote Code Execution in Apache Tomcat
Patch Without Delay
OEM | Apache |
Severity | Critical |
CVSS | 9.8 |
CVEs | CVE-2025-24813 |
Exploited in Wild | Yes |
POC Available | Yes |
Patch/Remediation Available | Yes |
Advisory Version | 1.0 |
Overview
CVE-2025-24813 is a recently identified Apache Tomcat vulnerability that is being actively exploited in the wild. Under certain circumstances, it permits information disclosure and remote code execution (RCE).
Attackers can use a two-step exploit procedure to take over vulnerable systems. Patching became more urgent after a proof-of-concept (PoC) exploit was made public within 30 hours of disclosure.
Depending on the privileges associated with the affected service, an attacker could then install programs or view, change, or delete data.
Vulnerability Name | CVE ID | Product Affected | Severity |
Remote Code Execution Vulnerability | CVE-2025-24813 | Apache Tomcat | Critical |
Technical Summary
The vulnerability arises from Tomcat’s handling of PUT and GET requests in environments where specific configurations are enabled. Exploitation requires:
- Writes enabled for the default servlet
- Partial PUT support enabled
- Security-sensitive files stored in a sub-directory of public uploads
- Attacker knowledge of the file names
- Use of file-based session persistence
Successful exploitation allows attackers to upload malicious Java session files via a PUT request and trigger deserialization through a GET request, leading to RCE. A PoC exploit has been publicly released, making detection and mitigation critical.
CVE ID | System Affected | Vulnerability Details | Impact |
CVE-2025-24813 | Apache Tomcat 11.0.0-M1 to 11.0.2, 10.1.0-M1 to 10.1.34, 9.0.0.M1 to 9.0.98 | Exploits PUT and GET request handling, allowing arbitrary file injection and execution. | Remote Code Execution, Information Disclosure. |
Remediation:
- Update Apache Tomcat to version 11.0.3, 10.1.35, or 9.0.99 (or later) to mitigate the vulnerability.
General Recommendations:
- Disable partial PUT support: Prevent attackers from leveraging the exploit by disabling this feature if not required.
- Restrict access to sensitive files: Ensure security-sensitive files are not stored in publicly accessible directories.
- Implement authentication controls: Strengthen authentication and authorization for file upload operations.
- Enhance API security: Deploy real-time API security solutions to detect and block malicious PUT requests.
Conclusion:
CVE-2025-24813 represents a significant security risk, with active exploitation already observed. The availability of a public PoC exploit further increases the likelihood of widespread attacks. The ease of exploitation and the potential for severe consequences make it critical for affected organizations to apply the latest patches immediately. Additionally, security teams should enhance monitoring for suspicious PUT and GET request patterns to mitigate this attack technique.
References: