Apache Tomcat

Critical Apache Tomcat Vulnerabilities Enable RCE

Summary : Security Advisory : Apache Tomcat’s security updates address two critical issues affecting widely deployed server components. Attackers can now exploit flaws in Apache Tomcat where improper URL handling and inadequate input neutralization allow unauthorized access to restricted directories.

OEM	Oracle
Severity	Critical
CVSS Score	9.6
CVEs	CVE-2025-55754, CVE-2025-55752
POC Available	No
Actively Exploited	No
Advisory Version	1.0

Overview One issue allows attackers to bypass URL protections and upload malicious files, leading to remote code execution if misconfigured and another permits attackers to manipulate console outputs on Windows systems using crafted log entries.

Organizations should promptly update their servers, review configuration settings and enhance monitoring to mitigate these risks.

Vulnerability Name	CVE ID	Product Affected	Severity	Affected Version
Improper Neutralization of Escape, Meta, or Control Sequences Vulnerability	CVE-2025-55754	Apache Tomcat	Critical	11.0.0-M1 through 11.0.10, 10.1.0-M1 through 10.1.44, 9.0.0.40 through 9.0.108.
Path Traversal Vulnerability	CVE-2025-55752	Apache Tomcat	High	11.0.0-M1 through 11.0.10, 10.1.0-M1 through 10.1.44, 9.0.0.M11 through 9.0.108.

Technical Summary This enable malicious file uploads, and inject control sequences affecting console behavior or system integrity.

These weaknesses increase the risk of unauthorized code execution and compromise of application environments.

CVE ID	Component Affected	Vulnerability Details	Impact
CVE-2025-55752	URL Rewrite Handler (Apache Tomcat Core)	A directory traversal flaw resulting from improper URL normalization and decoding order, allowing attackers to bypass /WEB-INF/ and /META-INF/ protections. If PUT requests are enabled, malicious actors can upload files to sensitive directories, potentially executing arbitrary code.	Remote code execution, full server compromise if Tomcat is misconfigured with PUT enabled.
CVE-2025-55754	Logging/Console Output	Improper neutralization of ANSI escape sequences in Tomcat log messages allows crafted URLs to inject control sequences. On Windows systems with ANSI-capable consoles, attackers can manipulate the console display and clipboard or potentially induce command execution via social engineering.	Console manipulation, potential administrator trickery, clipboard hijacking; less severe but can be chained for larger attacks.

Recommendations

Update Apache Tomcat to the following versions immediately:

For 11.x version updated to v11.0.11 or latest

For 10.x version updated to v10.1.45 or latest

For 9.x version updated to v9.0.109 or latest

If you not updating immediately you can follow some recommendations below

Disable or restrict PUT requests unless absolutely needed to prevent unauthorized file uploads.

Limit network access to Tomcat management interfaces to trusted administrators and secure sensitive directories.

Monitor logs and serves activity regularly for unusual or suspicious behavior indicative of exploitation attempts.

Conclusion:
The patches released by Apache Tomcat fix critical remote code execution and console manipulation bugs that could compromise servers.

Though no widespread exploitation is confirmed yet, immediate patching is strongly recommended to prevent serious security incidents. Security teams should apply these updates and monitor any suspicious server activity.

References:

https://lists.apache.org/thread/38vqp0v1fg4gr8c6lvm15wj6k67hxzxd

https://tomcat.apache.org/security-11.html

Apache Tomcat Vulnerabilities Expose Systems to DoS & Authentication Bypass

Security Advisory; Summary

Multiple vulnerabilities have been identified in Apache Tomcat affecting various versions and critical security updates provided to address four newly discovered vulnerabilities in Apache Tomcat. The disclosed Apache Tomcat vulnerabilities pose serious threats, especially in high-availability or internet-exposed environments.

Apache Tomcat is one of the world’s most widely used open-source Java servlet containers.

OEM	Apache
Severity	High
CVSS Score	8.4
CVEs	CVE-2025-48976, CVE-2025-48988, CVE-2025-49125, CVE-2025-49124
Actively Exploited	No
Exploited in Wild	No
Advisory Version	1.0

Overview

The affected versions 9.0.x, 10.1.x and 11.0.x, also include high-impact denial-of-service (DoS) vulnerabilities and a moderate authentication bypass flaw as well as a Windows installer issue that may allow privilege escalation via side-loading.

Timely patching is essential to prevent potential service disruptions and unauthorized access.

Vulnerability Name	CVE ID	Product Affected	Severity
Memory Exhaustion via Multipart Header Exploitation	CVE-2025-48976	Apache Tomcat	High
Multipart Upload Resource Exhaustion	CVE-2025-48988	Apache Tomcat	High
Security Constraint Bypass (Pre/PostResources)	CVE-2025-49125	Apache Tomcat	High
Windows Installer Side-Loading Risk	CVE-2025-49124	Apache Tomcat	High

Technical Summary

The vulnerabilities affect Tomcat’s handling of multipart HTTP requests, resource mounting and Windows installation process. Exploitation may result in denial-of-service (via memory exhaustion), privilege escalation (via installer abuse) and authentication bypass.

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2025-48976	Apache Tomcat 9.0.0.M1–9.0.105, 10.1.0-M1–10.1.41, 11.0.0-M1–11.0.7	Fixed memory allocation limit in multipart header processing could be exploited to consume memory and cause DoS.	Denial-of-service attack.
CVE-2025-48988	Apache Tomcat 9.0.0.M1–9.0.105, 10.1.0-M1–10.1.41, 11.0.0-M1–11.0.7	Multipart request body with many parts can trigger high memory usage due to improper limit handling between parameters and parts.	Denial-of-service attack.
CVE-2025-49125	Tomcat with Pre/Post Resources enabled	Lack of resource path normalization allows attackers to access resources outside root bypassing auth controls.	Authentication and Authorization Bypass.
CVE-2025-49124	Tomcat Windows Installers	Installer invoked icacls.exe without full path, making it vulnerable to side-loading attacks via PATH manipulation.	Privilege Escalation.

Remediation:

Update Immediately: Users of the affected versions should apply one of the following mitigations.

Upgrade to Apache Tomcat 11.0.8 or later

Upgrade to Apache Tomcat 10.1.42 or later

Upgrade to Apache Tomcat 9.0.106 or later

Conclusion:

Attackers could exploit these flaws to cause denial-of-service, escalate privileges or bypass authentication and authorization controls.

The Apache Software Foundation credits the TERASOLUNA Framework Security Team of NTT DATA Group Corporation and T. Doğa Gelişli for identifying these issues.

Tomcat is widely used in enterprise and cloud environments, prompt patching is essential to prevent potential exploitation, service outages, or unauthorized access.

References:

https://lists.apache.org/thread/w7dbnfyqn1yc05kbqqbbyct7wbomv7lf

https://lists.apache.org/thread/z2d63tflwvqvdg3crz8d1sy2v3xsr4n8

https://lists.apache.org/thread/khdh7y3y1wogjocrz8jy8mmqzmgc9y5o

https://lists.apache.org/thread/0jwb3d3sjyfk5m6xnnj7h9m7ngxz23db

New Exploit Allows Remote Code Execution in Apache Tomcat

Patch Without Delay

OEM	Apache
Severity	Critical
CVSS	9.8
CVEs	CVE-2025-24813
Exploited in Wild	Yes
POC Available	Yes
Patch/Remediation Available	Yes
Advisory Version	1.0

Overview

The CVE-2025-24813 is recently identified Apache Tomcat vulnerability that is being actively exploited in the wild. Under certain circumstances, this vulnerability permits information disclosure and remote code execution (RCE).

A two-step exploit procedure can be used by attackers to take over compromised systems. Patching became more urgent after a proof-of-concept (PoC) vulnerability was made public within 30 hours of disclosure.

Depending on the privileges associated with the system, an attacker could then install programs; view, change, or delete data.

Vulnerability Name	CVE ID	Product Affected	Severity
Remote Code Execution Vulnerability	CVE-2025-24813	Apache Tomcat	Critical

Technical Summary

The vulnerability arises from Tomcat’s handling of PUT and GET requests in environments where specific configurations are enabled. Exploitation requires:

Writes enabled for the default servlet

Partial PUT support enabled

Security-sensitive files stored in a sub-directory of public uploads

Attacker knowledge of the file names

Use of file-based session persistence

Successful exploitation allows attackers to upload malicious Java session files via a PUT request and trigger deserialization through a GET request, leading to RCE. A PoC exploit has been publicly released, making detection and mitigation critical.

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2025-24813	Apache Tomcat 11.0.0-M1 to 11.0.2, 10.1.0-M1 to 10.1.34, 9.0.0.M1 to 9.0.98	Exploits PUT and GET request handling, allowing arbitrary file injection and execution.	Remote Code Execution, Information Disclosure.

Remediation:

Update the Apache Tomcat versions to the latest one v11.0.3, v10.1.35, v9.0.99 to mitigate the vulnerability.

General Recommendations:

Disable partial PUT support: Prevent attackers from leveraging the exploit by disabling this feature if not required.

Restrict access to sensitive files: Ensure security-sensitive files are not stored in publicly accessible directories.

Implement authentication controls: Strengthen authentication and authorization for file upload operations.

Enhance API security: Deploy real-time API security solutions to detect and block malicious PUT requests.

Conclusion:

CVE-2025-24813 represents a significant security risk, with active exploitation already observed. The availability of a public PoC exploit further increases the likelihood of widespread attacks. The ease of exploitation and the potential for severe consequences make it critical for affected organizations to apply the latest patches immediately. Additionally, security teams should enhance monitoring for suspicious PUT and GET request patterns to mitigate this attack technique.

References:

https://lists.apache.org/thread/j5fkjv2k477os90nczf2v9l61fb0kkgq

https://xmcyber.com/blog/cve-2025-24813-critical-apache-tomcat-vulnerability-already-being-exploited-patch-now/

Critical Apache Tomcat Vulnerabilities Allow RCE & DoS

Summary

OEM	Apache
Severity	Critical
CVSS	9.8
CVEs	CVE-2024-50379, CVE-2024-54677
Exploited in Wild	Yes
Patch/Remediation Available	Yes
Advisory Version	1.0

Overview

Recent vulnerabilities in Apache Tomcat, identified as CVE-2024-50379 and CVE-2024-54677, present significant security threats, including remote code execution (RCE) and denial-of-service (DoS) risks. CVE-2024-50379 exploits a race condition during JSP compilation on case-insensitive file systems, enabling attackers to run arbitrary code. CVE-2024-54677 takes advantage of unlimited file uploads in example applications to trigger resource exhaustion.

Vulnerability Name	CVE ID	Product Affected	Severity	Affected Version
Race Condition Vulnerability	CVE-2024-50379	Apache	Critical	Apache Tomcat 11.0.0-M1 to 11.0.1 Apache Tomcat 10.1.0-M1 to 10.1.33 Apache Tomcat 9.0.0.M1 to 9.0.97
Uncontrolled Resource Consumption Vulnerability	CVE-2024-54677	Apache	Medium	Apache Tomcat 11.0.0-M1 to 11.0.1 Apache Tomcat 10.1.0-M1 to 10.1.33 Apache Tomcat 9.0.0.M1 to 9.0.97

Technical Summary

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2024-50379	Apache Tomcat	A race condition during JSP compilation in Apache Tomcat allows attackers to upload malicious JSP files, leading to remote code execution. This occurs when the default servlet is configured with write permissions on a case-insensitive file system.	Remote Code Execution
CVE-2024-54677	Apache Tomcat	The examples web application in Apache Tomcat does not limit the size of uploaded data, enabling attackers to cause an OutOfMemoryError by uploading excessive amounts of data, leading to a denial of service.	Denial of Service

Remediation:

Upgrade Apache Tomcat to the latest fixed versions:
- Apache Tomcat 11.0.2 or latest
- Apache Tomcat 10.1.34 or latest
- Apache Tomcat 9.0.98 or latest

Recommendations:

Configuration Hardening:
- Restrict write permissions for the default servlet to prevent unauthorized JSP file uploads.
- Remove or disable example applications to reduce exposure to potential attacks.
Monitor and Audit:
- Regularly review server logs for signs of exploitation attempts.
- Apply a robust file upload policy to limit sizes and validate content.
Regularly update all your software’s to address security vulnerabilities

References:

Scroll to top

Apache Tomcat

Critical Apache Tomcat Vulnerabilities Enable RCE

Apache Tomcat Vulnerabilities Expose Systems to DoS & Authentication Bypass

New Exploit Allows Remote Code Execution in Apache Tomcat

Critical Apache Tomcat Vulnerabilities Allow RCE & DoS

Recent Posts

Recent Comments

Search

Recent Comments

Recent Posts

Archives