Remote Code Execution (RCE) vulnerability impacting Apache Tomcat under active exploitation (CVE-2025-24813)

Summary

Cyble's Security Update Advisory provides a synopsis of the latest vulnerability patches released by various vendors. This advisory covers a recently disclosed vulnerability in Apache Tomcat that is being actively exploited in the wild, merely 30 hours after its public disclosure, following the release of a proof-of-concept (PoC).

Based on the naming standard of Common Vulnerabilities and Exposures (CVE) and the severity scale defined by the Common Vulnerability Scoring System (CVSS), vulnerabilities are classified as critical, high, medium, or low.

Vulnerability Details

Type: Remote Code Execution

CVE ID: CVE-2025-24813

CVSSv3.1: NA

Severity: Critical

Vulnerable Versions:

  • Apache Tomcat 11.0.0-M1 to 11.0.2

  • Apache Tomcat 10.1.0-M1 to 10.1.34

  • Apache Tomcat 9.0.0.M1 to 9.0.98

Description

In the affected versions, the default servlet's handling of a partial PUT derives the name of the temporary upload file from the request path without adequate validation, replacing path separators with dots (a path-equivalence, "internal dot" flaw). Because that temporary file is written under the context's work directory, which is also where Tomcat's file-based session store keeps its files, an attacker can, depending on the deployment, read security-sensitive files, inject content into them, or achieve remote code execution.

To gain access to security-sensitive files and/or inject content into those files, the following conditions need to be true:

  • Writes enabled for the default servlet (disabled by default)

  • Support for partial PUT (enabled by default)

  • Target URL for security-sensitive uploads is a sub-directory of a target URL for public uploads

  • Attacker knowledge of the names of security-sensitive files being uploaded

  • The security-sensitive files also being uploaded via partial PUT

To perform remote code execution, the following conditions need to be true:

  • Writes enabled for the default servlet (disabled by default)

  • Support for partial PUT (enabled by default)

  • The application uses Tomcat's file-based session persistence (PersistentManager with a FileStore) with the default storage location

  • The application includes a library that can be leveraged in a deserialization attack (a gadget chain)

Additional Information

According to Wallarm security researchers: "The first attack was detected by Wallarm on Mar 12, 12:38:29pm (CST), coming from Poland a few days before the first public exploit."

Attackers need only a single PUT request to plant the payload on a vulnerable server, followed by one GET request to trigger it. The exploit works in two steps:

  1. The attacker uploads a serialized Java session file via a PUT request

  2. The attacker triggers deserialization by referencing the malicious session ID in a GET request

Step 1: Uploading a Malicious Serialized Session

The attacker starts by sending a partial PUT request (a PUT carrying a Content-Range header) whose body is a base64-encoded ysoserial gadget chain, a serialized Java object designed to execute code when deserialized. Because the default servlet derives the temporary file name from the request path without proper validation, the upload lands as a file in the directory that Tomcat's file-based session store reads from. The payload is now stored on disk, waiting to be deserialized.

Step 2: Triggering Deserialization

The attacker then sends a simple GET request with a JSESSIONID cookie that names the planted file as a session ID. Tomcat does not find that session in memory, loads it from the file store, deserializes the contents, and the gadget chain runs with the privileges of the Tomcat process, giving the attacker remote code execution.
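As an added detection example (written for this page; not code from the advisory, from Wallarm or from Tomcat), the following Python scans Tomcat access-log lines for the two-step pattern described above: a partial PUT (Content-Range header present) aimed at a .session path, followed from the same source address by a GET whose JSESSIONID does not look like an id Tomcat generates (32 upper-case hex characters, optionally with a .jvmRoute suffix). It assumes the AccessLogValve pattern has been extended to log the Content-Range and Cookie request headers, which is not Tomcat's default, and the log lines are constructed.

```python
"""Flag the CVE-2025-24813 upload-then-trigger pattern in Tomcat access logs.

Added example, not part of the advisory. Assumes an AccessLogValve pattern of
  %h %t "%r" %s %b "%{Content-Range}i" "%{Cookie}i"
(the Content-Range and Cookie fields are not in Tomcat's default pattern).
"""
import re

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<range>[^"]*)" "(?P<cookie>[^"]*)"$'
)
# Ids from Tomcat's StandardSessionIdGenerator: 32 upper-case hex characters,
# optionally followed by ".<jvmRoute>" when a route is configured.
SESSION_ID_RE = re.compile(r"^[0-9A-F]{32}(\.[A-Za-z0-9_-]+)?$")


def parse_line(line):
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def jsessionid(cookie_header):
    """Pull the JSESSIONID value out of a raw Cookie header, or None."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "JSESSIONID":
            return value
    return None


def analyze(lines):
    """Return (severity, source_ip, message) tuples for suspicious requests.

    Rule 1: a PUT carrying Content-Range is a partial PUT; one aimed at a
            '.session' file name (FileStore's naming) is rated high.
    Rule 2: a GET presenting a JSESSIONID that Tomcat could not have issued
            is rated critical when the same source already did a partial
            PUT, otherwise medium (it may be a scanner or a stale cookie).
    """
    alerts = []
    partial_put_sources = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "PUT" and rec["range"] not in ("", "-"):
            severity = "high" if rec["path"].endswith(".session") else "medium"
            alerts.append((severity, rec["ip"], f"partial PUT to {rec['path']}"))
            partial_put_sources.add(rec["ip"])
        elif rec["method"] == "GET":
            sid = jsessionid(rec["cookie"])
            if sid is not None and not SESSION_ID_RE.match(sid):
                severity = "critical" if rec["ip"] in partial_put_sources else "medium"
                alerts.append((severity, rec["ip"], f"malformed JSESSIONID {sid!r}"))
    return alerts


# Constructed sample log; addresses are from documentation ranges. The first
# two lines are benign (valid session id, ordinary PUT without Content-Range).
SAMPLE_LOG = """\
198.51.100.5 [12/Mar/2025:09:00:01 -0600] "GET /index.jsp HTTP/1.1" 200 2210 "-" "JSESSIONID=6B4F2A9E1C3D5E7F8A9B0C1D2E3F4A5B"
198.51.100.5 [12/Mar/2025:09:00:07 -0600] "PUT /api/item/42 HTTP/1.1" 200 17 "-" "JSESSIONID=6B4F2A9E1C3D5E7F8A9B0C1D2E3F4A5B"
203.0.113.7 [12/Mar/2025:09:02:41 -0600] "PUT /uploads/poc.session HTTP/1.1" 201 - "bytes 0-1023/2048" "-"
203.0.113.7 [12/Mar/2025:09:02:43 -0600] "GET / HTTP/1.1" 200 1532 "-" "JSESSIONID=poc-session"
""".splitlines()

if __name__ == "__main__":
    for severity, ip, msg in analyze(SAMPLE_LOG):
        print(f"[{severity}] {ip}: {msg}")
```

The correlation by source address is what lifts the second alert to critical; on its own, a malformed JSESSIONID is only a weak signal, while a partial PUT to the default servlet on a server that should never accept writes deserves a look regardless of the target path.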

Nuclei template for CVE-2025-24813 is available in the public domain - Link

Users of vulnerable versions of Apache Tomcat are advised to utilize Cyble’s ODIN scanner to check whether their asset is internet-facing using the below search query:

- https://search.odin.io/hosts?query=services.product%3A%22Apache+Tomcat%22

Patch Link

Link

Recommendations

  • Implement the latest patch released by the official vendor: upgrade to Apache Tomcat 11.0.3, 10.1.35 or 9.0.99 (or later), which fix this issue. Where the upgrade must wait, remove the preconditions the exploit needs: keep the default servlet read-only (readonly=true, the default), disable partial PUT (allowPartialPut=false) and do not rely on file-based session persistence in the default storage location. More generally, keep all software and hardware systems updated with the latest vendor patches, establish a routine schedule for patch application, and apply critical patches immediately.

  • Enhance Web Application Firewall (WAF) Rules: Deploy or update WAF rules to detect and block suspicious base64-encoded payloads and unusual requests targeting session storage mechanisms.

  • Implement Least Privilege and Access Controls: Restrict access to Tomcat servers and ensure minimal user privileges for processes interacting with session files.

  • Implement a robust patch management process: Develop a comprehensive patch management strategy that includes inventory management, patch assessment, testing, deployment, and verification. Automate the process where possible to ensure consistency and efficiency.

  • Incident response and recovery plan: Create and maintain an incident response plan that outlines procedures for detecting, responding to, and recovering from security incidents. Regularly test and update the plan to ensure its effectiveness and alignment with current threats.

  • Monitoring and logging malicious activities across the network: Implement comprehensive monitoring and logging solutions to detect and analyze suspicious activities. Use SIEM (Security Information and Event Management) systems to aggregate and correlate logs for real-time threat detection and response.

Conclusion

The newly disclosed vulnerability in Apache Tomcat (CVE-2025-24813) is simple to exploit and requires no authentication, but it is not exploitable on a default installation: the default servlet must have writes enabled (it is read-only by default), partial PUT must remain enabled (the default), the application must use Tomcat's file-based session persistence in the default storage location, and a deserialization gadget library must be on the classpath. Deployments that meet these conditions should treat the flaw as critical. The serialized payload is delivered base64-encoded, which traditional security filters do not readily inspect, making detection significantly more difficult. CVE-2025-24813 went from disclosure to public exploitation in just 30 hours, highlighting the critical nature of this flaw. Without prompt patching, attackers can compromise affected systems, potentially leading to data breaches, unauthorized access, and further system compromise. Given the rapid weaponization of this vulnerability, organizations must act immediately to apply security updates and mitigate the risk before threat actors take advantage of unpatched systems.


Written by

FPT Metrodata Indonesia