Critical Vulnerability in Apache Tomcat: CVE-2025-24813
A critical vulnerability, CVE-2025-24813, has been identified in Apache Tomcat, affecting versions 11.0.0-M1 through 11.0.2, 10.1.0-M1 through 10.1.34, and 9.0.0.M1 through 9.0.98, as well as the end-of-life 8.5.x branch. Under specific, non-default configurations it allows unauthenticated attackers to execute arbitrary code on the server or to read and modify security-sensitive files, potentially leading to full system compromise and exposure of sensitive data. Exploitation attempts have been observed in the wild and multiple proof-of-concept exploits have been published, increasing the risk of ongoing attacks.
The vulnerability stems from Tomcat's handling of partial PUT requests. When the default servlet accepts writes (its readonly init parameter set to false; the shipped default is true) and partial PUT support is enabled (the default), an attacker who knows the name of a security-sensitive file can write content that Tomcat later treats as that file, enabling unauthorized access to security-sensitive files or remote code execution (RCE). RCE additionally requires the application to use Tomcat's file-based session persistence in its default storage location and to have a library on the classpath that can be leveraged in a deserialization attack. Because the shipped configuration is not exploitable, only a limited number of Tomcat instances are likely affected; however, the presence of public exploits and malicious IP addresses targeting this vulnerability underscores the need for immediate attention.
Organizations are urged to upgrade to the latest patched versions of Apache Tomcat or implement network-level controls to mitigate potential attacks. The Insikt Group has provided a Nuclei template to help defenders test for vulnerable instances, and Recorded Future offers tools for identifying internet-facing assets at risk.
Threats and Vulnerabilities
CVE-2025-24813 is a path equivalence vulnerability in Apache Tomcat that allows remote code execution and unauthorized file access. In the published attack chain, the attacker sends a partial PUT request (a PUT carrying a Content-Range header) whose body is a Base64-encoded serialized Java payload; Tomcat writes the body to a temporary file whose name is derived from the request path, and that name collides with the naming scheme of its file-based session store. A follow-up GET request with a crafted "JSESSIONID" cookie then makes Tomcat load the file as a persisted session and deserialize it, triggering code execution. The vulnerability affects specific Tomcat versions and requires the non-default server configuration described above for successful exploitation.
The potential impact includes system compromise, exposure of sensitive data, and unauthorized file modifications. Malicious IP addresses from various countries have been identified attempting to exploit this vulnerability, targeting systems in the US, Japan, Mexico, South Korea, and Australia. Despite no confirmed successful exploitations, the presence of public proof-of-concept exploits heightens the risk.
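The two-request pattern described above leaves a footprint in the access log even when the default log format records no headers or cookies. The following is an added example for this advisory (not code from Apache Tomcat, 1898 & Co., or Insikt Group) that flags PUT requests the default servlet accepted, PUT targets named so that a partial PUT would land as a session file, and a GET from the same host shortly after such a PUT. It assumes Tomcat's default AccessLogValve pattern `%h %l %u %t "%r" %s %b`; the sample lines are constructed, and the `session_like` heuristic and the five-minute window are choices of this example, not thresholds from the advisory.

```python
"""Flag Tomcat access-log activity consistent with the CVE-2025-24813 attack chain.

Added example for this advisory, not code from Apache Tomcat or from 1898 & Co.
Assumptions: the log uses Tomcat's default AccessLogValve pattern
'%h %l %u %t "%r" %s %b' (common log format); the sample lines below are
constructed for illustration, not captured from a real incident.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one common-log-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], TS_FMT)
    e["status"] = int(e["status"])
    return e


def session_like(path):
    """Heuristic (this example's choice): the public PoC targets a path whose last
    segment ends in 'session', so the temp file '.<path-with-dots>' matches the
    '<id>.session' naming that Tomcat's FileStore expects."""
    return path.rsplit("/", 1)[-1].lower().endswith("session")


def find_suspicious(lines, window=timedelta(minutes=5)):
    """Return (kind, host, path) findings:
    write_succeeded  - PUT answered 201/204: the default servlet accepted a file write
    write_rejected   - PUT answered 403/405: a write attempt the server refused
    session_like_put - PUT target named so a partial PUT would land as a .session file
    put_then_get     - GET from the same host within `window` after an accepted PUT,
                       the second half of the deserialization trigger
    """
    findings = []
    accepted_puts = defaultdict(list)
    for e in filter(None, map(parse_line, lines)):
        if e["method"] == "PUT":
            if e["status"] in (201, 204):
                findings.append(("write_succeeded", e["host"], e["path"]))
                accepted_puts[e["host"]].append(e)
            elif e["status"] in (403, 405):
                findings.append(("write_rejected", e["host"], e["path"]))
            if session_like(e["path"]):
                findings.append(("session_like_put", e["host"], e["path"]))
        elif e["method"] == "GET":
            for p in accepted_puts[e["host"]]:
                if timedelta(0) <= e["ts"] - p["ts"] <= window:
                    findings.append(("put_then_get", e["host"], p["path"]))
    return findings


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [15/Mar/2025:10:00:01 +0000] "PUT /e9a1/session HTTP/1.1" 201 -',
    '203.0.113.5 - - [15/Mar/2025:10:00:02 +0000] "GET /index.jsp HTTP/1.1" 200 512',
    '198.51.100.7 - - [15/Mar/2025:10:05:00 +0000] "PUT /upload/test.txt HTTP/1.1" 403 -',
    '192.0.2.9 - - [15/Mar/2025:10:06:00 +0000] "GET /health HTTP/1.1" 200 2',
]

if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG):
        print(*finding)
```

Any accepted PUT is worth a look on a Tomcat that is not meant to serve as a WebDAV or upload endpoint, since the shipped configuration answers PUT with 403; the `put_then_get` correlation is what distinguishes a scanner probing for writable servers from an attempt to trigger the payload.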
Client Impact
Clients using affected versions of Apache Tomcat may face operational disruptions due to system compromise or data breaches resulting from CVE-2025-24813 exploitation. Financial consequences could arise from unauthorized access to sensitive data or system downtime. Additionally, organizations may suffer reputation damage if customer data is exposed or services are interrupted.
From a compliance perspective, failure to address this vulnerability could lead to regulatory challenges or audits, especially if sensitive data is compromised. Organizations should assess their exposure and take immediate steps to mitigate risks associated with this vulnerability.
Mitigations
To mitigate the risks associated with CVE-2025-24813, clients should consider the following actions:
- Upgrade Apache Tomcat to version 11.0.3, 10.1.35, or 9.0.99 (or later) to address the vulnerability.
- For end-of-life (EoL) 8.5.x versions, transition to a supported branch of Apache Tomcat.
- If upgrading is not immediately possible, implement network-level controls to restrict access to the Tomcat server and remove the preconditions for exploitation: set the default servlet's readonly init parameter back to true (the shipped default), set allowPartialPut to false, and avoid file-based session persistence (PersistentManager with FileStore) in the default storage location.
- Use the Nuclei template provided by Insikt Group to test for vulnerable instances.
- Monitor access logs for PUT requests accepted by the default servlet (HTTP 201 or 204 responses, particularly partial PUTs carrying a Content-Range header), and check the web root and the context work directory for unexpected files, including JSP files and .session files that no legitimate session created.
- Deploy Web Application Firewalls (WAFs) to detect and block unauthorized file uploads or executions.
By taking these steps, organizations can reduce their exposure to potential attacks exploiting CVE-2025-24813. It is crucial to remain vigilant and continuously monitor for indicators of compromise while ensuring that all systems are updated with the latest security patches.
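Whether an instance is exposed follows from a few lines of conf/web.xml and context.xml, so the configuration can be audited without a network scan. The following is an added example for this advisory (not code from Apache Tomcat or from 1898 & Co.) that reads the two DefaultServlet init parameters named above (readonly, allowPartialPut) and checks for FileStore session persistence without an explicit directory, reporting which preconditions of the attack chain are met. The XML fragments are constructed, trimmed stand-ins for the real files; whether a usable deserialization gadget library is on the classpath is outside what this check can see.

```python
"""Audit a Tomcat configuration for the CVE-2025-24813 preconditions.

Added example for this advisory, not code from Apache Tomcat or from 1898 & Co.
It reads the DefaultServlet init-params readonly and allowPartialPut from
conf/web.xml and looks for FileStore session persistence in context.xml. The XML
snippets below are constructed, trimmed copies of what those files contain.
"""
import xml.etree.ElementTree as ET

DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"
FILE_STORE = "org.apache.catalina.session.FileStore"


def _local(tag):
    """Strip the XML namespace so the check works for Java EE and Jakarta EE web.xml."""
    return tag.rsplit("}", 1)[-1]


def _text(elem, name):
    """Text of the first direct child named `name`, or None."""
    for child in elem:
        if _local(child.tag) == name and child.text:
            return child.text.strip()
    return None


def default_servlet_params(web_xml):
    """Return the DefaultServlet init-params, starting from Tomcat's shipped defaults."""
    params = {"readonly": "true", "allowPartialPut": "true"}
    for servlet in ET.fromstring(web_xml).iter():
        if _local(servlet.tag) != "servlet" or _text(servlet, "servlet-class") != DEFAULT_SERVLET:
            continue
        for ip in servlet:
            if _local(ip.tag) == "init-param":
                name, value = _text(ip, "param-name"), _text(ip, "param-value")
                if name in params and value is not None:
                    params[name] = value
    return params


def file_store_in_default_dir(context_xml):
    """True if sessions persist via FileStore with no explicit directory attribute."""
    for e in ET.fromstring(context_xml).iter():
        if _local(e.tag) == "Store" and e.get("className") == FILE_STORE and not e.get("directory"):
            return True
    return False


def audit(web_xml, context_xml):
    """Return the preconditions found, in the order of the attack chain."""
    p = default_servlet_params(web_xml)
    writable = p["readonly"].lower() == "false"
    partial_put = p["allowPartialPut"].lower() != "false"
    findings = []
    if writable:
        findings.append("writable_default_servlet")
        if partial_put:
            findings.append("partial_put_enabled")  # arbitrary file write possible
            if file_store_in_default_dir(context_xml):
                findings.append("file_store_in_default_dir")
                findings.append("rce_chain_possible")  # gadget library not checked here
    return findings


# Constructed fragments: a weakened web.xml, a hardened one, and two context.xml variants.
VULNERABLE_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>listings</param-name><param-value>false</param-value></init-param>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""

HARDENED_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>allowPartialPut</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""

PERSISTENT_CONTEXT_XML = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore"/>
  </Manager>
</Context>"""

DEFAULT_CONTEXT_XML = "<Context/>"

if __name__ == "__main__":
    print("vulnerable:", audit(VULNERABLE_WEB_XML, PERSISTENT_CONTEXT_XML))
    print("hardened:  ", audit(HARDENED_WEB_XML, PERSISTENT_CONTEXT_XML))
```

The check starts from Tomcat's shipped defaults, so a web.xml that never mentions readonly or allowPartialPut is reported as safe on those two points, which matches the advisory's statement that the default configuration is not exploitable. Run it against the global conf/web.xml and every per-application WEB-INF/web.xml and META-INF/context.xml, since an application can redeclare the default servlet or its own session manager.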
1898 & Co. Response
1898 & Co. is actively addressing the threat landscape posed by vulnerabilities like CVE-2025-24813 through a range of services and solutions designed to enhance client security postures. Our team provides tailored vulnerability assessments and patch management strategies to help clients identify and remediate risks associated with outdated software versions.
We are updating our security protocols to incorporate the latest threat intelligence and exploit detection techniques, ensuring that our clients are equipped with robust defenses against emerging threats. Our collaborative efforts with industry partners and government agencies enable us to stay ahead of potential vulnerabilities and provide timely insights into threat actor activities.
Our ongoing research and threat intelligence gathering activities focus on identifying new attack vectors and developing effective mitigation strategies. By leveraging our expertise and resources, we strive to support clients in maintaining secure environments and minimizing the impact of cybersecurity threats.