Blog

Critical RCE flaw in Apache Tomcat actively exploited in attacks

4 hours ago
2 minutes read

A critical remote code execution (RCE) vulnerability in Apache Tomcat tracked as CVE-2025-24813 is actively exploited in the wild, enabling attackers to take over servers with a simple PUT request.

Hackers are reportedly leveraging proof-of-concept (PoC) exploits that were published on GitHub just 30 hours after the flaw was disclosed last week.

The malicious activity was confirmed by Wallarm security researchers, who warned that traditional security tools fail to detect it as PUT requests appear normal and the malicious content is obfuscated using base64 encoding.

Specifically, the attacker sends a PUT request containing a base64-encoded serialized Java payload saved to Tomcat’s session storage.

The attacker then sends a GET request with a JSESSIONID cookie pointing to the uploaded session file, forcing Tomcat to deserialize and execute the malicious Java code, granting complete control to the attacker.

The attack does not require authentication and is caused by Tomcat accepting partial PUT requests and its default session persistence.

“This attack is dead simple to execute and requires no authentication,” explains Wallarm.

“The only requirement is that Tomcat is using file-based session storage, which is common in many deployments. Worse, base64 encoding allows the exploit to bypass most traditional security filters, making detection challenging.”

The Tomcat RCE

The CVE-2025-24813 remote code execution vulnerability flaw was first disclosed by Apache on Monday 10, 2025, impacting Apache Tomcat 11.0.0-M1 to 11.0.2, 10.1.0-M1 to 10.1.34, and 9.0.0.M1 to 9.0.98.

The security bulletin warned users that, under certain conditions, an attacker could view or inject arbitrary content on security-sensitive files.

The conditions were the following:

  • Writes enabled for the default servlet (readonly= “false”) — (Disabled by default)

  • Support for partial PUT is enabled (Enabled by default.)

  • Security-sensitive uploads occur in a sub-directory of a public upload directory.

  • The attacker knows the names of security-sensitive files being uploaded.

  • These security-sensitive files are being uploaded using partial PUT.

Apache recommended that all users upgrade to Tomcat versions 11.0.3+, 10.1.35+, or 9.0.99+, which are patched against CVE-2025-24813.

Tomcat users may also mitigate the problem by reverting to the default servlet configuration (readonly= “true”), turning off partial PUT support, and avoiding storing security-sensitive files in a subdirectory of public upload paths.

Wallarm warns that the bigger issue highlighted in this case isn’t the exploitation activity itself but the potential for more RCE vulnerabilities arising from the partial PUT handling in Tomcat.

“Attackers will soon start shifting their tactics, uploading malicious JSP files, modifying configurations, and planting backdoors outside session storage. This is just the first wave,” cautioned Wallarm.


Red Report 2025

Based on an analysis of 14M malicious actions, discover the top 10 MITRE ATT&CK techniques behind 93% of attacks and how to defend against them.


Source link

Tags
4 hours ago
2 minutes read

Related Articles

Cisco’s AI agents for WebEx aim to improve customer service – Computerworld

2 hours ago

The Seven Biggest Mistakes You Can Make Spring Cleaning

2 hours ago

How to backup Windows 11 to external USB drive

2 hours ago

This New Open-Source Alternative to Google Docs and Notion Is Backed by France and Germany

2 hours ago

Which One’s Easier & Safer to Use?

3 hours ago

Last night’s ‘White Lotus’ cameo is less surprising than you think

3 hours ago

Zoom’s AI will soon help you do busywork, too

4 hours ago

What is an APT and how are they tracked?

4 hours ago

Manus AI Is Not China’s Second DeepSeek Moment; See Beyond the Hype

4 hours ago

What’s the best location to set my VPN when torrenting?

6 hours ago
Back to top button
close