Critical RCE flaw in Apache Tomcat actively exploited in attacks

A critical remote code execution (RCE) vulnerability in Apache Tomcat tracked as CVE-2025-24813 is actively exploited in the wild, enabling attackers to take over servers with a simple PUT request.

Hackers are reportedly leveraging proof-of-concept (PoC) exploits that were published on GitHub just 30 hours after the flaw was disclosed last week.

The malicious activity was confirmed by Wallarm security researchers, who warned that traditional security tools fail to detect it as PUT requests appear normal and the malicious content is obfuscated using base64 encoding.

Specifically, the attacker sends a PUT request containing a base64-encoded serialized Java payload saved to Tomcat’s session storage.

The attacker then sends a GET request with a JSESSIONID cookie pointing to the uploaded session file, forcing Tomcat to deserialize and execute the malicious Java code, granting complete control to the attacker.

The attack does not require authentication and is caused by Tomcat accepting partial PUT requests and its default session persistence.

“This attack is dead simple to execute and requires no authentication,” explains Wallarm.

“The only requirement is that Tomcat is using file-based session storage, which is common in many deployments. Worse, base64 encoding allows the exploit to bypass most traditional security filters, making detection challenging.”

The Tomcat RCE

The CVE-2025-24813 remote code execution vulnerability flaw was first disclosed by Apache on Monday 10, 2025, impacting Apache Tomcat 11.0.0-M1 to 11.0.2, 10.1.0-M1 to 10.1.34, and 9.0.0.M1 to 9.0.98.

The security bulletin warned users that, under certain conditions, an attacker could view or inject arbitrary content on security-sensitive files.

The conditions were the following:

• Writes enabled for the default servlet (readonly= “false”) — (Disabled by default)
• Support for partial PUT is enabled (Enabled by default.)
• Security-sensitive uploads occur in a sub-directory of a public upload directory.
• The attacker knows the names of security-sensitive files being uploaded.
• These security-sensitive files are being uploaded using partial PUT.

Apache recommended that all users upgrade to Tomcat versions 11.0.3+, 10.1.35+, or 9.0.99+, which are patched against CVE-2025-24813.

Tomcat users may also mitigate the problem by reverting to the default servlet configuration (readonly= “true”), turning off partial PUT support, and avoiding storing security-sensitive files in a subdirectory of public upload paths.

Wallarm warns that the bigger issue highlighted in this case isn’t the exploitation activity itself but the potential for more RCE vulnerabilities arising from the partial PUT handling in Tomcat.

“Attackers will soon start shifting their tactics, uploading malicious JSP files, modifying configurations, and planting backdoors outside session storage. This is just the first wave,” cautioned Wallarm.

Based on an analysis of 14M malicious actions, discover the top 10 MITRE ATT&CK techniques behind 93% of attacks and how to defend against them.

Read the Red Report 2025