Situational Awareness Report: CVE-2025-24813 Apache Tomcat RCE

Report: Situational Awareness on Apache Tomcat

Overview

CVE-2025-24813 is a critical Remote Code Execution (RCE) vulnerability affecting Apache Tomcat, a widely used open-source web server and servlet container. This vulnerability enables attackers to upload a malicious serialized payload to a vulnerable server, leading to arbitrary code execution through a deserialization flaw under specific conditions. The recent release of a Proof of Concept (PoC) exploit on GitHub has heightened the risk, making it easier for attackers to exploit this vulnerability.


Vulnerability Details

Affected Versions:
  • Apache Tomcat 9.0.0.M1 to 9.0.98
  • Apache Tomcat 10.1.0-M1 to 10.1.34
  • Apache Tomcat 11.0.0-M1 to 11.0.2
Conditions for Exploitation:
  • The server must permit PUT requests to a writable directory (e.g., /uploads/../sessions/).
  • The uploaded session file must be processed (e.g., via a GET request to /index.jsp), triggering deserialization of the malicious payload.
  • The attacker’s system requires Java to generate payloads, typically using tools like ysoserial.

Proof of Concept (PoC)

A PoC exploit script has been publicly released on GitHub at POC-CVE-2025-24813. This script automates the exploitation process, significantly lowering the technical barrier for attackers and increasing the likelihood of widespread exploitation attempts.

Impact

Severity: Critical
Potential Consequences: Successful exploitation grants attackers full control of the affected server, potentially leading to:
  • Data theft
  • Server compromise
  • Further infiltration into the network

Active Exploitation: Reports indicate that this vulnerability is being actively exploited in the wild, with attackers leveraging simple PUT requests to upload malicious payloads and execute code remotely.

Mitigation and Patches

Patched Versions: The Apache Software Foundation has addressed this vulnerability in the following releases:
  • Apache Tomcat 9.0.99
  • Apache Tomcat 10.1.35
  • Apache Tomcat 11.0.3
Recommended Actions:
  • Update Immediately: Upgrade to the latest patched versions of Apache Tomcat.
  • Restrict PUT Requests: Disable PUT requests if not required, or limit access to writable directories.
  • Monitor Logs: Check server logs for indicators of exploitation, such as unusual PUT requests or deserialization attempts.
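The "Monitor Logs" action above and the PUT-then-GET sequence listed under Conditions for Exploitation can be turned into a simple detector. The Python script below is an added example, not part of this report; it assumes Tomcat's default "common" access-log pattern (%h %l %u %t "%r" %s %b) and runs over a constructed sample log, flagging PUT requests that use path traversal or name a session file and pairing each with a later GET from the same client.

```python
import re
from datetime import datetime

# Tomcat "common" access log pattern: %h %l %u %t "%r" %s %b
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log (not real traffic): one host does a traversal PUT
# and then requests /index.jsp; the other lines are benign noise.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Mar/2025:10:21:33 +0000] "GET /index.jsp HTTP/1.1" 200 512
10.0.0.9 - - [15/Mar/2025:10:21:40 +0000] "PUT /uploads/../sessions/evil.session HTTP/1.1" 201 -
10.0.0.5 - - [15/Mar/2025:10:21:41 +0000] "GET /static/app.css HTTP/1.1" 200 2048
10.0.0.9 - - [15/Mar/2025:10:21:45 +0000] "GET /index.jsp HTTP/1.1" 500 -
10.0.0.7 - - [15/Mar/2025:10:30:00 +0000] "PUT /uploads/report.pdf HTTP/1.1" 201 -
"""

def parse(lines):
    # Yield parsed requests; lines that do not match the format are skipped.
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], TS_FMT)
            yield d

def is_suspicious_put(req):
    """A PUT whose path traverses with '/../' or names a session file."""
    p = req["path"]
    return req["method"] == "PUT" and ("/../" in p or "session" in p.lower())

def find_alerts(lines, window_seconds=300):
    """Return (host, put_path, trigger_path_or_None) for each suspicious PUT,
    paired with the first later GET from the same host within window_seconds."""
    reqs = list(parse(lines))
    alerts = []
    for i, r in enumerate(reqs):
        if not is_suspicious_put(r):
            continue
        trigger = next((s["path"] for s in reqs[i + 1:]
                        if s["host"] == r["host"] and s["method"] == "GET"
                        and (s["ts"] - r["ts"]).total_seconds() <= window_seconds),
                       None)
        alerts.append((r["host"], r["path"], trigger))
    return alerts

if __name__ == "__main__":
    print(find_alerts(SAMPLE_LOG.splitlines()))
```

A PUT with no follow-up GET still appears in the output (with None as the trigger) so that upload attempts are reviewed even when the second step has not happened yet.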

Current Threat Landscape

The public availability of the PoC, combined with reports of active exploitation, underscores the urgency of addressing CVE-2025-24813. Organizations running affected versions of Apache Tomcat face an elevated risk of compromise and should prioritize patching and mitigation efforts to safeguard their systems.

Conclusion

CVE-2025-24813 represents a critical threat to Apache Tomcat deployments due to its ease of exploitation and the release of a functional PoC. Immediate action—updating to patched versions and implementing recommended mitigations—is essential to protect against potential attacks and minimize the risk of server compromise.