Situational Awareness Report: CVE-2025-24813 Apache Tomcat RCE

Overview

CVE-2025-24813 is a critical Remote Code Execution (RCE) vulnerability affecting Apache Tomcat, a widely used open-source web server and servlet container. This vulnerability enables attackers to upload a malicious serialized payload to a vulnerable server, leading to arbitrary code execution through a deserialization flaw under specific conditions. The recent release of a Proof of Concept (PoC) exploit on GitHub has heightened the risk, making it easier for attackers to exploit this vulnerability.


Vulnerability Details

CVE ID: CVE-2025-24813
Affected Versions:
  • Apache Tomcat 9.0.0.M1 to 9.0.98
  • Apache Tomcat 10.1.0-M1 to 10.1.34
  • Apache Tomcat 11.0.0-M1 to 11.0.2
Conditions for Exploitation:
  • The server must permit PUT requests to a writable directory (e.g., /uploads/../sessions/).
  • The uploaded session file must be processed (e.g., via a GET request to /index.jsp), triggering deserialization of the malicious payload.
  • The attacker’s system requires Java to generate payloads, typically using tools like ysoserial.

Proof of Concept (PoC)

A PoC exploit script has been publicly released on GitHub at POC-CVE-2025-24813. This script automates the exploitation process, significantly lowering the technical barrier for attackers and increasing the likelihood of widespread exploitation attempts.

Impact

Severity: Critical
Potential Consequences: Successful exploitation grants attackers full control of the affected server, potentially leading to:
  • Data theft
  • Server compromise
  • Further infiltration into the network

Active Exploitation: Reports indicate that this vulnerability is being actively exploited in the wild, with attackers leveraging simple PUT requests to upload malicious payloads and execute code remotely.

Mitigation and Patches

Patched Versions: The Apache Software Foundation has addressed this vulnerability in the following releases:
  • Apache Tomcat 9.0.99
  • Apache Tomcat 10.1.35
  • Apache Tomcat 11.0.3
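
A quick way to triage an inventory against the affected and patched versions listed above is to parse Tomcat version strings (including milestone builds such as 9.0.0.M1 and 10.1.0-M1, which sort before the corresponding GA build) and compare them against the inclusive ranges. The following is an added example written for this report, not code from the Apache project; the host inventory it checks is constructed, and versions on branches the advisory does not list (for example 8.5.x) are reported as outside its table rather than as safe.

```python
import re
from typing import Dict, Optional, Tuple

# Matches "9.0.98", "9.0.0.M1" and "10.1.0-M1" style Tomcat version strings.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")

# Inclusive affected ranges and the first fixed release, as stated in the advisory.
AFFECTED_RANGES = [
    ("9.0.0.M1", "9.0.98", "9.0.99"),
    ("10.1.0-M1", "10.1.34", "10.1.35"),
    ("11.0.0-M1", "11.0.2", "11.0.3"),
]


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Turn a Tomcat version string into a sortable tuple.

    Milestone builds (M1, M2, ...) precede the GA build with the same
    numbers, so GA gets stage 1 and milestones stage 0 in the key.
    """
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def fixed_version_for(version: str) -> Optional[str]:
    """Return the patched release for an affected version, else None."""
    v = parse_version(version)
    for low, high, fix in AFFECTED_RANGES:
        if parse_version(low) <= v <= parse_version(high):
            return fix
    return None


def is_affected(version: str) -> bool:
    """True when the version falls inside one of the advisory's ranges."""
    return fixed_version_for(version) is not None


def triage(inventory: Dict[str, str]) -> Dict[str, Tuple[str, bool, Optional[str]]]:
    """Map host -> (version, affected, fix_to_apply) for an inventory."""
    return {host: (ver, is_affected(ver), fixed_version_for(ver))
            for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory (hostnames and versions are examples only).
    sample_inventory = {
        "web-01.example.internal": "9.0.98",
        "web-02.example.internal": "9.0.99",
        "api-01.example.internal": "10.1.0-M1",
        "api-02.example.internal": "11.0.3",
    }
    for host, (ver, affected, fix) in triage(sample_inventory).items():
        state = f"AFFECTED -> upgrade to {fix}" if affected else "not in affected ranges"
        print(f"{host:28} {ver:10} {state}")
```

The comparison is tuple-based, so adding a later range only requires a new entry in AFFECTED_RANGES; the version parser is the piece worth keeping when feeding this from a CMDB export.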
Recommended Actions:
  • Update Immediately: Upgrade to the latest patched versions of Apache Tomcat.
  • Restrict PUT Requests: Disable PUT requests if not required, or limit access to writable directories.
  • Monitor Logs: Check server logs for indicators of exploitation, such as unusual PUT requests or deserialization attempts.
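
The two non-patch actions above, restricting PUT and reviewing logs, can both be checked with a small script. In Tomcat, PUT and DELETE on static content are controlled by the DefaultServlet's readonly init-param in conf/web.xml (Tomcat ships with readonly=true; setting it to false enables uploads), and access logs in the default "common" pattern record the method and path of every request. The script below is an added example for this report, not code from the Apache project: it audits a constructed web.xml fragment for readonly=false and flags PUT requests in constructed access-log lines that show the indicators the advisory describes (path traversal, writes of session files). Hostnames, IPs and log lines are all made up.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, List
from urllib.parse import unquote

# --- 1. Configuration audit -------------------------------------------------
# Constructed conf/web.xml fragment with PUT enabled on the DefaultServlet.
SAMPLE_WEB_XML = """<web-app>
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
</web-app>"""


def _local(tag: str) -> str:
    """Strip a namespace prefix so the audit works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name: str) -> str:
    return next((c.text or "" for c in elem if _local(c.tag) == name), "").strip()


def default_servlet_allows_put(web_xml_text: str) -> bool:
    """True if the DefaultServlet is configured with readonly=false."""
    root = ET.fromstring(web_xml_text)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        if "DefaultServlet" not in _child_text(servlet, "servlet-class"):
            continue
        for param in servlet:
            if _local(param.tag) != "init-param":
                continue
            if (_child_text(param, "param-name") == "readonly"
                    and _child_text(param, "param-value").lower() == "false"):
                return True
    # readonly defaults to true when the parameter is absent.
    return False


# --- 2. Access-log triage ---------------------------------------------------
# Constructed Tomcat access-log lines (default "common" pattern).
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [10/Mar/2025:09:14:02 +0000] "GET /index.jsp HTTP/1.1" 200 612',
    '203.0.113.7 - - [10/Mar/2025:09:14:05 +0000] "PUT /uploads/../sessions/abc.session HTTP/1.1" 201 -',
    '203.0.113.7 - - [10/Mar/2025:09:14:06 +0000] "GET /index.jsp HTTP/1.1" 500 -',
    '198.51.100.4 - - [10/Mar/2025:09:20:11 +0000] "PUT /uploads/report.pdf HTTP/1.1" 201 -',
    '198.51.100.9 - - [10/Mar/2025:09:21:00 +0000] "POST /login HTTP/1.1" 302 -',
]

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')


def triage_access_log(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per PUT request, annotated with the indicators seen."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a "common"-pattern line; skip rather than guess
        client, when, method, raw_path, status, _size = m.groups()
        if method != "PUT":
            continue
        path = unquote(raw_path)  # catch %2e%2e-style encoded traversal too
        reasons = ["PUT request"]  # any PUT is worth review where uploads are not expected
        if "/../" in path or path.endswith("/.."):
            reasons.append("path traversal")
        if path.lower().endswith(".session"):
            reasons.append("session file write")
        findings.append({"client": client, "time": when, "path": raw_path,
                         "status": status, "reason": "; ".join(reasons)})
    return findings


if __name__ == "__main__":
    print("DefaultServlet allows PUT:", default_servlet_allows_put(SAMPLE_WEB_XML))
    for f in triage_access_log(SAMPLE_ACCESS_LOG):
        print(f"{f['time']} {f['client']} PUT {f['path']} -> {f['status']} [{f['reason']}]")
```

A PUT that only triggers "PUT request" may be a legitimate upload endpoint; the combination of traversal plus a .session write from the same client, followed shortly by a request to a JSP, is what matches the behaviour the advisory describes and should be escalated. Run the audit against the real conf/web.xml and the triage over the full access log (it reads one line at a time, so it streams fine).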

Current Threat Landscape

The public availability of the PoC, combined with reports of active exploitation, underscores the urgency of addressing CVE-2025-24813. Organizations running affected versions of Apache Tomcat face an elevated risk of compromise and should prioritize patching and mitigation efforts to safeguard their systems.

Conclusion

CVE-2025-24813 represents a critical threat to Apache Tomcat deployments due to its ease of exploitation and the release of a functional PoC. Immediate action—updating to patched versions and implementing recommended mitigations—is essential to protect against potential attacks and minimize the risk of server compromise.
