CVE-2025-24813: RCE Vulnerability in Apache Tomcat Exploited in the Wild


A recently disclosed remote code execution (RCE) vulnerability in Apache Tomcat, tracked as CVE-2025-24813, is being actively exploited in the wild. On a vulnerable configuration an attacker needs only a single partial PUT request, followed by a request carrying the matching session ID, to take over the server. Exploit code was published roughly 30 hours after the disclosure; the proof of concept delivers a base64-encoded serialized Java payload that many signature-based security tools do not flag.

Severity Level: High

VULNERABILITY OVERVIEW

1. CVE-2025-24813 is a remote code execution, information disclosure, and malicious content injection issue in Apache Tomcat. CVSS Score: Not Available.

2. Versions Affected: Apache Tomcat 11.0.0-M1 to 11.0.2; Apache Tomcat 10.1.0-M1 to 10.1.34; and Apache Tomcat 9.0.0.M1 to 9.0.98.

3. The root cause is a path-equivalence flaw in how Tomcat's default servlet stages partial PUT requests, combined with the way file-based session persistence reads session files from disk. Specifically:

  • Partial PUT Staging: When the default servlet is configured to allow writes (readonly="false", which is not the default) and receives a PUT with a Content-Range header, the pre-fix code writes the body to a temporary file in the context's work directory, named after the request path with every '/' replaced by '.'. A PUT to /hello.session therefore creates a file named .hello.session.
  • Session Storage Handling: Applications that use Tomcat's file-based session persistence (PersistentManager with a FileStore, again not the default) keep each session on disk as <sessionId>.session, by default in that same work directory. An attacker who can issue partial PUTs can therefore plant a file that looks like a persisted session.
  • Deserialization Mechanism: When a request arrives with a session ID that is not in memory, the store loads <sessionId>.session and deserializes it without validating its content. If a library with a usable gadget chain is on the classpath, deserialization executes attacker-controlled code.

4. The exploit for CVE-2025-24813 was first published by a user named iSee857 on a Chinese forum and spread quickly; a proof-of-concept (PoC) is now publicly available.

5. The exploit involves two key steps:

  • Step 1: Planting a malicious serialized session. The attacker sends a partial PUT (a PUT with a Content-Range header) whose body is a serialized object graph built with a ysoserial gadget chain, to a path that flattens to a .session file name. Tomcat writes it into the work directory that the FileStore reads persisted sessions from.
  • Step 2: Triggering remote code execution. The attacker then sends any request (a simple GET suffices) with a JSESSIONID cookie matching the planted file name. Tomcat loads and deserializes the file, the gadget chain runs, and the attacker gains code execution as the Tomcat process user.
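The following is an added example, not code from this advisory or from Apache Tomcat. It models the path-equivalence collision in Python and runs a small two-request detector over constructed sample traffic. The temp-file naming (request path with '/' replaced by '.') and the <sessionId>.session file name are taken from the Apache advisory and Tomcat's FileStore; the /hello.session path, the sample requests and the detection heuristic are this example's own assumptions, not a reproduction of the published PoC.

```python
import re

# Added example, not code from the advisory or from Apache Tomcat.
# Models the pre-fix behaviour the Apache advisory describes: a partial PUT
# (PUT + Content-Range) was staged as a temp file in the context work dir,
# named after the request path with every '/' replaced by '.'.  FileStore
# session persistence reads '<sessionId>.session' from that directory by
# default, so the two names can collide.

SESSION_SUFFIX = ".session"


def partial_put_temp_name(request_path: str) -> str:
    """Temp file name pre-fix Tomcat used for a partial PUT to request_path."""
    return request_path.replace("/", ".")


def session_file_name(session_id: str) -> str:
    """File name FileStore looks up for a given session id."""
    return session_id + SESSION_SUFFIX


def planted_session_id(request_path: str):
    """Session id whose FileStore file a partial PUT to request_path would
    create, or None if the flattened name is not a session file name."""
    name = partial_put_temp_name(request_path)
    if name.endswith(SESSION_SUFFIX) and len(name) > len(SESSION_SUFFIX):
        return name[: -len(SESSION_SUFFIX)]
    return None


def parse_request(raw: str):
    """Minimal HTTP/1.1 request parser, enough for the constructed samples."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def jsessionid(headers: dict):
    """Extract the JSESSIONID value from a Cookie header, if present."""
    match = re.search(r"(?:^|;\s*)JSESSIONID=([^;]+)", headers.get("cookie", ""))
    return match.group(1) if match else None


def analyze(raw_requests):
    """Flag partial PUTs that would plant a session file, and later requests
    that present the matching session id (heuristic; this example's own)."""
    planted = set()
    findings = []
    for raw in raw_requests:
        method, path, headers, _ = parse_request(raw)
        if method == "PUT" and "content-range" in headers:
            sid = planted_session_id(path)
            if sid is not None:
                planted.add(sid)
                findings.append(("partial-put-session-file", path, sid))
        else:
            sid = jsessionid(headers)
            if sid is not None and sid in planted:
                findings.append(("session-trigger", path, sid))
    return findings


# Constructed sample traffic (not a real capture): a partial PUT whose path
# flattens to '.hello.session', a request carrying JSESSIONID=.hello, and two
# benign requests that must not be flagged.
SAMPLE_REQUESTS = [
    "PUT /hello.session HTTP/1.1\r\nHost: target\r\n"
    "Content-Range: bytes 0-1000/1200\r\nContent-Type: application/octet-stream\r\n"
    "\r\n<serialized payload bytes>",
    "GET /index.jsp HTTP/1.1\r\nHost: target\r\nCookie: JSESSIONID=.hello\r\n\r\n",
    "PUT /uploads/report.pdf HTTP/1.1\r\nHost: target\r\nContent-Length: 4\r\n\r\nabcd",
    "GET /index.jsp HTTP/1.1\r\nHost: target\r\n"
    "Cookie: JSESSIONID=7F2A9C0D1B3E4F5A6B7C8D9E0F1A2B3C\r\n\r\n",
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_REQUESTS):
        print(finding)
```

The detector keys on the partial PUT (Content-Range present) rather than on the body, which is exactly the part a body-signature WAF rule misses; a full PUT to an ordinary upload path and a request with an ordinary session ID are left alone.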

6. The exploit is hard to catch with traditional signature-based controls because:

  • The PUT request looks like an ordinary file upload and carries no obvious attack pattern; the malicious content is an opaque serialized blob.
  • The PoC base64-encodes the serialized payload, so simple pattern matching on the request body does not fire.
  • The attack is split across two requests; nothing harmful happens until the second request causes the planted file to be deserialized.

Recommendations:

  1. Users of the affected versions should apply one of the following mitigations: Upgrade to Apache Tomcat 11.0.3 or later; Upgrade to Apache Tomcat 10.1.35 or later; Upgrade to Apache Tomcat 9.0.99 or later.
  2. Until the upgrade is applied, Tomcat users can mitigate the problem by restoring the default servlet's default configuration (readonly="true"), disabling partial PUT support, and not storing security-sensitive files under a public upload path. For the RCE case specifically, the Apache advisory notes that the attack also depends on file-based session persistence in its default storage location and on a deserialization gadget library being present, so avoid that combination where you can.
  3. Review session management more broadly: set sensible session timeouts, mark session cookies Secure and HttpOnly, and make sure any persistent session store is not writable through web-facing paths.
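The following is an added example, not code from this advisory or from Apache Tomcat: a Python audit of the DefaultServlet entry in a Tomcat web.xml for the two interim mitigations above, run against a constructed weak configuration and a hardened one. readonly is a long-standing DefaultServlet init-param (default true). The allowPartialPut name is assumed here to be the switch for partial PUT support as documented for the fixed releases; confirm it against the DefaultServlet reference for your version before relying on it.

```python
import xml.etree.ElementTree as ET

# Added example, not code from the advisory or from Apache Tomcat.
# Audits the DefaultServlet <servlet> entry of a Tomcat web.xml for the two
# interim mitigations the advisory lists.  'readonly' is a long-standing
# DefaultServlet init-param (default true).  'allowPartialPut' is ASSUMED to
# be the partial PUT switch documented for the fixed releases; verify the
# name for your version.

DEFAULT_SERVLET_CLASS = "org.apache.catalina.servlets.DefaultServlet"

# Constructed excerpt in the shape of conf/web.xml (not copied from any
# install).  readonly=false is the non-default setting that lets PUT through.
WEAK_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""

# Same entry with the interim mitigations applied.
HARDENED_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>true</param-value>
    </init-param>
    <init-param>
      <param-name>allowPartialPut</param-name>
      <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""


def _strip_namespaces(root):
    """web.xml uses a default namespace; drop it so tags can be matched by name."""
    for elem in root.iter():
        if isinstance(elem.tag, str) and "}" in elem.tag:
            elem.tag = elem.tag.split("}", 1)[1]
    return root


def default_servlet_params(web_xml_text: str) -> dict:
    """Return the init-params of the DefaultServlet entry, or {} if absent."""
    root = _strip_namespaces(ET.fromstring(web_xml_text))
    params = {}
    for servlet in root.findall("servlet"):
        if servlet.findtext("servlet-class", "").strip() == DEFAULT_SERVLET_CLASS:
            for param in servlet.findall("init-param"):
                params[param.findtext("param-name", "").strip()] = (
                    param.findtext("param-value", "").strip()
                )
    return params


def audit_default_servlet(web_xml_text: str) -> list:
    """List the mitigations that are missing; an empty list means both are set."""
    params = default_servlet_params(web_xml_text)
    issues = []
    # Tomcat defaults when the param is absent: readonly=true, partial PUT allowed.
    if params.get("readonly", "true").strip().lower() != "true":
        issues.append("default servlet accepts PUT/DELETE (readonly=false)")
    if params.get("allowPartialPut", "true").strip().lower() != "false":
        issues.append("partial PUT not disabled (allowPartialPut is not false)")
    return issues


if __name__ == "__main__":
    for label, text in (("weak", WEAK_WEB_XML), ("hardened", HARDENED_WEB_XML)):
        print(label, audit_default_servlet(text) or ["ok"])
```

Point the audit at conf/web.xml and at any per-application WEB-INF/web.xml that re-declares the default servlet; an application-level override of readonly is easy to miss when only the global file is checked.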

SOURCES:

  • https://lists.apache.org/thread/j5fkjv2k477os90nczf2v9l61fb0kkgq
  • https://lab.wallarm.com/one-put-request-to-own-tomcat-cve-2025-24813-rce-is-in-the-wild/



Ampcus Cyber