A critical security vulnerability identified as CVE-2025-24813 has been discovered in Apache Tomcat, a widely used open-source web server and servlet container. This flaw enables unauthenticated attackers to execute arbitrary code remotely, potentially leading to full control over affected servers. The vulnerability impacts Apache Tomcat versions 9.0.0-M1 through 9.0.98, 10.1.0-M1 through 10.1.34, and 11.0.0-M1 through 11.0.2. The Apache Software Foundation has addressed this issue in versions 9.0.99, 10.1.35, and 11.0.3, urging users to update promptly to mitigate the risk.
Technical Details and Exploitation Mechanism
The vulnerability arises from Apache Tomcat’s handling of partial HTTP PUT requests combined with path equivalence issues. Attackers can exploit this flaw by sending a specially crafted PUT request containing a base64-encoded serialized Java payload to a writable directory on the server. This payload is designed to trigger remote code execution upon deserialization. Subsequently, the attacker sends a GET request with a manipulated JSESSIONID cookie, prompting the server to deserialize the payload and execute the malicious code.
Successful exploitation requires specific conditions:
– The default servlet must have write permissions enabled (non-default configuration).
– Partial PUT support must be enabled (enabled by default).
– The server must use file-based session persistence.
– A deserialization-vulnerable library must be present in the application stack.
These prerequisites are not typically met by default configurations, which may limit the scope of potential exploitation.
Active Exploitation and Global Impact
Security researchers have observed active exploitation attempts targeting this vulnerability across various sectors and regions. Notably, systems in the United States, Japan, India, South Korea, and Mexico have been identified as primary targets. The rapid development and dissemination of proof-of-concept (PoC) exploits have lowered the barrier for attackers, enabling even those with limited technical expertise to attempt exploitation. Despite the widespread attempts, the specific conditions required for successful exploitation have made it challenging for attackers to achieve their objectives.
Mitigation Strategies
To protect systems from potential exploitation of CVE-2025-24813, organizations are advised to implement the following measures:
1. Immediate Software Update: Upgrade Apache Tomcat to the patched versions—9.0.99, 10.1.35, or 11.0.3—as these releases contain fixes addressing the vulnerability.
2. Network-Level Controls: Implement network-level filtering to block suspicious requests and restrict access to the Tomcat server, thereby reducing the attack surface.
3. Disable Unnecessary HTTP Methods: Turn off support for partial PUT requests if not required, as this can prevent one of the exploitation vectors.
4. Enforce Strict Access Controls: Ensure that the default servlet’s write permissions remain disabled (the DefaultServlet readonly parameter set to true, which is its default) to prevent unauthorized file uploads.
5. Continuous Monitoring: Enable proper logging and monitoring to detect exploitation attempts. Utilize web application firewalls (WAFs) to detect and block malicious traffic effectively.
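Item 5 asks for logging that can surface exploitation attempts. The script below is an added example, not part of this article or of Apache Tomcat itself; it turns the two-step pattern described above (a partial PUT, then a GET carrying a manipulated JSESSIONID) into a detection heuristic over constructed access-log lines. It assumes the operator has configured the AccessLogValve pattern shown in the first comment so that the Content-Range and Cookie request headers are recorded.

```python
import re

# Assumed (hypothetical) Tomcat AccessLogValve pattern set by the operator:
#   %h %t "%r" %s "%{Content-Range}i" "%{Cookie}i"   ("-" = header absent)
LOG_RE = re.compile(
    r'^(?P<host>\S+) \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) "(?P<crange>[^"]*)" "(?P<cookie>[^"]*)"$'
)
# Shape of a Tomcat-generated session id: 32 hex chars, optional ".jvmRoute" suffix.
SESSION_ID_RE = re.compile(r'^[0-9A-Fa-f]{32}(\.[A-Za-z0-9_-]+)?$')

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 [18/Mar/2025:10:01:02 +0000] "PUT /uploads/report.pdf HTTP/1.1" 201 "-" "-"
203.0.113.7 [18/Mar/2025:10:01:03 +0000] "PUT /uploads/report.pdf HTTP/1.1" 204 "bytes 0-1023/2048" "-"
203.0.113.7 [18/Mar/2025:10:01:05 +0000] "GET /index.jsp HTTP/1.1" 200 "-" "JSESSIONID=abc123"
203.0.113.7 [18/Mar/2025:10:01:09 +0000] "GET /index.jsp HTTP/1.1" 200 "-" "JSESSIONID=0123456789ABCDEF0123456789ABCDEF"
198.51.100.9 [18/Mar/2025:10:02:00 +0000] "GET /index.jsp HTTP/1.1" 200 "-" "JSESSIONID=abc123"
"""

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def jsessionid(cookie_header):
    """Return the JSESSIONID value from a Cookie header, or None if absent."""
    for part in cookie_header.split(';'):
        name, _, value = part.strip().partition('=')
        if name == 'JSESSIONID':
            return value
    return None

def find_suspects(lines):
    """Flag (host, path, sid) where a source that already sent a partial PUT
    (Content-Range present) later presents a JSESSIONID Tomcat would not issue."""
    partial_put_sources = set()
    findings = []
    for rec in filter(None, map(parse_line, lines)):
        if rec['method'] == 'PUT' and rec['crange'] != '-':
            partial_put_sources.add(rec['host'])   # remember partial-PUT senders
            continue
        sid = jsessionid(rec['cookie'])
        if (rec['method'] == 'GET' and sid is not None
                and rec['host'] in partial_put_sources
                and not SESSION_ID_RE.match(sid)):
            findings.append((rec['host'], rec['path'], sid))
    return findings
```

A plain PUT without Content-Range and a GET with a well-formed session id are deliberately left unflagged, so the heuristic keys on the combination rather than on either request alone.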
The Apache Software Foundation has released emergency patches for all supported versions of Tomcat. In their advisory, the Apache Tomcat security team emphasized the critical nature of this vulnerability and the evidence of active exploitation, strongly urging all users to update immediately.
Conclusion
The discovery and active exploitation of CVE-2025-24813 underscore the importance of maintaining up-to-date software and implementing robust security measures. Organizations utilizing Apache Tomcat should prioritize applying the recommended patches and reviewing their server configurations to mitigate potential risks. By staying vigilant and proactive, organizations can protect their systems from this and future vulnerabilities.