Critical Apache Tomcat Flaw Actively Exploited in Attacks

Critical Apache Tomcat RCE vulnerability (CVE-2025-24813) is actively exploited, allowing attackers to take control of servers via simple PUT requests. Immediate patching is crucial.

    A critical remote code execution (RCE) vulnerability in Apache Tomcat, tracked as CVE-2025-24813, is under active exploitation. Attackers are leveraging this Tomcat flaw to gain complete control of vulnerable servers. The Apache Tomcat vulnerability allows attackers to execute arbitrary code on affected systems, posing a significant threat to enterprise security.

    The RCE flaw allows attackers to take over servers with a simple PUT request. This is alarming because it doesn’t require authentication. Proof-of-concept (PoC) exploits appeared on GitHub within 30 hours of the vulnerability’s disclosure.

    Wallarm security researchers confirmed the malicious activity. They highlighted that traditional security tools often miss these attacks. This is because the PUT requests look normal, and the malicious content is obfuscated using base64 encoding.

    The attack involves sending a PUT request with a base64-encoded, serialized Java payload. This payload is saved to Tomcat’s session storage. A subsequent GET request, using a JSESSIONID cookie pointing to the uploaded session file, triggers Tomcat to deserialize and execute the malicious code. This grants the attacker complete control.

    “This attack is dead simple to execute and requires no authentication,” explains Wallarm.

    “The only requirement is that Tomcat is using file-based session storage, which is common in many deployments. Worse, base64 encoding allows the exploit to bypass most traditional security filters, making detection challenging.”
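The sequence described above (a PUT that writes a serialized session file, then a GET whose JSESSIONID cookie points at that file) leaves a recognisable trace in the access log. The following detector is an added example written for this article, not Wallarm's or Apache's code. It assumes a custom AccessLogValve pattern that records the JSESSIONID cookie (`%h %t "%r" %s "%{JSESSIONID}c"`) and uses constructed log lines; the rule names, the `.session` file suffix check (the suffix Tomcat's FileStore uses for persisted sessions) and the "no slashes in a session id" heuristic are the example's own choices.

```python
import re

# Constructed Tomcat access-log lines for this example (custom AccessLogValve
# pattern: %h %t "%r" %s "%{JSESSIONID}c"). Not real traffic.
SAMPLE_LOG = """\
10.0.0.5 [17/Mar/2025:10:01:02 +0000] "GET /app/index.jsp HTTP/1.1" 200 "5E1A0B9C2F4D8A7B6C5D4E3F2A1B0C9D"
198.51.100.7 [17/Mar/2025:10:02:10 +0000] "PUT /uploads/x9k2.session HTTP/1.1" 201 "-"
198.51.100.7 [17/Mar/2025:10:02:13 +0000] "GET /app/ HTTP/1.1" 200 "../../uploads/x9k2"
10.0.0.9 [17/Mar/2025:10:03:00 +0000] "PUT /uploads/report.pdf HTTP/1.1" 201 "-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) "(?P<jsid>[^"]*)"$'
)


def parse_line(line):
    """Split one access-log line into its fields, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def detect(log_text):
    """Return (rule, client_ip, detail) alerts for the two-step pattern:
    a PUT that writes a .session file, then a request whose JSESSIONID
    cookie refers to that uploaded file (or looks like a path at all)."""
    alerts = []
    uploaded = {}  # stem of an uploaded .session file -> uploading client ip
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path, jsid = rec["path"], rec["jsid"]

        # Rule 1: HTTP PUT of a file with Tomcat's persisted-session suffix.
        if rec["method"] == "PUT" and path.lower().endswith(".session"):
            stem = path.rsplit("/", 1)[-1][: -len(".session")]
            uploaded[stem] = rec["ip"]
            alerts.append(("put_session_file", rec["ip"], path))

        # Rule 2: a legitimate Tomcat session id never contains a path separator.
        if jsid not in ("", "-") and ("/" in jsid or "\\" in jsid):
            alerts.append(("path_like_jsessionid", rec["ip"], jsid))

        # Rule 3: correlate the cookie's last path segment with an earlier upload.
        ref = jsid.replace("\\", "/").rsplit("/", 1)[-1]
        if ref in uploaded:
            alerts.append(("uploaded_session_referenced", rec["ip"], ref))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Rule 3 is the one that distinguishes this attack from a benign PUT to a writable directory: the same client writes a session file and then presents a cookie that resolves to it. Run over a real log the detector will also surface ordinary misconfigurations (any PUT of a `.session` file is worth a look), which is the intended behaviour.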

    The Apache Tomcat flaw affects versions 11.0.0-M1 to 11.0.2, 10.1.0-M1 to 10.1.34, and 9.0.0.M1 to 9.0.98.

    The security bulletin issued by Apache warned about the potential for attackers to view or inject content into sensitive files under specific conditions:

    • Writes enabled for the default servlet (readonly="false"; disabled by default)
    • Support for partial PUT requests enabled (enabled by default)
    • Security-sensitive uploads in a subdirectory of a public upload directory
    • Attacker knowledge of security-sensitive file names
    • Uploads using partial PUT requests

    Apache recommends upgrading to Tomcat versions 11.0.3+, 10.1.35+, or 9.0.99+. These patched versions address CVE-2025-24813. Alternatively, organizations can mitigate the risk by reverting to the default servlet configuration (readonly="true"), disabling partial PUT support, and avoiding storing sensitive files in subdirectories of public upload paths.
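The version ranges and the two DefaultServlet settings above can be checked mechanically. The script below is an added example for this article, not Apache's tooling. It takes the affected and fixed versions from the bulletin as quoted here, reads the `default` servlet's init-params out of a `conf/web.xml` (a constructed sample is embedded), and treats `readonly` as defaulting to `true`. The name of the partial-PUT switch, `allowPartialPut`, is this example's assumption about the init-param introduced with the fix; confirm it against the DefaultServlet documentation for your Tomcat version before relying on the second finding.

```python
import re
import xml.etree.ElementTree as ET

# Fixed releases per branch, from the Apache bulletin as quoted in the article:
# affected 11.0.0-M1..11.0.2, 10.1.0-M1..10.1.34, 9.0.0.M1..9.0.98.
FIXED = {(11, 0): (11, 0, 3, 0), (10, 1): (10, 1, 35, 0), (9, 0): (9, 0, 99, 0)}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")


def parse_version(text):
    """Parse '9.0.98', '11.0.0-M1' or '9.0.0.M1' into a comparable tuple.
    A milestone sorts before the GA build of the same number:
    GA -> (major, minor, patch, 0); milestone m -> (major, minor, patch, -1000 + m)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, ms = m.groups()
    tail = 0 if ms is None else -1000 + int(ms)
    return (int(major), int(minor), int(patch), tail)


def is_vulnerable_version(text):
    """True if the version is in an affected branch and below its fixed release.
    Branches the bulletin does not list (e.g. 8.5.x) return None (unknown)."""
    v = parse_version(text)
    fixed = FIXED.get(v[:2])
    return None if fixed is None else v < fixed


# Constructed conf/web.xml fragment for this example: writes enabled, partial
# PUT left at its default.
SAMPLE_WEB_XML = """\
<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""


def _local(tag):
    """Strip the XML namespace so web.xml can be matched on element names."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_params(web_xml_text):
    """Return {param-name: param-value} for the servlet named 'default'."""
    root = ET.fromstring(web_xml_text)
    params = {}
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        name = next((( c.text or "").strip() for c in servlet if _local(c.tag) == "servlet-name"), "")
        if name != "default":
            continue
        for ip in servlet:
            if _local(ip.tag) == "init-param":
                kv = {_local(c.tag): (c.text or "").strip() for c in ip}
                params[kv.get("param-name")] = kv.get("param-value")
    return params


def audit_default_servlet(web_xml_text):
    """Report the two DefaultServlet settings the bulletin names.
    'readonly' defaults to true (writes off). 'allowPartialPut' is assumed to
    be the partial-PUT init-param (default true); verify for your version."""
    p = default_servlet_params(web_xml_text)
    findings = []
    if p.get("readonly", "true").lower() == "false":
        findings.append("default servlet allows writes (readonly=false)")
    if p.get("allowPartialPut", "true").lower() != "false":
        findings.append("partial PUT support not disabled")
    return findings


if __name__ == "__main__":
    for v in ("9.0.98", "9.0.99", "11.0.0-M1", "8.5.100"):
        print(v, is_vulnerable_version(v))
    print(audit_default_servlet(SAMPLE_WEB_XML))
```

Upgrading to a fixed release is the primary fix; the configuration audit is for deployments that cannot upgrade immediately and want to confirm that the two preconditions the bulletin names are actually closed rather than assumed closed.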

    Wallarm warns that this is only the beginning. “Attackers will soon start shifting their tactics, uploading malicious JSP files, modifying configurations, and planting backdoors outside session storage. This is just the first wave,” cautioned Wallarm.

    This highlights the need for proactive security measures and vigilance against evolving attack vectors. The Apache Tomcat RCE vulnerability underscores the critical need for robust security practices, including regular patching and vulnerability scanning.

    Consider reviewing your organization’s security posture and implementing appropriate mitigation strategies immediately.
