Apache Tomcat RCE/Info Disclosure Bug Exploited in the Wild
Summary
On March 10, Apache disclosed CVE-2025-24813, a remote code execution and/or information disclosure vulnerability affecting certain versions (11.0.0-M1 to 11.0.2, 10.1.0-M1 to 10.1.34, and 9.0.0.M1 to 9.0.98) of their widely used Tomcat server software. While the vulnerability hasn’t yet been assigned a severity score, in-the-wild exploitation was observed as early as March 12 by API security vendor Wallarm and proof-of-concept exploit code has been publicly available since March 14. Successful exploitation depends on a few server configurations, but if those are met, an unauthenticated attacker could take over a vulnerable Tomcat server. Affected organizations should patch to an unaffected version of Tomcat as soon as possible and check server configurations; attacker tactics are likely to shift quickly due to the bug’s simplicity.
Affected Systems and/or Applications
The following Apache Tomcat versions (inclusive) are affected by CVE-2025-24813:
- 11.0.0-M1 – 11.0.2
- 10.1.0-M1 – 10.1.34
- 9.0.0.M1 – 9.0.98
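The three ranges above mix milestone builds (9.0.0.M1, 11.0.0-M1) with GA releases, which makes naive string comparison unreliable when checking an inventory. The following Python helper is an added example, not part of the original advisory; it encodes only the ranges listed above and treats any other branch (for example 8.5.x, which the advisory does not mention) as "not listed" rather than guessing.

```python
import re
from typing import Optional, Tuple

# Last affected release per branch, copied from the advisory. Every milestone
# build (M1, M2, ...) of a branch precedes the branch's first GA build, so the
# advisory's lower bounds are simply "the start of the branch".
LAST_AFFECTED = {
    (11, 0): "11.0.2",
    (10, 1): "10.1.34",
    (9, 0): "9.0.98",
}

# Accepts "10.1.34", "11.0.0-M1" and the older "9.0.0.M1" spelling.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")

# Sentinel milestone value for GA builds: larger than any real milestone number,
# so that 9.0.0.M1 < 9.0.0 when the tuples are compared.
GA_MILESTONE = 10**9


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Turn a Tomcat version string into a sortable (major, minor, patch, milestone) tuple."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version string: {version!r}")
    major, minor, patch, milestone = m.groups()
    return (int(major), int(minor), int(patch),
            int(milestone) if milestone is not None else GA_MILESTONE)


def is_affected(version: str) -> Optional[bool]:
    """True if the version falls in an affected range, False if it is a fixed build
    on one of the listed branches, None if the branch is not covered by the advisory."""
    parsed = parse_version(version)
    last = LAST_AFFECTED.get(parsed[:2])
    if last is None:
        return None
    return parsed <= parse_version(last)


if __name__ == "__main__":
    # Constructed inventory for illustration.
    for v in ["9.0.0.M1", "9.0.98", "9.0.99", "10.1.34", "10.1.35",
              "11.0.0-M1", "11.0.2", "11.0.3", "8.5.100"]:
        print(f"{v:10} -> {is_affected(v)}")
```

Versions reported as None need a separate decision: the advisory lists no ranges for them, and an end-of-life branch that is not listed is not thereby known to be safe.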
Technical Details
From the Apache bulletin:
If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files:
- writes enabled for the default servlet (disabled by default)
- support for partial PUT (enabled by default)
- a target URL for security sensitive uploads that was a sub-directory of a target URL for public uploads
- attacker knowledge of the names of security sensitive files being uploaded
- the security sensitive files also being uploaded via partial PUT
If all of the following were true, a malicious user was able to perform remote code execution:
- writes enabled for the default servlet (disabled by default)
- support for partial PUT (enabled by default)
- application was using Tomcat’s file based session persistence with the default storage location
- application included a library that may be leveraged in a deserialization attack
The exploit chains two features: partial PUT support in the default servlet and file-based session persistence (a PersistentManager backed by a FileStore) using its default storage location. A partial PUT is a PUT request that carries a Content-Range header. To assemble the partial content, the default servlet stages the uploaded bytes in a temporary file inside the web application's work directory, naming the file after the request path with every `/` replaced by `.`. A FileStore with the default location keeps persisted sessions in that same work directory as `<session ID>.session`, and reads and deserializes such a file when a request presents a session ID that is not already in memory. Put together:
- The attacker sends a partial PUT whose body is a malicious serialized Java object and whose path makes the staged file name end in `.session`
- The attacker then sends a GET request carrying a JSESSIONID that matches that file name; Tomcat loads the file from the work directory and deserializes it, and with a suitable gadget library on the application's classpath this yields remote code execution
Authentication is not required; the attacker only needs to be able to reach the Tomcat server over the network. Note that the final write of the PUT into the web application does not have to succeed: the staged copy in the work directory is created before that write is attempted and remains there, so an error response to the PUT does not mean the attempt failed.
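The two-request pattern described above can be spotted in access logs if the relevant request headers are logged. The following Python script is an added example and is not part of the original advisory. It assumes an AccessLogValve pattern of `%h %t "%r" %s "%{Content-Range}i" "%{Cookie}i"`, i.e. the default pattern extended with the Content-Range and Cookie request headers (neither is logged by default), and it assumes the application is deployed as the ROOT context so that the logged request path equals the path the default servlet stages. The log lines are constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample log, in the assumed AccessLogValve pattern:
#   %h %t "%r" %s "%{Content-Range}i" "%{Cookie}i"
# An absent header is logged as "-". Status codes are illustrative only; the
# detection below deliberately ignores them.
SAMPLE_LOG = """\
203.0.113.7 [12/Mar/2025:10:15:01 +0000] "PUT /demo/session HTTP/1.1" 409 "bytes 0-1199/1200" "-"
203.0.113.7 [12/Mar/2025:10:15:02 +0000] "GET /index.jsp HTTP/1.1" 200 "-" "JSESSIONID=.demo"
198.51.100.9 [12/Mar/2025:10:16:40 +0000] "GET /index.jsp HTTP/1.1" 200 "-" "JSESSIONID=5C1E2F0A9B8D7E6F5A4B3C2D1E0F9A8B"
203.0.113.7 [12/Mar/2025:10:17:00 +0000] "PUT /upload/report.txt HTTP/1.1" 204 "-" "-"
198.51.100.9 [12/Mar/2025:10:18:00 +0000] "GET /index.jsp HTTP/1.1" 200 "-" "JSESSIONID=admin"
"""

LOG_RE = re.compile(
    r'^(?P<host>\S+) \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) "(?P<content_range>[^"]*)" "(?P<cookie>[^"]*)"$'
)

# Tomcat-generated session IDs are hex (32 characters with the default ID
# length), optionally followed by ".<jvmRoute>". Anything else is unusual.
NORMAL_SID_RE = re.compile(r"^[0-9A-Fa-f]{32,}(\.[A-Za-z0-9_-]+)?$")


def session_id(cookie_header: str) -> Optional[str]:
    """Extract the JSESSIONID value from a logged Cookie header, if present."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "JSESSIONID":
            return value
    return None


def staged_file_name(path: str) -> str:
    """Name of the file a partial PUT stages in the work directory: the
    servlet-relative path with every '/' turned into '.', so
    /demo/session becomes .demo.session (ROOT context assumed)."""
    return path.replace("/", ".")


def scan(log_text: str) -> List[Dict[str, str]]:
    """Return findings, in log order, for the partial-PUT / session-ID pattern."""
    findings: List[Dict[str, str]] = []
    staged: Dict[str, str] = {}  # staged file name -> host that uploaded it
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the assumed pattern; skip rather than guess
        r = m.groupdict()

        # Any PUT carrying Content-Range is a partial PUT and stages a file.
        if r["method"] == "PUT" and r["content_range"] != "-":
            name = staged_file_name(r["path"])
            staged[name] = r["host"]
            findings.append({
                "level": "medium", "host": r["host"],
                "reason": f"partial PUT ({r['content_range']}) to {r['path']} staged as {name}",
            })

        sid = session_id(r["cookie"])
        if sid is None:
            continue
        # A session ID that resolves to a file staged by an earlier partial PUT
        # is the second half of the chain: FileStore would load <sid>.session.
        if sid + ".session" in staged:
            findings.append({
                "level": "high", "host": r["host"],
                "reason": f"JSESSIONID {sid} resolves to staged file {sid}.session "
                          f"uploaded by {staged[sid + '.session']}",
            })
        elif not NORMAL_SID_RE.match(sid):
            findings.append({
                "level": "low", "host": r["host"],
                "reason": f"JSESSIONID {sid} does not look Tomcat-generated",
            })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f['level']}] {f['host']}: {f['reason']}")
```

For an application deployed under a context path other than ROOT, strip that context path from `path` before calling `staged_file_name`, since the default servlet stages the servlet-relative path. A hit on the "high" rule from a host that also sent the partial PUT is the strongest signal; the "low" rule alone is noisy on applications that issue their own session IDs.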
Mitigation
To mitigate CVE-2025-24813, Apache recommends that all users upgrade to patched Tomcat versions:
- 11.0.3+
- 10.1.35+
- 9.0.99+
While that will suffice for this particular bug, Wallarm warns of the potential for more RCE vulnerabilities arising from Tomcat’s partial PUT request handling.
Organizations should additionally consider keeping the default servlet at its default readonly="true" configuration (checking both conf/web.xml and each application's WEB-INF/web.xml, since an application can redefine the default servlet), disabling partial PUT support, not using file-based session persistence in its default work-directory location where it is not needed, and avoiding the storage of sensitive files in a subdirectory of public upload paths.
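The following web.xml fragment is an added example of the default servlet hardening described above; it is not taken from the advisory or from Apache's shipped configuration. It shows the exploitable setting (commented out) next to the hardened one. The `allowPartialPut` init parameter is assumed to be the DefaultServlet switch for partial PUT support in the fixed releases; confirm the parameter name and its default against the DefaultServlet documentation for the Tomcat version you run.

```xml
<!-- conf/web.xml: global definition of the default servlet.
     The same servlet-name can be redefined in a webapp's WEB-INF/web.xml,
     so audit those files as well. -->
<servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
        <param-name>debug</param-name>
        <param-value>0</param-value>
    </init-param>
    <init-param>
        <param-name>listings</param-name>
        <param-value>false</param-value>
    </init-param>

    <!-- Exploitable setting (first precondition in the Apache bulletin):
         readonly=false lets any client PUT and DELETE resources through the
         default servlet. Shown here only for comparison; do not enable it.
    <init-param>
        <param-name>readonly</param-name>
        <param-value>false</param-value>
    </init-param>
    -->

    <!-- Hardened: readonly=true is the default, but stating it explicitly
         makes an application-level override easier to spot during review. -->
    <init-param>
        <param-name>readonly</param-name>
        <param-value>true</param-value>
    </init-param>

    <!-- Assumed parameter name (see lead-in): reject PUT requests that carry a
         Content-Range header, i.e. disable partial PUT support entirely. -->
    <init-param>
        <param-name>allowPartialPut</param-name>
        <param-value>false</param-value>
    </init-param>

    <load-on-startup>1</load-on-startup>
</servlet>
```

The remaining precondition for the RCE path, file-based session persistence in the default work-directory location, is configured separately through a `<Manager>` element in context.xml; if an application does not need persistent sessions, leaving the manager at Tomcat's default in-memory StandardManager removes that precondition as well.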
What the Cyber Fusion Center is Doing
The CFC will continue to monitor the situation and send an advisory update if needed. Clients subscribed to our vulnerability scan services will receive relevant results if critical vulnerabilities are found within the scope of the scans as soon as a relevant plugin is made available by the scan provider.
- 732323
- 732322
- 732321
- 152821
- 6019167
- 5003040