
March 18, 2025

Meow-ware alert: Attackers pounce on Tomcat flaw


A critical remote code execution (RCE) vulnerability, identified as CVE-2025-24813, has been disclosed in Apache Tomcat. On servers that meet a handful of configuration conditions, it allows attackers to gain complete control of the host with a simple PUT request followed by a GET. Proof-of-concept exploits were published on GitHub within 30 hours of the flaw's disclosure, and malicious actors are actively exploiting it.

Security researchers have observed that traditional security tools often fail to detect these attacks because the PUT requests look like ordinary file uploads and the malicious content is obfuscated with base64 encoding. The attack begins with a PUT request whose body is a base64-encoded serialized Java object, written in such a way that the file lands in Tomcat's session storage directory.


Subsequently, a GET request carrying a JSESSIONID cookie that points at the uploaded file makes Tomcat load the file as a persisted session, deserialize it, and execute the malicious code. The attack requires no authentication. It relies on Tomcat's handling of partial PUT requests, but only succeeds when the default servlet has been made writable (readonly="false", which is not Tomcat's default), the application uses Tomcat's file-based session persistence with its default storage location, and a library usable as a deserialization gadget is on the classpath; these are the preconditions the Apache advisory lists.

The vulnerability affects Apache Tomcat versions:

  • 11.0.0-M1 to 11.0.2
  • 10.1.0-M1 to 10.1.34
  • 9.0.0.M1 to 9.0.98

To mitigate the risk, it is recommended to upgrade to Tomcat versions 11.0.3 or later, 10.1.35 or later, or 9.0.99 or later.

Where an immediate upgrade is not possible, keep the default servlet read-only (readonly="true", which is Tomcat's default), disable partial PUT support (the allowPartialPut init-param of the default servlet, where the release offers it), and avoid storing security-sensitive files, session stores included, in subdirectories of paths that accept uploads.
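As an added example (not code from the original article or from the Tomcat project), the following Python script turns the affected ranges and fixed versions listed above into a version check, and audits a conf/web.xml for the default servlet settings the mitigation refers to. The version strings and the two web.xml fragments are constructed for illustration. readonly is the documented DefaultServlet init-param that rejects PUT and DELETE; allowPartialPut is the init-param the current DefaultServlet documentation uses for partial PUT support and is assumed here to be the setting meant by "disable partial PUT support". Tomcat's defaults when a parameter is absent are readonly=true and allowPartialPut=true.

```python
import re
import xml.etree.ElementTree as ET

# First fixed release per branch, from the advisory; anything below it in the same
# branch (milestone releases included) is in the affected range.
FIXED = {(11, 0): (11, 0, 3), (10, 1): (10, 1, 35), (9, 0): (9, 0, 99)}
# Accepts "11.0.2", "10.1.0-M1" and the older "9.0.0.M1" milestone spelling.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[-.]M(\d+))?$")
DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"


def parse_version(text):
    """Return a sortable key; a milestone sorts before the GA release with the same number."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    return (int(major), int(minor), int(patch), 0 if milestone else 1, int(milestone or 0))


def is_vulnerable(text):
    """True/False for the three branches in the advisory, None for branches it does not cover."""
    key = parse_version(text)
    fixed = FIXED.get(key[:2])
    if fixed is None:
        return None  # e.g. 8.5.x is end-of-life and not assessed by the advisory
    return key < fixed + (1, 0)


def _local(tag):
    # Strip the XML namespace so javaee and jakartaee web.xml files are handled alike.
    return tag.rsplit("}", 1)[-1]


def audit_default_servlet(web_xml):
    """Effective DefaultServlet init-params relevant to CVE-2025-24813.

    Tomcat's documented defaults apply when a parameter is absent:
    readonly=true (PUT/DELETE rejected) and allowPartialPut=true."""
    params = {}
    for servlet in ET.fromstring(web_xml).iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls = next((c.text or "" for c in servlet if _local(c.tag) == "servlet-class"), "")
        if cls.strip() != DEFAULT_SERVLET:
            continue
        for init_param in (c for c in servlet if _local(c.tag) == "init-param"):
            kv = {_local(c.tag): (c.text or "").strip() for c in init_param}
            if "param-name" in kv:
                params[kv["param-name"]] = kv.get("param-value", "").lower()
    readonly = params.get("readonly", "true") == "true"
    partial_put = params.get("allowPartialPut", "true") == "true"
    return {
        "readonly": readonly,
        "allowPartialPut": partial_put,
        # The write path in the advisory needs both: PUT accepted and partial PUT enabled.
        "exposed": not readonly and partial_put,
    }


def _web_xml(extra_params):
    # Constructed fragment in the shape of conf/web.xml; not taken from any real deployment.
    return f"""<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>{DEFAULT_SERVLET}</servlet-class>
    <init-param><param-name>listings</param-name><param-value>false</param-value></init-param>
    {extra_params}
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>"""


# Weak: someone turned the default servlet writable, so PUT is accepted.
WEAK_WEB_XML = _web_xml(
    "<init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>")
# Hardened: read-only default servlet and partial PUT switched off explicitly.
HARDENED_WEB_XML = _web_xml(
    "<init-param><param-name>readonly</param-name><param-value>true</param-value></init-param>\n"
    "    <init-param><param-name>allowPartialPut</param-name><param-value>false</param-value></init-param>")

if __name__ == "__main__":
    for v in ("9.0.0.M1", "10.1.0-M1", "11.0.2", "11.0.3", "10.1.35", "9.0.99", "8.5.100"):
        print(f"{v:>10}: affected={is_vulnerable(v)}")
    print("weak    :", audit_default_servlet(WEAK_WEB_XML))
    print("hardened:", audit_default_servlet(HARDENED_WEB_XML))
```

Point the audit at $CATALINA_BASE/conf/web.xml and at any application's WEB-INF/web.xml that redeclares the default servlet; the version string comes from `bin/version.sh` or the `Server` header only if the deployment still exposes it.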

Source: Bleeping Computer

Analysis

Apache Tomcat is an open-source Java servlet container developed by the Apache Software Foundation (ASF). It is widely used to deploy and run Java-based web applications, specifically those using Java Servlets, JavaServer Pages (JSP), and WebSockets.

Once a threat actor successfully exploits the Apache Tomcat vulnerability (CVE-2025-24813), they gain the ability to execute arbitrary code on the compromised server, opening the door to several malicious actions, including:

  • Deploying webshells & backdoors
  • Lateral movement
  • Ransomware & data theft
  • Cryptojacking
  • Server takeover for botnets

CVE-2025-24813 poses a critical risk due to its ease of exploitation, the public availability of proof-of-concept (PoC) exploits, and Tomcat's widespread use in enterprises, cloud environments, and critical infrastructure. Against a server configured as described above, attackers only need to send an unauthenticated PUT request with a base64-encoded payload and a follow-up GET to gain remote code execution. If Tomcat runs with high privileges (for example as root or SYSTEM), attackers inherit those privileges outright, further increasing the impact. Organizations should therefore treat this vulnerability as a high-priority security risk.

Mitigation

Field Effect's elite team of Security Intelligence professionals constantly monitors the cyber threat landscape for vulnerabilities discovered in open-source web servers like Tomcat. Field Effect MDR users are automatically notified if a vulnerability is detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.

Field Effect strongly recommends that impacted users upgrade to the patched versions: 11.0.3, 10.1.35, or 9.0.99. Additionally, restricting or disabling PUT requests where they are not required reduces the attack surface, as does keeping the default servlet read-only (readonly="true") in its init-param settings.

Security teams should actively monitor server logs for unusual PUT requests or unauthorized session manipulations, as these could indicate attempted exploitation. Hardening Tomcat configurations, restricting file upload permissions, and applying network-level controls can further reduce the risk of compromise.
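As an added example rather than anything from the original article, this Python script applies the monitoring advice above to Tomcat access-log lines. It assumes an AccessLogValve pattern of %h %l %u %t "%r" %s %b "%{JSESSIONID}c" (Tomcat's default pattern does not log cookies, so this is an assumption about the deployment). It flags write methods, JSESSIONID values that do not look like a Tomcat-generated ID (32 hex characters, optionally followed by a "." and the jvmRoute), and a client that sends a PUT and shortly afterwards presents such an ID, which is the two-step sequence described earlier. The log lines are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Assumed AccessLogValve pattern (the default "common" pattern does not include the cookie):
#   %h %l %u %t "%r" %s %b "%{JSESSIONID}c"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "(?P<jsid>[^"]*)"$'
)
# Tomcat-generated ids are 32 hex characters, plus ".<jvmRoute>" when a route is configured.
SESSION_ID_RE = re.compile(r"^[0-9A-Fa-f]{32}(\.[A-Za-z0-9_-]+)?$")
WRITE_METHODS = {"PUT", "DELETE", "PATCH"}
# How long after a write request an odd session id from the same client is still correlated.
WINDOW = timedelta(minutes=10)

# Constructed sample lines: two benign requests, the PUT-then-GET sequence, then a stray bad id.
SAMPLE_LOG = [
    '198.51.100.23 - - [18/Mar/2025:10:14:58 +0000] "GET /app/index.jsp HTTP/1.1" 200 5120 "4F2A0C9E1B7D3E6A8C5F0B2D4E6A8C1F"',
    '198.51.100.23 - - [18/Mar/2025:10:15:01 +0000] "GET /app/profile HTTP/1.1" 200 2048 "4F2A0C9E1B7D3E6A8C5F0B2D4E6A8C1F.node1"',
    '203.0.113.7 - - [18/Mar/2025:10:15:02 +0000] "PUT /app/upload HTTP/1.1" 201 - "-"',
    '203.0.113.7 - - [18/Mar/2025:10:15:04 +0000] "GET /app/ HTTP/1.1" 200 312 ".app.upload"',
    '192.0.2.44 - - [18/Mar/2025:10:16:10 +0000] "GET /app/ HTTP/1.1" 200 312 "not-a-real-session"',
]


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match the pattern."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def analyse(lines):
    """Return (severity, host, reason, line) findings in log order."""
    findings = []
    last_write = {}  # host -> time of its most recent write-method request
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        host, ts, jsid = rec["host"], rec["ts"], rec["jsid"]
        if rec["method"] in WRITE_METHODS:
            last_write[host] = ts
            findings.append(("medium", host, f"{rec['method']} to {rec['path']}", line))
        if jsid not in ("", "-") and not SESSION_ID_RE.match(jsid):
            prior = last_write.get(host)
            if prior is not None and timedelta(0) <= ts - prior <= WINDOW:
                findings.append(("high", host, f"non-Tomcat session id {jsid!r} shortly after a write", line))
            else:
                findings.append(("low", host, f"non-Tomcat session id {jsid!r}", line))
    return findings


if __name__ == "__main__":
    for severity, host, reason, _line in analyse(SAMPLE_LOG):
        print(f"[{severity:>6}] {host:<14} {reason}")
```

The format check is deliberately structural: it does not look for any particular payload, so it also catches variants of the cookie value, at the cost of flagging applications that set JSESSIONID themselves or use a non-default sessionIdLength. Tune SESSION_ID_RE to the deployment before alerting on the "low" findings.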
