Full Report
A recently disclosed security flaw impacting Apache Tomcat has come under active exploitation in the wild following the release of a public proof-of-concept (PoC) a mere 30 hours after public disclosure. The vulnerability, tracked as CVE-2025-24813, affects the below versions - Apache Tomcat 11.0.0-M1 to 11.0.2 Apache Tomcat 10.1.0-M1 to 10.1.34 Apache Tomcat 9.0.0-M1 to 9.0.98 It concerns a
Analysis Summary
# Vulnerability: Apache Tomcat Remote Code Execution via Partial PUT Requests
## CVE Details
- CVE ID: CVE-2025-24813
- CVSS Score: Information not explicitly provided in the text, but severity is implied as High due to active RCE exploitation.
- CWE: Not explicitly listed. (Likely related to Improper Neutralization of Special Elements in an Implemented File Upload operation or Deserialization of Untrusted Data)
## Affected Systems
- Products: Apache Tomcat
- Versions:
- 11.0.0-M1 to 11.0.2
- 10.1.0-M1 to 10.1.34
- 9.0.0-M1 to 9.0.98
- Configurations: Exploitation is most effective when:
1. Tomcat is using file-based session persistence with the default storage location.
2. The application includes a library leveraged in a deserialization attack.
3. Default servlet writes are enabled (disabled by default).
4. Partial PUT support is enabled (enabled by default).
## Vulnerability Description
The vulnerability lies in the way Apache Tomcat handles partial PUT requests. It can lead to information disclosure or Remote Code Execution (RCE) under specific conditions, particularly when file storage is involved.
**Information Disclosure/Content Injection:** If conditions are met (writes enabled for default servlet, partial PUT enabled, specific directory configurations), an attacker can send a PUT request to upload arbitrary content into security-sensitive files or view them.
**Remote Code Execution (RCE):** The confirmed RCE path involves abusing Tomcat's default file-based session persistence. An attacker sends a PUT request containing a Base64-encoded serialized Java session payload to Tomcat's session storage directory. Subsequently, the attacker triggers deserialization by making a GET request referencing the malicious session ID (`JSESSIONID`).
## Exploitation
- Status: **Actively exploited in the wild** just 30 hours after public disclosure.
- Complexity: **Low**. The attack requires no authentication and leverages default configurations (file-based sessions).
- Attack Vector: **Network**. (Requires sending HTTP PUT/GET requests).
## Impact
- Confidentiality: High (Information disclosure possible).
- Integrity: High (Arbitrary content injection possible, leading to RCE).
- Availability: Potential impact via resource exhaustion or system compromise leading to service disruption.
## Remediation
### Patches
- Update to the following patched versions:
- Apache Tomcat 9.0.99
- Apache Tomcat 10.1.35
- Apache Tomcat 11.0.3
### Workarounds
- As a temporary measure, organizations should consider disabling file-based session persistence if possible, as this is crucial to the observed RCE exploit chain.
## Detection
- **Indicators of Compromise (IOCs):**
- Network traffic showing unauthenticated HTTP PUT requests targeting Tomcat endpoints, especially those resulting in file writes to session storage directories or configuration files.
- GET requests referencing suspicious or unusually long `JSESSIONID` values immediately following a suspected session file upload.
- **Detection Methods and Tools:**
- Monitor web access logs for unusual PUT activity patterns.
- Web Application Firewalls (WAFs) or runtime security tools should be configured to look for suspicious session file manipulation or deserialization triggers.
## References
- Vendor Advisory (Implicit): [tomcat.apache.org/security-11.html](https://tomcat.apache.org/security-11.html) (CVE link context)
- Security Research Note: [lab.wallarm.com/one-put-request-to-own-tomcat-cve-2025-24813-rce-is-in-the-wild/](https://lab.wallarm.com/one-put-request-to-own-tomcat-cve-2025-24813-rce-is-in-the-wild/)