
Impact
Remote Code Execution (RCE) is the primary risk associated with this vulnerability. Successful exploitation allows attackers to execute arbitrary code on affected systems, which could lead to:
• Unauthorized access to sensitive data
• Compromise of system integrity
• Potential further exploitation of the affected server
Active exploitation has been observed, with significant effort directed at systems in countries including the United States, Japan, India, South Korea, and Mexico. Because Apache Tomcat is so widely deployed, this attack can spread rapidly.
21st March 2025
Active Exploitation of Vulnerability in Apache Tomcat Servers
(CVE-2025-24813)
Severity Level: 3
Recently, our Threat Intel Team has come across a significant security vulnerability in Apache Tomcat, identified as CVE-2025-24813, which could enable unauthorized remote code execution (RCE) on vulnerable systems. The vulnerability is linked to how Apache Tomcat handles file paths during partial PUT requests, creating a security loophole that could allow attackers to upload malicious payloads leading to potential RCE. This vulnerability affects multiple versions of Apache Tomcat, and exploitation attempts have already been observed. With a CVSS 3.1 score of 9.8 (Critical), this vulnerability represents a significant risk for organizations using vulnerable versions of Apache Tomcat.
Technical Details
The vulnerability arises from improper handling of file paths during partial PUT requests in Apache Tomcat. When a user uploads a file, Apache Tomcat creates a temporary file using the provided filename and path, replacing path separators with dots. This process, initially intended to guard against path traversal attacks, has inadvertently introduced a new vulnerability.
Exploitation Process:
1. Malicious File Upload: An attacker sends a crafted PUT request to upload a Java session file with a manipulated file name and path, exploiting the path equivalence vulnerability.
2. Triggering Deserialization: The attacker then sends a GET request referencing the malicious session ID, triggering the deserialization of the uploaded file. This can lead to remote code execution if the deserialized file contains executable code.
This vulnerability affects the following versions of Apache Tomcat:
• Apache Tomcat 11.0.0-M1 to 11.0.2
• Apache Tomcat 10.1.0-M1 to 10.1.34
• Apache Tomcat 9.0.0-M1 to 9.0.98

Detection Method
Organizations should monitor their web server logs for unusual or unexpected PUT requests, especially those that attempt to upload Java session files or other suspicious file types. Logs should be checked for the following indicators:
• PUT requests with unusual or malformed file paths
• Evidence of deserialization activity tied to malicious session IDs
• Requests originating from known malicious IP addresses
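The two-step sequence above (a PUT upload followed by a GET whose session ID refers to the uploaded file) can be correlated directly from Tomcat access logs. The following is an added example written for this advisory, not code from Apache or the original page; it assumes an AccessLogValve pattern of `%h %t "%r" %s "%{Content-Range}i" "%{Cookie}i"` (an assumption, chosen so that partial PUTs and session cookies are visible in the log) and runs over constructed sample lines.

```python
"""Flag PUT uploads in Tomcat access logs and correlate later GETs whose JSESSIONID
refers to the uploaded file. Assumed AccessLogValve pattern (assumption):
%h %t "%r" %s "%{Content-Range}i" "%{Cookie}i"
"""
import re

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) "(?P<range>[^"]*)" "(?P<cookie>[^"]*)"$'
)

def parse(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def session_id(cookie_header):
    m = re.search(r'JSESSIONID=([^;\s]+)', cookie_header)
    return m.group(1) if m else None

def upload_name(path):
    # Tomcat names the temporary file by replacing path separators with dots;
    # drop any query string and ".session" suffix, then normalise surrounding dots.
    stem = path.split('?', 1)[0].strip('/').replace('/', '.')
    if stem.endswith('.session'):
        stem = stem[:-len('.session')]
    return stem.strip('.')

def detect(lines):
    uploads = {}  # normalised upload name -> source IP of the PUT
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        if rec['method'] == 'PUT':
            # Any PUT is notable on a read-only deployment; a Content-Range header marks a partial PUT.
            kind = 'partial PUT (Content-Range present)' if rec['range'] != '-' else 'PUT'
            alerts.append((kind, rec['ip'], rec['path']))
            uploads[upload_name(rec['path'])] = rec['ip']
        elif rec['method'] == 'GET':
            sid = session_id(rec['cookie'])
            if sid and sid.strip('.') in uploads:
                alerts.append(('GET referencing uploaded session file', rec['ip'], sid))
    return alerts

# Constructed sample log lines (not real traffic).
SAMPLE = [
    '203.0.113.10 [21/Mar/2025:10:00:01 +0000] "PUT /app/upload.session HTTP/1.1" 201 "bytes 0-99/100" "-"',
    '203.0.113.10 [21/Mar/2025:10:00:02 +0000] "GET /app/index.jsp HTTP/1.1" 500 "-" "JSESSIONID=app.upload"',
    '198.51.100.7 [21/Mar/2025:10:00:05 +0000] "GET /app/index.jsp HTTP/1.1" 200 "-" "JSESSIONID=A1B2C3D4"',
]

if __name__ == '__main__':
    for alert in detect(SAMPLE):
        print(alert)
```

Running it against the sample yields two alerts: the partial PUT itself and the follow-up GET whose session ID matches the uploaded file name.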
Indicators of Compromise
IP Addresses:
Recommendations
To mitigate the risks associated with CVE-2025-24813, organizations should take the following actions:
1. Apply Patches: Immediately apply the latest security patches released by Apache for affected Tomcat versions.
• Apache Tomcat 11.0.3 or later (for 11.x versions)
• Apache Tomcat 10.1.35 or later (for 10.x versions)
• Apache Tomcat 9.0.99 or later (for 9.x versions)
2. Monitor Web Server Logs: Continuously monitor logs for any unusual PUT or GET requests, particularly those involving the upload of session files.
3. Block Malicious IPs: Use threat intelligence feeds to block IPs involved in the exploitation attempts.
4. Deploy Web Application Firewalls (WAF): Implement WAF rules to detect and block malicious payloads associated with this vulnerability.
5. Review Server Configuration: Ensure that the default servlet does not have write capability enabled unless absolutely necessary and restrict the use of partial PUT requests where possible.
6. Evaluate Use of Deserialization Libraries: Review applications for any libraries that might be vulnerable to deserialization attacks and ensure they are updated or mitigated appropriately.
Conclusion
CVE-2025-24813 is a high-risk vulnerability in Apache Tomcat that enables remote code execution through a flaw in how the server handles partial PUT requests. Exploitation attempts have already been observed, and while specific configurations are required for successful exploitation, the risk of widespread exploitation remains high. Organizations are strongly urged to apply patches immediately, review their server configurations, and monitor for indicators of compromise. Given the critical nature of the vulnerability, early mitigation is crucial to prevent potential damage. For further updates and patching guidance, please refer to the official Apache Tomcat security advisories.