The New Zealand Computer Emergency Response Team (CERT NZ) has issued an urgent security advisory warning of a critical vulnerability, CVE-2025-24813, that affects several versions of Apache Tomcat. This Apache Tomcat vulnerability presents serious security risks, including remote code execution (RCE), information disclosure, and content corruption.
The vulnerability, CVE-2025-24813, is present in Apache Tomcat 9.x, 10.x, and 11.x, but only non-default configurations are exploitable. According to the advisory, an unauthenticated attacker who can reach a server with writes enabled on the default servlet can use a partial PUT request to write a file outside the location the upload path implies. Where the additional conditions below are also met, the written file can be a crafted serialized session that Tomcat later deserializes, giving the attacker arbitrary code execution on the server.
The root cause sits in Tomcat's default servlet, the servlet that serves static resources and, when writes are enabled, accepts PUT requests. Per the Apache advisory, the original partial PUT implementation staged the upload in a temporary file whose name was derived from the user-supplied path with the path separator replaced by a dot, a path equivalence flaw that let a request for one path produce a file matching another. Depending on what else is deployed, the result is disclosure of security-sensitive files, injection of content into them, or remote code execution (RCE).
Affected Versions
The vulnerability affects the following versions of Apache Tomcat:
- Apache Tomcat 11.0.0-M1 to 11.0.2
- Apache Tomcat 10.1.0-M1 to 10.1.34
- Apache Tomcat 9.0.0.M1 to 9.0.98
These versions are vulnerable to CVE-2025-24813 only if they also meet the additional conditions outlined in the vendor advisory. Applications running on these versions are at risk if the default servlet has been configured with writes enabled (readonly=false, which is not the shipped default) and partial PUT support is left at its default of enabled, especially where an attacker can choose the upload path and sensitive files live under a publicly writable location.
How Attackers Could Exploit CVE-2025-24813
Exploiting CVE-2025-24813 requires specific conditions. For an attacker to view security-sensitive files or inject content into them, all of the following must be true:
- Writes enabled for the default servlet (disabled by default).
- Partial PUT support enabled (enabled by default).
- A target URL for security-sensitive uploads that is a sub-directory of a target URL for public uploads.
- Attacker knowledge of the names of the security-sensitive files being uploaded.
- The security-sensitive files also being uploaded via partial PUT.
For an attacker to gain remote code execution, additional conditions must be met:
- The application is using Tomcat’s file-based session persistence with the default storage location.
- The application includes a library that could be used in a deserialization attack (a usable gadget chain on the classpath).
The New Zealand CERT also noted that a proof-of-concept (PoC) and reports of active exploitation have already surfaced, making this flaw even more pressing for those using vulnerable versions.
Why You Should Be Concerned
The severity of CVE-2025-24813 is real but conditional. Apache rates the issue Important, while NVD assigns it a CVSS 3.1 base score of 9.8 (Critical) because, where the conditions line up, it allows unauthenticated remote code execution. Organizations in that position face arbitrary code execution on the server, exposure of sensitive files, or corruption of application files.
What makes the flaw dangerous is how little the attacker needs once the configuration is permissive: a stock installation with the default servlet read-only is not exploitable, but where writes are enabled and partial PUT is still on, the entire delivery step is a single HTTP PUT request carrying a Content-Range header. Organizations that rely on Apache Tomcat to serve Java applications should confirm their configuration rather than assume the default protects them, and act immediately where it does not.
How to Protect Your Systems
To mitigate the risks associated with CVE-2025-24813, Apache Tomcat users are advised to upgrade their installations to secure versions. The following versions have fixed the vulnerability:
- Apache Tomcat 11.0.3 or later
- Apache Tomcat 10.1.35 or later
- Apache Tomcat 9.0.99 or later
Upgrading to one of these versions removes the flaw. Independently of the upgrade, administrators should check the configuration against the conditions above: keep the default servlet's readonly init-parameter at its default of true unless writes are genuinely required; where writes are required, set allowPartialPut to false so uploads must be whole files; avoid PersistentManager with FileStore in its default location (the webapp's work directory) when untrusted clients can write to the server; and review the classpath for libraries known to provide deserialization gadget chains.
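The precondition list and the mitigation advice above come down to three things an operator can check offline: the running version, the default servlet's readonly and allowPartialPut init-parameters in conf/web.xml, and whether a context uses PersistentManager with a FileStore in the default location. The following script is an added example written for this article, not code from the Tomcat project or from CERT NZ. The fixed-version numbers and the init-parameter names are taken from the advisory; the treatment of a FileStore with no directory attribute as "default location" is a heuristic (FileStore resolves a missing directory to the webapp's work directory), and the embedded web.xml and context.xml fragments are constructed samples.

```python
"""Offline audit of the CVE-2025-24813 preconditions.

Inputs: a Tomcat version string (for example the value of ServerInfo.getServerInfo()),
the text of conf/web.xml and the text of a context.xml. Output: which of the
advisory's preconditions the configuration satisfies.
"""
import re
import xml.etree.ElementTree as ET

# First fixed version on each affected line, per the advisory. Earlier = affected.
FIXED = {(9, 0): (9, 0, 99), (10, 1): (10, 1, 35), (11, 0): (11, 0, 3)}

# Matches "9.0.98", "9.0.0.M1" and "11.0.0-M1", with or without "Apache Tomcat/".
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?")


def parse_version(s):
    """Return a comparable tuple; milestones sort before the GA release of the same number."""
    m = VERSION_RE.search(s)
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {s!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)      # GA release
    return (int(major), int(minor), int(patch), 0, int(milestone))  # M-release


def version_status(s):
    """'affected', 'fixed', or 'not covered' for a line the advisory does not list (e.g. 8.5.x)."""
    v = parse_version(s)
    fixed = FIXED.get(v[:2])
    if fixed is None:
        return "not covered"
    return "fixed" if v >= fixed + (1, 0) else "affected"


def _local(tag):
    """Strip the XML namespace that conf/web.xml declares on every element."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_params(web_xml):
    """Init-params of the servlet backed by DefaultServlet, as a dict of strings."""
    root = ET.fromstring(web_xml)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls = next((c.text.strip() for c in servlet
                    if _local(c.tag) == "servlet-class" and c.text), "")
        if not cls.endswith(".DefaultServlet"):
            continue
        params = {}
        for ip in servlet:
            if _local(ip.tag) != "init-param":
                continue
            name = value = None
            for child in ip:
                if _local(child.tag) == "param-name":
                    name = (child.text or "").strip()
                elif _local(child.tag) == "param-value":
                    value = (child.text or "").strip()
            if name:
                params[name] = value
        return params
    return {}


def file_store_in_default_location(context_xml):
    """Heuristic: PersistentManager + FileStore with no explicit directory attribute."""
    root = ET.fromstring(context_xml)
    for mgr in root.iter("Manager"):
        if not mgr.get("className", "").endswith(".PersistentManager"):
            continue
        for store in mgr.findall("Store"):
            if store.get("className", "").endswith(".FileStore") and not store.get("directory"):
                return True
    return False


def assess(version, web_xml, context_xml):
    """Return (version status, list of satisfied preconditions). Fixed versions get no findings."""
    status = version_status(version)
    if status != "affected":
        return status, []
    p = default_servlet_params(web_xml)
    writes = p.get("readonly", "true").lower() == "false"          # default: read-only
    partial = p.get("allowPartialPut", "true").lower() != "false"   # default: enabled
    findings = []
    if writes:
        findings.append("default servlet writes enabled (readonly=false)")
    if writes and partial:
        findings.append("partial PUT enabled: file disclosure/injection preconditions met")
    if writes and partial and file_store_in_default_location(context_xml):
        findings.append("FileStore in default location: RCE precondition met if a gadget library is present")
    return status, findings


# Constructed samples for the demonstration (not real deployment files).
WEB_XML_WEAK = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""

WEB_XML_HARDENED = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>allowPartialPut</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""

CONTEXT_XML_WEAK = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore"/>
  </Manager>
</Context>"""

if __name__ == "__main__":
    for ver in ("Apache Tomcat/9.0.98", "9.0.99"):
        print(ver, assess(ver, WEB_XML_WEAK, CONTEXT_XML_WEAK))
```

Run it against your own conf/web.xml and the context.xml of each deployed application; an "affected" version with an empty findings list still needs the upgrade, but is not exposed to this issue through the conditions the advisory names.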
Conclusion
CVE-2025-24813 is being actively exploited, and CERT NZ (part of New Zealand's National Cyber Security Centre) has confirmed that a public proof of concept exists. To mitigate the risk, organizations should upgrade to Apache Tomcat 11.0.3, 10.1.35, or 9.0.99 or later, keep the default servlet read-only or disable partial PUT where writes are needed, monitor for PUT requests carrying Content-Range headers to paths served by the default servlet, and apply security patches promptly. As Apache Tomcat is widely used, keeping systems updated is the surest way to avoid the remote code execution, information disclosure, and content corruption this flaw enables.