Critical Apache Tomcat RCE Vulnerability Exploited Just 30 Hours After Public Exploit Release


Security researchers have confirmed that a critical remote code execution (RCE) vulnerability in Apache Tomcat, tracked as CVE-2025-24813, is being actively exploited in the wild.

The vulnerability, which enables attackers to take control of servers with a simple PUT request, was disclosed last week, and proof-of-concept exploits were published on GitHub merely 30 hours later.

The critical flaw affects multiple versions of Apache Tomcat: 11.0.0-M1 to 11.0.2, 10.1.0-M1 to 10.1.34, and 9.0.0.M1 to 9.0.98. First disclosed by Apache on March 10, 2025, the vulnerability allows attackers to view or inject arbitrary content on security-sensitive files under specific conditions.

Wallarm security researchers have confirmed active exploitation attempts, warning that traditional security tools fail to detect these attacks because the PUT requests appear normal and malicious content is obfuscated using base64 encoding.

Exploitation Mechanism

The attack leverages Tomcat’s default session persistence mechanism along with its support for partial PUT requests in a two-step process:

Step 1: Uploading Malicious Code

The attacker sends a PUT request containing a base64-encoded serialized Java payload, which gets saved to Tomcat’s session storage. This request appears innocuous to most security filters, as the malicious payload is effectively hidden through encoding.

Step 2: Triggering Execution

Once the malicious file is uploaded, the attacker sends a GET request with a JSESSIONID cookie pointing to the uploaded session file. This forces Tomcat to deserialize and execute the malicious Java code, granting complete control to the attacker.

“This attack is dead simple to execute and requires no authentication,” explains Wallarm in their analysis. “The only requirement is that Tomcat is using file-based session storage, which is common in many deployments.”

Traditional Web Application Firewalls (WAFs) struggle to detect this attack for several reasons:

  1. The initial PUT request looks normal, without obvious malicious signatures
  2. Base64 encoding enables the payload to bypass pattern-based detection
  3. The attack unfolds in multiple steps, with execution occurring during deserialization
  4. Most security tools don't deeply inspect uploaded files or track multi-step attacks
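The two-step pattern described above (a PUT that lands a file, then a request whose JSESSIONID cookie names that file rather than a server-issued session) is exactly what a per-request WAF signature misses but a stateful log correlation can catch. The following script is an added example written for this article, not tooling from Wallarm or the Apache project. It assumes a hypothetical access-log layout with the client address, timestamp, request line, status and the JSESSIONID cookie value (Tomcat's AccessLogValve can emit the cookie with `%{JSESSIONID}c` in its pattern; the exact layout here is invented), and it relies on Tomcat's default session ID format of 32 upper-case hex characters, optionally followed by a `.jvmRoute` suffix in clustered deployments. The sample log lines are constructed, not captured traffic.

```python
import re
from datetime import datetime, timedelta

# Constructed log lines in an assumed layout (not real Tomcat output):
#   <client ip> [<timestamp>] "<method> <path> HTTP/1.1" <status> "<JSESSIONID cookie or ->"
SAMPLE_LOG = """\
203.0.113.5 [17/Mar/2025:10:00:01 +0000] "PUT /app/upload/x HTTP/1.1" 201 "-"
203.0.113.5 [17/Mar/2025:10:00:04 +0000] "GET /app/index.jsp HTTP/1.1" 200 "upload-x"
198.51.100.7 [17/Mar/2025:10:01:00 +0000] "GET /app/index.jsp HTTP/1.1" 200 "9A3B2C1D0E4F5A6B7C8D9E0F1A2B3C4D"
198.51.100.7 [17/Mar/2025:10:01:05 +0000] "POST /app/login HTTP/1.1" 302 "9A3B2C1D0E4F5A6B7C8D9E0F1A2B3C4D"
192.0.2.9 [17/Mar/2025:10:02:00 +0000] "GET /app/index.jsp HTTP/1.1" 200 "abc"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) "(?P<jsessionid>[^"]*)"$'
)
# Default Tomcat session ID: 32 upper-case hex chars, optionally ".<jvmRoute>".
# Deployments with a custom SessionIdGenerator must adjust this pattern.
SESSION_ID_RE = re.compile(r'^[0-9A-F]{32}(\.[\w-]+)?$')
# Correlation window between a PUT and a follow-up request from the same client.
WINDOW = timedelta(minutes=10)


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the layout."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['ts'] = datetime.strptime(rec['ts'], '%d/%b/%Y:%H:%M:%S %z')
    return rec


def is_anomalous_session_id(value):
    """True when a JSESSIONID is present but does not look like a Tomcat-issued ID."""
    return value not in ('', '-') and not SESSION_ID_RE.match(value)


def analyse(log_text):
    """Return (alert_type, client_ip, detail) tuples for suspicious activity.

    - 'put-request': any PUT; a read-only DefaultServlet should never accept one.
    - 'put-then-forged-session': a client sent a PUT and then, within WINDOW,
      a request carrying a JSESSIONID that Tomcat could not have issued.
    - 'malformed-session-id': a non-standard JSESSIONID with no preceding PUT.
    """
    alerts = []
    recent_puts = {}  # client ip -> timestamp of its most recent PUT
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec['method'] == 'PUT':
            alerts.append(('put-request', rec['ip'], rec['path']))
            recent_puts[rec['ip']] = rec['ts']
        if is_anomalous_session_id(rec['jsessionid']):
            last_put = recent_puts.get(rec['ip'])
            if last_put is not None and rec['ts'] - last_put <= WINDOW:
                alerts.append(('put-then-forged-session', rec['ip'], rec['jsessionid']))
            else:
                alerts.append(('malformed-session-id', rec['ip'], rec['jsessionid']))
    return alerts


if __name__ == '__main__':
    for alert in analyse(SAMPLE_LOG):
        print(*alert)
```

The correlation key is the client address, so the sample flags 203.0.113.5 (PUT followed three seconds later by a request with a cookie that is not a valid session ID) at the highest severity, while 192.0.2.9's odd cookie alone is reported at a lower tier. Running this against real logs requires the cookie field in the access-log pattern; without it, the PUT alert alone is still worth raising on any host where the DefaultServlet is meant to be read-only.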

User iSee857 created a GitHub repository containing exploit code. The repository features a Python script that can check for vulnerability across multiple targets.

Mitigations

Apache recommends that all users upgrade to Tomcat versions 11.0.3+, 10.1.35+, or 9.0.99+, which contain patches for CVE-2025-24813.

For organizations unable to update immediately, alternative mitigations include:

  • Reverting to the default servlet configuration (readonly="true")
  • Turning off partial PUT support
  • Avoiding storing security-sensitive files in subdirectories of public upload paths
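The first two mitigations are DefaultServlet init-params in Tomcat's web.xml: `readonly` (default `true`) and `allowPartialPut` (default `true`). Because a missing parameter silently takes its default, an audit has to compute the effective value rather than just grep for the name. The script below is an added example, not Apache or Wallarm code; it parses a constructed weak web.xml next to a hardened one and reports which of the two settings is still exposed.

```python
import xml.etree.ElementTree as ET

# Constructed example of an exposed configuration: readonly switched off,
# allowPartialPut left unset (so it keeps its default of true).
WEAK_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""

# Constructed hardened counterpart: back to read-only, partial PUT disabled.
HARDENED_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>true</param-value>
    </init-param>
    <init-param>
      <param-name>allowPartialPut</param-name>
      <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""

# Tomcat's documented defaults for the two parameters that matter here.
DEFAULTS = {'readonly': 'true', 'allowPartialPut': 'true'}


def local(tag):
    """Strip the XML namespace so the code works with javaee and jakartaee web.xml files."""
    return tag.rsplit('}', 1)[-1]


def default_servlet_params(xml_text):
    """Return the effective readonly/allowPartialPut values for the DefaultServlet."""
    root = ET.fromstring(xml_text)
    params = dict(DEFAULTS)
    for servlet in root.iter():
        if local(servlet.tag) != 'servlet':
            continue
        cls = next((c.text.strip() for c in servlet
                    if local(c.tag) == 'servlet-class' and c.text), '')
        if not cls.endswith('DefaultServlet'):
            continue
        for init_param in servlet:
            if local(init_param.tag) != 'init-param':
                continue
            name = value = None
            for child in init_param:
                if local(child.tag) == 'param-name':
                    name = (child.text or '').strip()
                elif local(child.tag) == 'param-value':
                    value = (child.text or '').strip()
            if name in params and value is not None:
                params[name] = value.lower()
    return params


def audit(xml_text):
    """Return (severity, message) findings; an empty list means both mitigations are in place."""
    params = default_servlet_params(xml_text)
    findings = []
    writable = params['readonly'] != 'true'
    if writable:
        findings.append(('high', 'DefaultServlet readonly=false: PUT/DELETE can write files into the webapp'))
    if params['allowPartialPut'] != 'false':
        severity = 'medium' if writable else 'low'
        findings.append((severity, 'allowPartialPut is not disabled: partial PUT requests are accepted'))
    return findings


if __name__ == '__main__':
    for label, xml_text in (('weak', WEAK_WEB_XML), ('hardened', HARDENED_WEB_XML)):
        print(label, audit(xml_text) or 'no findings')
```

Point `audit()` at the contents of `conf/web.xml` (and any per-application `WEB-INF/web.xml` that redefines the default servlet) rather than only the global file, since an application-level override is where `readonly=false` is most often introduced. Partial PUT on a read-only servlet is reported at low severity because it is only reachable once writes are allowed; it is still listed because the article treats disabling it as an independent mitigation.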

Security experts warn that this is likely just the beginning, as attackers will soon evolve their tactics beyond session storage exploitation. “Attackers will soon start shifting their tactics, uploading malicious JSP files, modifying configurations, and planting backdoors outside session storage. This is just the first wave,” cautions Wallarm.

The rapid exploitation of this vulnerability highlights the critical importance of proactive security measures and prompt patching in today’s threat landscape.
