A critical security vulnerability identified as CVE-2025-24813 has been discovered in Apache Tomcat, a widely used open-source Java servlet container. This flaw is actively being exploited in the wild, allowing attackers to execute arbitrary code on affected servers. The vulnerability affects the following versions:

  • Apache Tomcat 11.0.0-M1 to 11.0.2
  • Apache Tomcat 10.1.0-M1 to 10.1.34
  • Apache Tomcat 9.0.0-M1 to 9.0.98

The vulnerability arises when all of the following conditions are met:

  • Writes enabled for the default servlet (disabled by default)
  • Support for partial PUT (enabled by default)
  • A target URL for security-sensitive uploads that is a sub-directory of a target URL for public uploads
  • Attacker knowledge of the names of security-sensitive files being uploaded
  • The security-sensitive files are also being uploaded via partial PUT

Exploitation of this vulnerability allows malicious users to view or inject arbitrary content into security-sensitive files using a PUT request. Furthermore, remote code execution is possible if additional conditions are met, including the use of Tomcat’s file-based session persistence with the default storage location and the presence of a library that can be leveraged in a deserialization attack.

The Apache Tomcat team has addressed this issue in versions 9.0.99, 10.1.35, and 11.0.3. However, within 30 hours of public disclosure, a proof-of-concept (PoC) exploit was released, leading to active exploitation attempts. Security researchers have observed that attackers are leveraging Tomcat’s default session persistence mechanism along with its support for partial PUT requests. The exploit involves uploading a serialized Java session file via a PUT request and then triggering deserialization by referencing the malicious session ID in a GET request.

This attack is particularly concerning because it requires no authentication and is relatively simple to execute. The primary prerequisite is that Tomcat uses file-based session storage. While current exploits abuse session storage, there is a broader issue with partial PUT handling in Tomcat, which allows uploading practically any file anywhere. This could enable attackers to upload malicious JSP files, modify configurations, and plant backdoors outside session storage.

Mitigation Steps:

  1. Immediate Update: Administrators running affected versions of Apache Tomcat should upgrade to the fixed versions (9.0.99, 10.1.35, or 11.0.3) as soon as possible to mitigate potential threats.
  2. Disable Writes for Default Servlet: Ensure that writes are disabled for the default servlet by keeping the 'readonly' initialization parameter set to its default value of 'true'.
  3. Review Partial PUT Support: Evaluate the necessity of supporting partial PUT requests in your environment. If not required, consider disabling this feature to reduce the attack surface.
  4. Secure Session Persistence: If using Tomcat's file-based session persistence, ensure that the storage location is secured and not accessible to unauthorized users.
  5. Audit and Monitor: Regularly audit server configurations and monitor logs for unusual activities, such as unexpected PUT requests or modifications to sensitive files.
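As an added example (not code from the advisory or the Tomcat project), the following Python helpers turn steps 1 to 3 into an audit: one checks a reported Tomcat version against the affected ranges listed above, the other parses a web.xml and reports whether the DefaultServlet has writes enabled and partial PUT left on. It assumes the DefaultServlet init-param names `readonly` and `allowPartialPut` as documented in Tomcat's Default Servlet reference (verify against your version's documentation), and the sample web.xml is constructed for the demonstration.

```python
import re
import xml.etree.ElementTree as ET
# Affected ranges from the advisory: (first affected, first fixed) per Tomcat branch.
AFFECTED = {11: ("11.0.0-M1", "11.0.3"), 10: ("10.1.0-M1", "10.1.35"), 9: ("9.0.0-M1", "9.0.99")}
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")

def version_key(version: str) -> tuple:
    """Sort key for Tomcat versions; milestones (x.y.z-Mn) sort before the x.y.z GA release."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    return (int(major), int(minor), int(patch), 0 if milestone else 1, int(milestone or 0))

def is_affected_version(version: str) -> bool:
    """True if the version falls inside one of the ranges listed in the advisory."""
    key = version_key(version)
    if key[0] not in AFFECTED:
        return False  # branches the advisory does not list (e.g. 8.5) are not evaluated here
    first, fixed = AFFECTED[key[0]]
    return version_key(first) <= key < version_key(fixed)

def _local(tag: str) -> str:
    return tag.rsplit("}", 1)[-1]  # strip the XML namespace from an element tag

def default_servlet_params(web_xml: str) -> dict:
    """Collect <init-param> name/value pairs of the servlet backed by Tomcat's DefaultServlet."""
    params = {}
    for servlet in ET.fromstring(web_xml).iter():
        cls = next((c.text or "" for c in servlet if _local(c.tag) == "servlet-class"), "")
        if _local(servlet.tag) != "servlet" or not cls.strip().endswith(".DefaultServlet"):
            continue
        for ip in (c for c in servlet if _local(c.tag) == "init-param"):
            kv = {_local(c.tag): (c.text or "").strip() for c in ip}
            if "param-name" in kv:
                params[kv["param-name"]] = kv.get("param-value")
    return params

def default_servlet_risk(web_xml: str) -> dict:
    """Flag the two DefaultServlet settings behind the advisory's first two preconditions;
    absent parameters take Tomcat's documented defaults (readonly=true, allowPartialPut=true)."""
    p = default_servlet_params(web_xml)
    writes = (p.get("readonly") or "true").lower() == "false"
    partial = (p.get("allowPartialPut") or "true").lower() != "false"
    return {"writes_enabled": writes, "partial_put_enabled": partial, "writable_partial_put": writes and partial}

# Constructed sample web.xml: writes enabled and partial PUT left at its default (the risky combination).
WEAK_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"><servlet><servlet-name>default</servlet-name>
  <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
  <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param></servlet></web-app>"""
```

A `writable_partial_put` result of `True` means the first two advisory preconditions hold and the host should be treated as exposed until upgraded to a fixed release.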

Conclusion:

The active exploitation of CVE-2025-24813 underscores the critical importance of timely patch management and vigilant security practices. Organizations utilizing Apache Tomcat should prioritize the implementation of the recommended mitigation steps to protect their systems from potential compromise. Staying informed about security advisories and promptly applying updates are essential components of maintaining a robust security posture.
