Critical Apache Tomcat Vulnerability Enables Remote Code Execution

A critical security vulnerability affecting Apache Tomcat versions 9.0.0.M1 through 9.0.98, 10.1.0-M1 through 10.1.34, and 11.0.0-M1 through 11.0.2 has been identified. This flaw arises from improper handling of file paths containing internal dots, leading to potential remote code execution (RCE), information disclosure, or unauthorized content modification.

Technical Description

This critical vulnerability in Apache Tomcat allows attackers to manipulate uploaded files via partial PUT requests, leading to remote code execution (RCE), information disclosure, or unauthorized file modifications. The flaw arises from improper validation of file paths containing internal dots (..), enabling attackers to bypass security controls. The vulnerability is exploitable when the default servlet has write permissions (readonly="false") and partial PUT requests are enabled, allowing attackers to append or overwrite sensitive files within publicly writable directories.

If Tomcat’s file-based session persistence is active, attackers can upload malicious serialized Java objects, triggering deserialization-based RCE via a crafted GET request, leading to full server compromise. Within 30 hours of disclosure, PoC exploits emerged, and active attacks were reported, putting unpatched systems at immediate risk. Given Tomcat’s widespread use in enterprise environments and cloud platforms, this vulnerability could cause data breaches, service disruptions, and security failures.

Impact

The exploitation of CVE-2025-24813 can have severe consequences: if an attacker successfully manipulates security-sensitive files, they can alter critical configurations, inject malicious code, or compromise authentication mechanisms. In cases where file-based session persistence is enabled, the vulnerability allows an attacker to upload malicious serialized Java objects, leading to full server compromise upon deserialization. A successful attack could disrupt business operations, expose confidential data, and lead to compliance violations. Given that exploitation has already been observed in the wild, organizations running affected Tomcat versions must apply mitigations immediately to prevent potential breaches.

IOC and Context Details

Tactic Name:            Initial Access / Persistence
Technique Name:         Exploitation of Public-Facing Application
Sub-Technique Name:     File Upload Vulnerability via Partial PUT Request
Attack Type:            Remote Code Execution (RCE), Unauthorized File Modification, Information Disclosure
Targeted Applications:  Apache Tomcat (Versions 9.0.0-M1 to 9.0.98, 10.1.0-M1 to 10.1.34, 11.0.0-M1 to 11.0.2)
Region Impacted:        Global
Industry Impacted:      All
IOCs:                   NA
CVE:                    CVE-2025-24813

Recommended Actions

To mitigate, administrators must:

  • Upgrade Tomcat to a fixed release (9.0.99, 10.1.35, or 11.0.3)
  • Set readonly="true" on the default servlet in conf/web.xml
  • Disable partial PUT requests
  • Ensure sensitive files are not stored in publicly writable directories
  • Monitor for suspicious PUT requests and deploy intrusion detection/prevention rules to block exploitation attempts.

References