
A critical vulnerability in Apache Tomcat, now actively exploited in the wild, has landed in the CISA Known Exploited Vulnerabilities Catalog with a top-tier CVSS score of 9.8. Identified as CVE-2025-24813, this remote code execution flaw puts countless web servers at risk, and it’s already being weaponized by attackers leveraging public exploit code.
This vulnerability affects Apache Tomcat versions:
- 11.0.0-M1 to 11.0.2
- 10.1.0-M1 to 10.1.34
- 9.0.0.M1 to 9.0.98
First disclosed by Apache on March 10, 2025, the bug stems from a combination of misconfigurations and dangerous defaults in Tomcat’s handling of partial PUT requests, which, under specific circumstances, allows attackers to upload and execute arbitrary code without authentication.
Here’s the attack flow:
- The attacker sends a PUT request with a base64-encoded serialized Java payload. This payload is written to Tomcat’s session storage.
- A GET request is sent with a JSESSIONID cookie pointing to the malicious session file.
- Tomcat, using its file-based session persistence, deserializes the file, triggering remote code execution.
The exploit is stealthy: base64 encoding obfuscates the payload, and most traditional security tools treat PUT requests as harmless unless configured otherwise. Wallarm researchers, who first confirmed live exploitation, described the attack as “dead simple to execute”, and warned that default server settings make many deployments vulnerable out of the box.
This vulnerability is not just about a specific flaw—it’s about a pattern of risk. According to Wallarm, the real concern is Tomcat’s flawed partial PUT logic, which could lead to a broader class of RCE vulnerabilities if left unaddressed.
This vulnerability isn’t universally exploitable. It requires a confluence of specific configurations:
- Writable Default Servlet (readonly="false"): This is typically disabled, but if enabled, it opens a door.
- Partial PUT Support (Enabled by Default): This is the crucial ingredient, allowing segmented file uploads.
- Security-Sensitive Files in Public Subdirectories: Poor file management practices exacerbate the risk.
- Known File Names: Attackers need to know the target file names.
- Partial PUT Uploads: The files must be uploaded using partial PUT requests.
Apache has released fixed versions of Tomcat:
- 11.0.3+
- 10.1.35+
- 9.0.99+
Administrators are urged to upgrade immediately. For those unable to patch right away, Apache recommends the following mitigations:
- Set readonly="true" in the default servlet to prevent uploads.
- Disable partial PUT support.
- Avoid storing sensitive files in subdirectories of public upload directories.
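The two configuration conditions listed above (a writable default servlet and partial PUT support) and the first two mitigations both come down to init-params on Tomcat's DefaultServlet. The following script is an added example, not code from the article, Wallarm or the Apache Tomcat project: it parses a web.xml, extracts the DefaultServlet's init-params and reports whether the upload preconditions are present, using a constructed weak configuration beside the mitigated one. The parameter names `readonly` and `allowPartialPut` are Tomcat's documented DefaultServlet init-params (the article names the settings but not the keys); the sample XML is constructed for the example.

```python
# Added example (not from the article or the Apache Tomcat project): audit the
# DefaultServlet init-params in a Tomcat web.xml for the two settings the
# advisory ties to the unauthenticated upload path of CVE-2025-24813.
import xml.etree.ElementTree as ET

DEFAULT_SERVLET_CLASS = "org.apache.catalina.servlets.DefaultServlet"

# Constructed sample: default servlet made writable, partial PUT left at its
# Tomcat default (enabled). This is the weak configuration.
WEAK_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""

# Constructed sample: the mitigated configuration from the article's advice,
# readonly forced back to true and partial PUT switched off explicitly.
HARDENED_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>true</param-value>
    </init-param>
    <init-param>
      <param-name>allowPartialPut</param-name>
      <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""


def _local(tag: str) -> str:
    """Strip the XML namespace ("{uri}name" -> "name") so the parser works for
    both the Java EE (Tomcat 9) and Jakarta EE (Tomcat 10/11) web.xml schemas."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_params(web_xml: str) -> dict:
    """Return {param-name: param-value} for every <servlet> whose class is the
    DefaultServlet. An empty dict means the file declares no DefaultServlet
    (e.g. an application web.xml that inherits conf/web.xml unchanged)."""
    root = ET.fromstring(web_xml)
    params = {}
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        servlet_class = None
        found = {}
        for child in servlet:
            name = _local(child.tag)
            if name == "servlet-class":
                servlet_class = (child.text or "").strip()
            elif name == "init-param":
                pname = pvalue = None
                for sub in child:
                    if _local(sub.tag) == "param-name":
                        pname = (sub.text or "").strip()
                    elif _local(sub.tag) == "param-value":
                        pvalue = (sub.text or "").strip()
                if pname is not None:
                    found[pname] = pvalue
        if servlet_class == DEFAULT_SERVLET_CLASS:
            params.update(found)
    return params


def audit_default_servlet(web_xml: str) -> list:
    """Report the precondition findings for the upload path. Absent params take
    Tomcat's documented defaults: readonly=true, allowPartialPut=true."""
    p = default_servlet_params(web_xml)
    readonly = p.get("readonly", "true").lower() == "true"
    partial_put = p.get("allowPartialPut", "true").lower() == "true"
    findings = []
    if not readonly:
        findings.append("default servlet is writable (readonly=false): PUT uploads accepted")
    if partial_put:
        findings.append("partial PUT enabled (allowPartialPut absent or true)")
    if not readonly and partial_put:
        findings.append("both upload preconditions present: upgrade, or set readonly=true")
    return findings


def is_upload_path_exposed(web_xml: str) -> bool:
    """True only when the writable servlet and partial PUT coincide."""
    p = default_servlet_params(web_xml)
    return (p.get("readonly", "true").lower() != "true"
            and p.get("allowPartialPut", "true").lower() == "true")


if __name__ == "__main__":
    for label, xml in (("weak", WEAK_WEB_XML), ("hardened", HARDENED_WEB_XML)):
        print(label, audit_default_servlet(xml) or ["no findings"])
```

Run it against `conf/web.xml` first, since that is where the DefaultServlet is declared for every deployed application, and then against each application's `WEB-INF/web.xml`, which can re-declare the servlet and override those values. A clean audit only removes the upload precondition; it does not replace the upgrade to a fixed version.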
CISA has mandated that all Federal Civilian Executive Branch (FCEB) agencies apply the patch by April 22, 2025, citing confirmed in-the-wild exploitation.