Tomcat Flaw CVE-2025-24813 Exploited in the Wild, PoC Released

A critical remote code execution (RCE) vulnerability, CVE-2025-24813, is now being actively exploited in the wild, allowing attackers to take over vulnerable Apache Tomcat servers with a single PUT API request, according to a report from Wallarm.

The exploit, originally published by a user on a Chinese forum, leverages Tomcat’s default session persistence mechanism and its support for partial PUT requests. “Attackers need just one PUT API request to take over vulnerable Apache Tomcat servers,” the report emphasizes.

The attack unfolds in two steps:

1. The attacker uploads a malicious serialized Java session file via a PUT request. This request writes a file inside Tomcat’s session storage directory, storing the malicious payload on disk.
2. The attacker triggers deserialization and executes the embedded Java code by sending a GET request with the JSESSIONID pointing to the malicious session.

The vulnerability can be exploited by an unauthenticated attacker under specific conditions:

• The application has servlet write enabled (disabled by default).
• Tomcat uses file session persistence and a default storage location.
• The application contains a deserialization exploitation library.

The report highlights the ease of execution and the dangerous nature of this exploit: “This attack is dead simple to execute and requires no authentication.” The widespread use of file-based session storage in Tomcat deployments increases the potential impact.

The report also notes that the base64 encoding of the payload allows the exploit to bypass most traditional security filters, making detection challenging for Web Application Firewalls (WAFs). “Most WAFs completely miss this attack because: The PUT request looks normal and doesn’t contain obvious malicious content. The payload is base64-encoded, preventing pattern-based detection. The attack is two-step, where the harmful part only executes during deserialization. Most WAFs do not deeply inspect uploaded files or track multi-step exploits,” the report explains.

The vulnerability affects the following Apache Tomcat versions:

• 11.0.0-M1 <= Apache Tomcat <= 11.0.2
• 10.1.0-M1 <= Apache Tomcat <= 10.1.34
• 9.0.0.M1 <= Apache Tomcat <= 9.0.98

The following versions are unaffected:

• Apache Tomcat >= 11.0.3
• Apache Tomcat >= 10.1.35
• Apache Tomcat >= 9.0.99

Users who cannot immediately upgrade can take the following temporary protective measures:

1. Set the readonly parameter in the conf/web.xml file to true or comment it out (if it does not affect services).
2. Disable the PUT method and restart the Tomcat service.
3. Set org.apache.catalina.session.PersistentManager to false.

Related Posts:

• CVE-2025-24813 Flaw in Apache Tomcat Exposes Servers to RCE, Data Leaks: Update Immediately
• Apache Hadoop Command Injection Vulnerability
• Multiple RCE Vulnerabilities in Foxit PDF Reader and Editor