Critical Apache Tomcat Vulnerability Enables Remote Code Execution

A critical security vulnerability affecting Apache Tomcat versions 9.0.0.M1 through 9.0.98, 10.1.0-M1 through 10.1.34, and 11.0.0-M1 through 11.0.2 has been identified. This flaw arises from improper handling of file paths containing internal dots, leading to potential remote code execution (RCE), information disclosure, or unauthorized content modification.

Technical Description

This critical vulnerability in Apache Tomcat allows attackers to manipulate uploaded files via partial PUT requests, leading to remote code execution (RCE), information disclosure, or unauthorized file modifications. The flaw arises from improper validation of file paths containing internal dots (..), enabling attackers to bypass security controls. The vulnerability is exploitable when the default servlet has write permissions (readonly=”false”) and partial PUT requests are enabled, allowing attackers to append or overwrite sensitive files within publicly writable directories.

If Tomcat’s file-based session persistence is active, attackers can upload malicious serialized Java objects, triggering deserialization-based RCE via a crafted GET request, leading to full server compromise. Within 30 hours of disclosure, PoC exploits emerged, and active attacks were reported, putting unpatched systems at immediate risk. Given Tomcat’s widespread use in enterprise environments and cloud platforms, this vulnerability could cause data breaches, service disruptions, and security failures.

Impact

The exploitation of CVE-2025-24813 can have severe consequences if an attacker successfully manipulates security-sensitive files, they can alter critical configurations, inject malicious code, or compromise authentication mechanisms. In cases where file-based session persistence is enabled, the vulnerability allows an attacker to upload malicious serialized Java objects, leading to full server compromise upon deserialization. A successful attack could disrupt business operations, expose confidential data, and lead to compliance violations. Given that exploitation has already been observed in the wild, organizations running affected Tomcat versions must apply mitigations immediately to prevent potential breaches.

IOC and Context Details

Topics Details
Tactic Name Initial Access / Persistence
Technique Name Exploitation of Public-Facing Application
Sub Technique Name File Upload Vulnerability via Partial PUT Request
Attack Type Remote Code Execution (RCE), Unauthorized File Modification, Information Disclosure
Targeted Applications Apache Tomcat
Versions:
  • 9.0.0-M1 to 9.0.98
  • 10.1.0-M1 to 10.1.34
  • 11.0.0-M1 to 11.0.2
Region Impacted Global
Industry Impacted All
IOC’s NA
CVE CVE-2025-24813

Recommended Actions

To mitigate, administrators must:

  • Upgrade Tomcat (9.0.99, 10.1.35, or 11.0.3)
  • Set readonly=”true” in web.xml
  • Disable partial PUT requests
  • Ensure sensitive files are not stored in public directories
  • Monitor suspicious PUT requests and implement intrusions to prevent exploitation.

References

https://tomcat.apache.org/security-11.html

Let's Talk Today
Let's Talk Today

Reimagine possiblities that lead with agility and deliver at scale

Solutions

Digital SolutionsCloudAsset Performance ManagementMicrosoft Business ApplicationsCybersecurityIT InfrastructureManaged IT Services

Industries

Public SectorHealthcareBanking & Financial ServicesEnergy & UtilitiesEnterprisesCitiesTransportationTelecommunication

Company

About usOur HistoryGlobal PresenceAwards & RecognitionsLeadershipCorporate Social Responsibility

Insights

Resources

News & Press ReleaseEvents