Apache Tomcat has disclosed a new critical vulnerability, CVE-2025-24813, which affects multiple versions due to improper handling of partial PUT requests and path equivalence flaws. This unauthenticated remote code execution (RCE) vulnerability allows threat actors to exploit Apache Tomcat without requiring valid credentials, significantly increasing the attack surface. Once exploited, attackers can bypass security controls, overwrite files, and execute arbitrary code on vulnerable servers, posing a severe risk to organizations. The impact extends to confidentiality, integrity and availability, making this a high-priority security threat. Given its severity, the National Vulnerability Database (NVD) has assigned it a CVSS score of 9.8 (Critical). Immediate mitigation steps, such as upgrading to a patched version, disabling partial PUT support, and restricting unauthorized file uploads, are strongly recommended.

Vulnerability Type (CWE)

CWE-44 – Path Equivalence: ‘file.name‘ (Internal Dot)

Derived from Improper path equivalence checks when handling filenames with internal dots (…) and PUT requests. Incorrect path resolution allows attackers to bypass security measures, overwrite files, or achieve RCE.

CWE-502 – Deserialization of Untrusted Data

Resulting from improper input sanitization when a serialized Java session file is uploaded via a partial PUT request and subsequently triggers deserialization by referencing the malicious session ID in a GET request.

CVSS Score (NIST)

Base Score: 9.8 (Critical)

Attack Vector: Network (AV:N) The attack can be carried out remotely, HTTP PUT request uploading a Java session file. Attack Complexity: Low (AC:L) No special conditions are required for exploitation, making it easy for attackers to execute.

Privileges Required: None (PR:N) No authentication or credentials are needed for exploitation, making it accessible to any attacker. User Interaction: None (UI:N) The attack does not require victims to take any action. Scope: Unchanged (S:U) The exploit only affects the targeted system and does not extend beyond its security boundaries.

Impact on Confidentiality, Integrity and Availability (CIA):

• Confidentiality – High (C:H) Severe
• Integrity – High (I:H) Severe
• Availability – High (A:H) Severe

Impacted Apache Tomcat Versions

Vulnerable Versions	Recommended Upgrade
11.0.0-M1 to 11.0.2	11.0.3 or later
10.1.0-M1 to 10.1.34	10.1.35 or later
9.0.0.M1 to 9.0.98	9.0.99 or later

Mitigation Steps

Vulnerable versions should be upgraded to a patched version as the first and most effective step in mitigating the vulnerability. If an immediate upgrade is not feasible, this vulnerability can be temporarily mitigated by:

• Reverting to the default servlet configuration by setting readonly=”true”.
• Disabling partial PUT by modifying allowPartialPut to false in conf/web.xml.
• Blocking unauthorized PUT and DELETE requests and restricting access to sensitive directories.

Exploit Process

According to (Apache), certain conditions must be met for a threat actor to successfully perform remote code execution (RCE). All of the following must be true:

• Write permissions enabled for the default servlet (disabled by default).
• Support for partial PUT requests enabled (enabled by default).
• Application using Tomcat’s file-based session persistence with the default storage location.
• Application containing a library vulnerable to deserialization attacks.

And, if all of the following conditions are met, a threat actor can view security-sensitive files and inject malicious content into them.

• Write permissions enabled for the default servlet (disabled by default).
• Support for partial PUT requests enabled (enabled by default).
• a target URL for security sensitive uploads that was a sub-directory of a target URL for public uploads.
• Attacker knowledge of the filenames of security-sensitive uploads.
• Security-sensitive files being uploaded using partial PUT requests.

According to a DarkReading article published on March 17th, 2025, a group of Wallarm researchers in Poland detected the first attack previous to the exploit being published by a Chinese forum user, iSee857. The simplified 2-step breakdown is as follows:

1. Upload a serialized Java session file: A threat actor uploads a crafted Java session file via a PUT request. By manipulating the file name and path, they exploit a path equivalence vulnerability, allowing them to place the session file in an accessible location.
2. Trigger execution: The threat actor then sends a GET request referencing the malicious session ID, triggering the deserialization of the uploaded session file. This process can potentially lead to remote code execution (RCE).

Timeline

• March 10, 2025: CVE Assignment – NVD published the first details for CVE-2025-24813.
• March 12, 2025: Exploitation in the Wild – Attacks in the wild have been reported by IONIX.
• March 15, 2025: Proof of Concept (PoC) Released.
• March 18, 2025: Detection in Vulnerability Scanners – Detection for the vulnerability has been added to Qualys.

Feedly provides a more comprehensive timeline of events.

TTPs & IOCs

Some Tactics, Techniques, and Procedures (TTPs) associated with this CVE may trigger events within a network. The following are signs that may indicate ongoing exploitation in a network environment.

• Unusual Web Requests – Watch for unexpected PUT requests, JSP file uploads, and odd user-agents in Apache Tomcat logs.
• Suspicious File Changes – Monitor for new or modified JSP/WAR files, log tampering, and unauthorized deployments in web directories.
• Abnormal Process & Network Activity – Detect Tomcat spawning shells, new outbound connections, and privilege escalation attempts.

Centripetal’s Perspective

Centripetal is actively monitoring the development of CVE-2025-24813. We recognize the critical role Apache Tomcat plays in enterprise environments and the widespread risk this vulnerability presents. While it is considered high risk, successful remote code execution (RCE) depends on specific configuration dependencies, limiting its immediate exploitability. This pattern aligns with many previous Apache Tomcat vulnerabilities, where successful exploitation has consistently relied on particular system conditions. Given the potential for severe consequences on confidentiality, integrity, and availability, we strongly urge organizations to prioritize remediation efforts.

CleanINTERNET® leverages proactive threat intelligence to stay ahead of emerging threats like CVE-2025-24813 and the adversaries attempting to exploit it. If you are a current client of Apache Tomcat and need any assistance with this advisory, please contact support@centripetal.ai

Centripetal is also pleased to offer Penetration Testing and Vulnerability Assessment services to help organizations identify vulnerabilities and reduce risk. If interested, please contact our Professional Services team at profservs@centripetal.ai or reach out to your Centripetal Account Representative.

Resources

• https://lists.apache.org/thread/j5fkjv2k477os90nczf2v9l61fb0kkgq
• https://nvd.nist.gov/vuln/detail/CVE-2025-24813
• https://www.cve.org/CVERecord?id=CVE-2025-24813
• https://thehackernews.com/2025/03/apache-tomcat-vulnerability-comes-under.html
• https://access.redhat.com/security/cve/cve-2025-24813
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-24813
• https://github.com/absholi7ly/POC-CVE-2025-24813?tab=readme-ov-file#output
• https://www.ionix.io/blog/apache-tomcat-path-equivalence-vulnerability-cve-2025-24813/
• https://www.bleepingcomputer.com/news/security/critical-rce-flaw-in-apache-tomcat-actively-exploited-in-attacks/
• https://lab.wallarm.com/one-put-request-to-own-tomcat-cve-2025-24813-rce-is-in-the-wild/
• https://www.darkreading.com/vulnerabilities-threats/apache-tomcat-rce-vulnerability-exploit
• https://feedly.com/cve/CVE-2025-24813
• https://scrapco.de/blog/analysis-of-cve-2025-24813-apache-tomcat-path-equivalence-rce.html
• https://www.rapid7.com/blog/post/2025/03/19/etr-apache-tomcat-cve-2025-24813-what-you-need-to-know/#:~:text=Tomcat is widely deployed and,there’s no need to panic.