
The widely used server software Apache Tomcat recently disclosed CVE-2025-24813, a critical vulnerability for which, alarmingly, a proof-of-concept (PoC) exploit emerged within just 30 hours of public disclosure. Shortly thereafter, threat actors began actively exploiting the flaw to launch attacks.
This vulnerability primarily affects the following versions:
- Apache Tomcat 11.0.0-M1 to 11.0.2
- Apache Tomcat 10.1.0-M1 to 10.1.34
- Apache Tomcat 9.0.0-M1 to 9.0.98
While Apache Tomcat has released patches to address the issue, remediation is contingent upon users upgrading to the latest versions.
According to the official security advisory, the flaw allows for remote code execution (RCE) or sensitive data disclosure under specific conditions. If successfully exploited, an attacker could access confidential files or inject arbitrary content into these files via PUT requests.
In extreme scenarios, a specially crafted request could lead to full remote code execution, posing a severe threat to Apache Tomcat servers. Potential consequences include:
- Planting web shells for persistent access
- Conducting covert surveillance
- Deploying additional malicious scripts
What is particularly concerning is the astonishing speed of exploitation—a working PoC and active attacks were observed within just 30 hours of the vulnerability’s disclosure. Attackers are leveraging Apache Tomcat’s default session persistence mechanism in conjunction with its handling of specific PUT requests.
The attack unfolds in two distinct phases:
- Phase 1: Uploading a serialized Java session file
  - The attacker issues a PUT request containing a Base64-encoded, serialized Java payload, which is written to Tomcat’s session storage directory.
- Phase 2: Triggering remote code execution
  - The attacker subsequently sends a GET request referencing the malicious session ID (JSESSIONID), thereby triggering deserialization and executing the embedded payload.
This exploit is trivial to carry out and particularly dangerous because it requires no authentication whatsoever. The sole prerequisite is that Tomcat is configured to use file-based session storage. Moreover, security researchers warn that attackers may soon refine their approach, shifting tactics to upload malicious JSP files, modify configurations, and implant backdoors outside the session storage directory.
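The two-phase PUT-then-GET sequence described above leaves a trace in Tomcat's access log, which is where a defender can hunt for it. The following script is an added example written for this article, not code from the original post or from the Apache Tomcat project: it parses lines in Tomcat's default AccessLogValve `common` pattern (`%h %l %u %t "%r" %s %b`) and flags any client whose PUT request the server accepted (2xx status) and that was followed by a GET from the same client within a short window. The log lines, addresses, paths and the ten-minute window are constructed for illustration and are assumptions, not observed attack data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Tomcat's AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<bytes>\S+)$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not
    match the common pattern (a truncated or differently formatted line)."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    rec["status"] = int(rec["status"])
    return rec


def find_put_then_get(lines, window=timedelta(minutes=10)):
    """Flag clients whose accepted PUT (2xx) is followed by a GET within
    `window`, the two-phase order described in the article. Each accepted
    PUT is reported at most once and then retired."""
    pending = defaultdict(list)  # client address -> accepted PUTs not yet matched
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "PUT" and 200 <= rec["status"] < 300:
            pending[rec["host"]].append(rec)
        elif rec["method"] == "GET" and pending[rec["host"]]:
            still_pending = []
            for put in pending[rec["host"]]:
                gap = rec["time"] - put["time"]
                if timedelta(0) <= gap <= window:
                    alerts.append({
                        "host": rec["host"],
                        "put_path": put["path"],
                        "get_path": rec["path"],
                        "seconds": gap.total_seconds(),
                    })
                elif gap < timedelta(0):  # out-of-order line; keep for later
                    still_pending.append(put)
                # PUTs older than the window are dropped
            pending[rec["host"]] = still_pending
    return alerts


# Constructed sample log lines (not real traffic) in the common pattern.
SAMPLE_LOG = [
    '203.0.113.9 - - [12/Mar/2025:09:00:01 +0000] "PUT /app/data HTTP/1.1" 201 -',
    '203.0.113.9 - - [12/Mar/2025:09:00:04 +0000] "GET /app/ HTTP/1.1" 200 532',
    '198.51.100.4 - - [12/Mar/2025:09:01:10 +0000] "GET /app/index.jsp HTTP/1.1" 200 1873',
    '198.51.100.4 - - [12/Mar/2025:09:01:12 +0000] "PUT /app/data HTTP/1.1" 403 -',
    '198.51.100.4 - - [12/Mar/2025:09:01:15 +0000] "GET /app/ HTTP/1.1" 200 532',
    'not an access log line',
]

if __name__ == "__main__":
    for alert in find_put_then_get(SAMPLE_LOG):
        print(f"{alert['host']}: PUT {alert['put_path']} then GET "
              f"{alert['get_path']} {alert['seconds']:.0f}s later")
```

On the sample, only the first client is flagged: its PUT was accepted with 201 and a GET followed three seconds later, whereas the second client's PUT was refused with 403. In practice an accepted PUT against a Tomcat instance that has no legitimate reason to accept uploads is worth an alert on its own, independent of whether a GET follows.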
Apache Tomcat versions 9.0.99, 10.1.35, and 11.0.3 have already patched this vulnerability. Organizations relying on Tomcat are strongly urged to upgrade immediately to mitigate the risk.
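To decide quickly whether an instance falls inside the affected ranges listed above and which release fixes it, here is an added example written for this article rather than taken from the original post or from the Apache Tomcat project. It reads the version string printed by `org.apache.catalina.util.ServerInfo` (for example `Server version: Apache Tomcat/10.1.34`), handles milestone builds such as `11.0.0-M1` by sorting them before the GA release of the same number, and reports the patched version from the advisory. The ranges and fixed versions are exactly those stated on this page; the sample strings in the block are constructed.

```python
import re

# Affected ranges and the releases that fix them, as listed in the advisory
# summary above: (first affected, last affected, first fixed) per branch.
AFFECTED_RANGES = {
    11: ("11.0.0-M1", "11.0.2", "11.0.3"),
    10: ("10.1.0-M1", "10.1.34", "10.1.35"),
    9: ("9.0.0-M1", "9.0.98", "9.0.99"),
}

# Matches "11.0.2", "11.0.0-M1" and the dotted milestone form "9.0.0.M1".
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:[-.]M(\d+))?")


def parse_version(text):
    """Extract a Tomcat version from free text such as
    'Server version: Apache Tomcat/10.1.34' and return a sortable tuple.

    Milestone builds (-M1, -M2, ...) precede the GA release of the same
    number, so their fourth element is the milestone number while GA
    releases get infinity: (11, 0, 0, 1) < (11, 0, 0, inf) < (11, 0, 1, inf).
    """
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no Tomcat version found in {text!r}")
    major, minor, patch, milestone = m.groups()
    rank = int(milestone) if milestone is not None else float("inf")
    return (int(major), int(minor), int(patch), rank)


def assess(text):
    """Return (affected, fixed_in) for the version found in `text`.

    fixed_in is the first patched release of that branch, or None when the
    branch is not in the advisory's list (the list says nothing about it).
    """
    version = parse_version(text)
    entry = AFFECTED_RANGES.get(version[0])
    if entry is None:
        return False, None
    first, last, fixed = entry
    affected = parse_version(first) <= version <= parse_version(last)
    return affected, fixed


if __name__ == "__main__":
    # Constructed sample inputs in the format printed by
    # `java -cp lib/catalina.jar org.apache.catalina.util.ServerInfo`.
    for line in ("Server version: Apache Tomcat/10.1.34",
                 "Server version: Apache Tomcat/10.1.35",
                 "Server version: Apache Tomcat/11.0.0-M1",
                 "Server version: Apache Tomcat/9.0.99"):
        affected, fixed = assess(line)
        print(f"{line!r}: affected={affected}, first fixed release={fixed}")
```

Run `java -cp lib/catalina.jar org.apache.catalina.util.ServerInfo` from the Tomcat installation directory and pipe its `Server version:` line into `assess`; a result of `(True, "10.1.35")` means the instance is inside the affected range and names the release to move to. A branch the advisory does not list comes back as `(False, None)`, which only means the page makes no statement about it.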
Failure to patch in time could prove catastrophic—if attackers have already established a persistent backdoor, merely upgrading the server will not be sufficient to neutralize the threat. Act now before it’s too late.