Active Exploitation of Apache Tomcat CVE-2025-24813 Vulnerability

By Christian Mary Lagua on April 4, 2025

Executive Summary

On March 10, 2025, a critical remote code execution vulnerability was found in Apache Tomcat. Identified as CVE-2025-24813, the vulnerability arises from how the server handles partial PUT requests when certain conditions are met. Applying the latest security patches mitigates the issue in affected versions of the web server.

Background

Apache Tomcat is an open-source web server and Java servlet container for running Java applications [1]. CVE-2025-24813 stems from a flaw in the default servlet's write functionality, which is disabled by default. When write support is enabled, the protection against write access no longer applies, and attackers can perform unauthorized actions. If specific conditions are satisfied, partial PUT requests can be abused, potentially enabling remote code execution (RCE). However, successful exploitation requires several prerequisites, which makes the attack relatively complex to execute.

Exploitation

The exploitation of CVE-2025-24813 takes advantage of partial PUT requests. The attacker sends a PUT request to the server whose payload triggers RCE when deserialized [3]. The payload contains a Base64-encoded serialized Java object that is saved in Tomcat's session storage directory, where it waits to be deserialized. The attacker then sends a GET request with a JSESSIONID cookie pointing to the malicious session, causing the payload to be deserialized and granting access to the server.

Several conditions must be met before an attacker can achieve RCE, or read security-sensitive files and inject content into them. For RCE: the default servlet must have writes enabled, partial PUT support must be enabled, the application must use Tomcat's file-based session persistence with the default storage location, and the application must include a library that can be used in a deserialization attack. For unauthorized access to sensitive files: the default servlet must have writes enabled, partial PUT support must be enabled, the target URL must reside in a subdirectory of a public uploads directory, the attacker must know the filenames of the uploaded security-sensitive files, and those files must have been uploaded using partial PUT requests. Configurations that satisfy these conditions leave systems susceptible to compromise.

Significance and Impact

Recent active exploitation attempts related to CVE-2025-24813 have been seen across multiple countries. Since March 17, 2025, GreyNoise has observed exploitation attempts from four unique IP addresses [6]. As of April 1, 2025, that number has increased to seven, with the most recent activity originating from Switzerland (IP: 185.208.158.206) [2]. Most of these attempts have targeted systems located in the United States, Japan, India, South Korea, and Mexico. The growing number of attempts across different geographic regions is a major security concern and indicates that attacks will continue as adversaries actively seek vulnerable systems.

Mitigation

The vulnerability is fixed in Apache Tomcat versions 11.0.3, 10.1.35, and 9.0.99. If no supported update is available or updating is not possible, it is recommended to restrict access to the Tomcat server to reduce exposure. A detection script provided by Mortem can identify Apache Tomcat instances vulnerable to CVE-2025-24813 [4], and Mortem has also provided a mitigation script to harden the web server [5]. Other mitigations include monitoring logs and implementing web application firewall rules for suspicious activity. These measures reduce the likelihood of exploitation.
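As an added example (not code from this article, and not the Mortem scripts cited above), the following Python checker reads a Tomcat web.xml and context.xml and reports which of the configuration prerequisites listed under Exploitation are present: default servlet writes enabled (the readonly init-param set to false), partial PUT support (the allowPartialPut init-param, which Tomcat enables by default), and FileStore-backed session persistence. The two XML samples are constructed; the gadget-library prerequisite cannot be read from configuration and is not checked.

```python
import xml.etree.ElementTree as ET
DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"

# Constructed sample web.xml: default servlet with writes enabled (readonly=false).
WEB_XML_RISKY = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""
# Constructed sample context.xml: file-based session persistence backed by FileStore.
CONTEXT_XML_RISKY = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore"/>
  </Manager>
</Context>"""

def _local(tag):  # strip the XML namespace from a tag such as {http://...}servlet
    return tag.rsplit("}", 1)[-1]

def _children(elem):  # child tag name -> stripped text, for <servlet> and <init-param>
    return {_local(c.tag): (c.text or "").strip() for c in elem}

def default_servlet_params(web_xml):
    """Init-params of the default servlet, starting from Tomcat's shipped defaults."""
    params = {"readonly": "true", "allowPartialPut": "true"}
    for servlet in ET.fromstring(web_xml).iter():
        fields = _children(servlet) if _local(servlet.tag) == "servlet" else {}
        if fields.get("servlet-class") != DEFAULT_SERVLET and fields.get("servlet-name") != "default":
            continue
        for ip in (c for c in servlet if _local(c.tag) == "init-param"):
            kv = _children(ip)
            params[kv.get("param-name", "")] = kv.get("param-value", "")
    return params

def uses_file_store(context_xml):
    """True when session persistence uses FileStore (its directory attribute is not evaluated)."""
    return any(_local(e.tag) == "Store" and e.get("className", "").endswith(".FileStore")
               for e in ET.fromstring(context_xml).iter())

def assess(web_xml, context_xml):
    """Configuration preconditions for CVE-2025-24813 that are present; a gadget library is not checked."""
    p = default_servlet_params(web_xml)
    checks = [
        (p["readonly"].lower() == "false", "default servlet writes enabled (readonly=false)"),
        (p["allowPartialPut"].lower() == "true", "partial PUT support enabled (allowPartialPut=true)"),
        (uses_file_store(context_xml), "file-based session persistence configured (FileStore)"),
    ]
    return [msg for hit, msg in checks if hit]
```

An empty list from assess() means none of the three configuration prerequisites is visible; patching to the fixed versions remains the actual remedy, and this check only narrows down which unpatched instances are exposed.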

Conclusion

Active exploitation has turned CVE-2025-24813 into a much broader threat. On vulnerable Apache Tomcat systems it enables RCE, unauthorized access to sensitive information, and the execution of malicious code. Exploitation attempts have increased across multiple regions. Applying the latest patches and proactive security mitigations prevents further compromise.

References

[1] Akamai Security Intelligence Group. (2025, March 20). “Detecting and Mitigating Apache Tomcat CVE-2025-24813.” Akamai. https://www.akamai.com/blog/security-research/march-apache-tomcat-path-equivalence-traffic-detections-mitigations

[2] GreyNoise. (2025, March). “Apache Tomcat partial PUT CVE-2025-24813 RCE Attempt.” GreyNoise. https://viz.greynoise.io/tags/apache-tomcat-partial-put-cve-2025-24813-rce-attempt?days=1

[3] Insikt Group. (2025, March 28). “Apache Tomcat: CVE-2025-24813.” Recorded Future. https://www.recordedfuture.com/blog/apache-tomcat-cve-2025-24813-vulnerability-analysis

[4] Mortem. (2025, March 18). “CVE-2025-24813: Detect Apache Tomcat RCE.” Vicarius. https://www.vicarius.io/vsociety/posts/cve-2025-24813-detect-apache-tomcat-rce

[5] Mortem. (2025, March 18). “CVE-2025-24813: Mitigate Apache Tomcat RCE.” Vicarius. https://www.vicarius.io/vsociety/posts/cve-2025-24813-mitigate-apache-tomcat-rce

[6] Stone, N. (2025, March 20). “GreyNoise Observes Active Exploitation of Critical Apache Tomcat RCE Vulnerability (CVE-2025-24813).” GreyNoise. https://www.greynoise.io/blog/active-exploitation-critical-apache-tomcat-rce-vulnerability-cve-2025-24813