Apache Tomcat Vulnerability Exploited to Execute Malicious Arbitrary Code on Servers

A critical remote code execution (RCE) vulnerability, tracked as CVE-2025-24813, is being actively exploited in Apache Tomcat servers.

Critical RCE Flaw in Apache Tomcat

The flaw allows attackers to upload malicious files via unauthenticated HTTP PUT requests, followed by a GET request to trigger deserialization, leading to arbitrary code execution.

Affected versions include Tomcat 9.0.0-M1 to 9.0.98, 10.1.0-M1 to 10.1.34, and 11.0.0-M1 to 11.0.2.

Patched versions (9.0.99, 10.1.35, and 11.0.3) were released, but exploitation began within 30 hours of disclosure, with proof-of-concept (PoC) exploits circulating publicly.

Exploitation and Attack Patterns

Attackers leverage partial PUT requests to upload serialized payloads to writable directories, often targeting file-based session persistence.

Successful exploitation requires non-default configurations, such as enabled default servlet write permissions and deserialization-vulnerable libraries.

GreyNoise observed attacks originating from Latvia, Italy, the U.S., and China, with 70% targeting U.S. systems.

According to the Report, payloads are often obfuscated with Base64 to evade detection.

Organizations should upgrade to patched versions or disable partial PUT support and restrict write permissions.

Monitoring for unexpected JSP files or PUT/GET requests in logs is advised.

Security firms like Akamai and Cloudflare note that exploitation requires specific server configurations, limiting widespread impact.

However, the ease of exploitation and Tomcat’s widespread use make this a high-priority threat.

Find this News Interesting! Follow us on Google News, LinkedIn, and X to Get Instant Updates!