Summary
CVE-2025-24813 is a critical unauthenticated remote code execution (RCE) vulnerability in Apache Tomcat’s partial PUT feature. Exploitation enables attackers to execute arbitrary code on affected servers under specific, non-default configurations. Immediate patching or mitigation is required to prevent compromise of business-critical systems.
Urgent Actions Required
- Upgrade Apache Tomcat to a fixed version: 9.0.99+, 10.1.35+, or 11.0.3+
- Disable partial PUT requests in conf/web.xml
- Set the default servlet to read-only
- Disable file-based session persistence if unused
- Restrict file and directory permissions
Which Systems Are Vulnerable to CVE-2025-24813?
Technical Overview
- Vulnerability Type: Remote Code Execution (RCE) via HTTP Partial PUT Path Equivalence Bypass
- Affected Software/Versions:
  - Apache Tomcat 11.0.0-M1 to 11.0.2
  - Apache Tomcat 10.1.0-M1 to 10.1.34
  - Apache Tomcat 9.0.0.M1 to 9.0.98
  - Apache Tomcat 8.5.0 to 8.5.98 and 8.5.100 (8.5.99 is not affected)
- Attack Vector: Network/Remote (unauthenticated HTTP PUT and GET requests)
- CVSS Score: 9.8
- CVSS Base Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
- Patch Availability: Yes; see the Apache Tomcat 11 vulnerabilities page at https://tomcat.apache.org/security-11.html
How Does the CVE-2025-24813 Exploit Work?
The attack typically follows these steps:
What Causes CVE-2025-24813?
Vulnerability Root Cause:
This flaw is caused by Apache Tomcat mishandling partial PUT requests: when it builds the temporary filename for the uploaded content, it replaces path separators with dots, which attackers abuse to save files outside the intended folders. If file-based session storage is enabled, they can upload a malicious serialized Java object as a session file. When Tomcat reads (deserializes) that file, it executes the embedded code, giving attackers remote control over the server.
How Can You Mitigate CVE-2025-24813?
If immediate patching is delayed or not possible:
- Disable partial PUT requests by modifying conf/web.xml so that file uploads via partial PUT are no longer accepted.
- Set the DefaultServlet readonly init-param to true in conf/web.xml to block write operations (PUT and DELETE).
- Disable file-based session persistence if your application does not require it.
- Monitor and block suspicious HTTP PUT and GET requests, especially those targeting session storage, using Web Application Firewalls (WAF) or load balancers.
- Restrict access to Apache Tomcat servers to trusted networks only.
- Regularly review access logs for unusual PUT or GET requests, which may indicate possible exploit attempts.
- Implement strict file and directory permission controls to limit unauthorized file modifications.
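As an added example (not the page's or Tomcat's own code), a small Python audit that parses conf/web.xml and checks the two DefaultServlet settings the list above calls for: the readonly init-param, and the allowPartialPut init-param, which is the documented DefaultServlet parameter that disables partial PUT. Both web.xml snippets are constructed samples.

```python
# Audit a Tomcat conf/web.xml for the two DefaultServlet settings that gate
# CVE-2025-24813: readonly must not be false and allowPartialPut must be false.
# Added example with constructed sample configs; not Tomcat's own code.
import xml.etree.ElementTree as ET

DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"


def _local(tag):  # strip the namespace: Tomcat 9 (javaee) vs 10/11 (jakartaee)
    return tag.rsplit("}", 1)[-1]


def default_servlet_params(web_xml):
    """Return {init-param name: value} for the DefaultServlet declaration, or {} if none."""
    for servlet in ET.fromstring(web_xml).iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls = next((c.text or "" for c in servlet if _local(c.tag) == "servlet-class"), "")
        if cls.strip() != DEFAULT_SERVLET:
            continue
        params = {}
        for p in servlet:
            if _local(p.tag) == "init-param":
                kv = {_local(c.tag): (c.text or "").strip() for c in p}
                params[kv.get("param-name", "")] = kv.get("param-value", "")
        return params
    return {}


def audit(web_xml):
    """Return findings; an empty list means both mitigations are in place."""
    params = default_servlet_params(web_xml)
    findings = []
    # readonly defaults to true when absent, so only an explicit false is a finding.
    if params.get("readonly", "true").lower() != "true":
        findings.append("readonly=false: PUT/DELETE can write to the webroot")
    # allowPartialPut defaults to true, so it has to be set to false explicitly.
    if params.get("allowPartialPut", "true").lower() != "false":
        findings.append("allowPartialPut not false: partial PUT requests are accepted")
    return findings


# Constructed sample: a writable DefaultServlet with partial PUT left at its default.
WEAK_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0"><servlet>
  <servlet-name>default</servlet-name>
  <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
  <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
</servlet></web-app>"""
# Hardened variant of the same file: readonly true plus allowPartialPut false.
HARDENED_WEB_XML = WEAK_WEB_XML.replace(
    "<param-value>false</param-value>",
    "<param-value>true</param-value></init-param>"
    "<init-param><param-name>allowPartialPut</param-name><param-value>false</param-value>",
)
```

Run `audit()` against each server's conf/web.xml; any returned finding names the setting still to change.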
Which Assets and Systems Are at Risk?
Asset Types Affected:
- Application servers and web servers running vulnerable Apache Tomcat versions (9.0.0-M1 to 9.0.98, 10.1.0-M1 to 10.1.34, 11.0.0-M1 to 11.0.2)
- Cloud services utilizing affected Tomcat versions
Business-Critical Systems at Risk:
- Customer-facing web applications hosted on Tomcat
- API gateways and middleware services using vulnerable Tomcat instances
- E-commerce platforms relying on affected Tomcat versions
- Internal business applications such as ERP and CRM integrations
- CI/CD pipeline components dependent on Tomcat
Exposure Level:
- Internet-facing servers with default or weak configurations allowing partial PUT requests
- Internal servers with file-based session persistence enabled and write permissions on the default servlet
- Not limited to public-facing systems — internal network exposure can also lead to compromise if access controls are weak
Will Patching CVE-2025-24813 Cause Downtime?
- Patch application impact: Low to moderate, depending on how many Tomcat servers you run. Installing the patch requires a server restart, which causes a short service outage. Schedule about 15–30 minutes of maintenance per server to reduce disruption.
- Mitigation (if immediate patching is not possible): You can lower the risk by disabling partial PUT, making the DefaultServlet read-only, limiting access to trusted networks, and watching for suspicious HTTP requests at the firewall or load balancer. These are only temporary measures; systems stay vulnerable until patched.
How Can You Detect CVE-2025-24813 Exploitation?
Exploitation Signatures:
- MITRE ATT&CK Mapping:
  - T1190 – Exploit Public-Facing Application
  - T1059 – Command and Scripting Interpreter
  - T1505.003 – Server Software Component: Web Shell
Indicators of Compromise (IOCs/IOAs):
- Behavioral Indicators:
  - PUT requests with Content-Type: application/octet-stream targeting .jsp, .ser, or .war files
  - Base64-encoded Java serialized objects in HTTP request bodies
  - Access attempts to /SESSIONS.ser or unusual filenames like ..;/file.jsp
  - Unusual GET requests immediately after a PUT, carrying manipulated JSESSIONID cookies
  - Unexpected file creation or modification in Tomcat's work/, session/, or webapps/ directories
  - Tomcat process spawning a shell or script interpreter (e.g., /bin/sh, cmd.exe)
Alerting Strategy:
- Priority: High (Critical if internet-facing)
- Trigger alerts for:
  - Any PUT request with application/octet-stream targeting .jsp, .ser, or suspicious paths
  - File creation in Tomcat directories not tied to normal deployments
  - Session deserialization activity tied to new or unknown JSESSIONIDs
  - Repeated access from source IPs already on a known-IOC list
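To turn the access-log indicators above into a check that can run over real logs, here is an added Python example (not Tomcat's own tooling) that parses lines in the default AccessLogValve "common" pattern, flags requests for .ser/.jsp/.war targets or path-equivalence names such as `..;`, and raises a second alert when a GET from the same client follows such a PUT within a minute. The log lines and client addresses are constructed samples.

```python
# Scan Tomcat access-log lines (AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b)
# for the behavioural indicators listed above: requests for .ser/.jsp/.war targets or
# path-equivalence names such as "..;", and a GET from the same client shortly after
# such a PUT. Added example over constructed log lines; not Tomcat's own tooling.
import re
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
SUSPICIOUS_PATH = re.compile(r"\.(ser|jsp|war)$|\.\.;|/SESSIONS\.ser", re.IGNORECASE)
FOLLOW_UP_WINDOW = timedelta(seconds=60)


def parse_line(line):
    """Return (host, timestamp, method, path, status), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["host"], ts, m["method"], m["path"], int(m["status"])


def find_indicators(lines):
    """Return (host, kind, request) alerts; kind is 'suspicious_path' or 'get_after_put'."""
    alerts, last_put = [], {}  # last_put: host -> time of its latest suspicious PUT
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed lines are skipped rather than alerted on
        host, ts, method, path, _status = rec
        suspicious = SUSPICIOUS_PATH.search(path) is not None
        if suspicious:
            alerts.append((host, "suspicious_path", f"{method} {path}"))
        if method == "PUT" and suspicious:
            last_put[host] = ts
        elif method == "GET" and host in last_put and ts - last_put[host] <= FOLLOW_UP_WINDOW:
            alerts.append((host, "get_after_put", f"{method} {path}"))
    return alerts


# Constructed sample: ordinary traffic from one client, a PUT/GET pair from another.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Mar/2025:10:14:58 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Mar/2025:10:15:01 +0000] "PUT /uploads/SESSIONS.ser HTTP/1.1" 201 -',
    '203.0.113.5 - - [10/Mar/2025:10:15:03 +0000] "GET /uploads/..;/file.jsp HTTP/1.1" 404 -',
    '198.51.100.7 - - [10/Mar/2025:10:16:30 +0000] "PUT /api/items/42 HTTP/1.1" 204 -',
]
```

Feed `find_indicators()` the lines of a real access log (or a tail of it) and route the returned tuples to your alerting pipeline; the status code is parsed but unused, so failed and successful requests are both surfaced.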
Remediation & Response
Patch/Upgrade Instructions:
- Apache Tomcat Patch Guidance:
  - Official Security Advisory Link: https://tomcat.apache.org/security-11.html
  - Mitigation Steps if No Patch: set the default servlet to read-only, restrict external access, and implement WAF rules to block suspicious PUT requests.
  - Remediation Timeline: immediate (within 24 hours for internet-facing systems).
  - Rollback Plan: back up the Tomcat configuration and application data before patching; validate service functionality after the upgrade.
Incident Response Considerations:
- Quickly isolate affected Apache Tomcat servers to stop the attack from spreading.
- Check Tomcat logs for unusual PUT and GET requests, especially ones targeting session files or with base64-encoded data.
- Collect forensic evidence, including uploaded files, process creation logs, and modified session files (e.g., SESSIONS.ser).
- Identify signs of RCE or file modification, such as unexpected .jsp uploads or altered configuration files.
- After patching, strengthen WAF/IDS rules, disable unnecessary HTTP methods, and audit file permissions to prevent future abuse.
- Enable logging and monitoring for Tomcat session directories and webroot paths to detect re-exploitation attempts.
Compliance & Governance Notes
Standards Impacted:
- ISO 27001 control A.12.6.1
- NIST 800-53 SI-2
- PCI-DSS Requirement 6.2
- HIPAA Security Rule 164.308(a)(8)
- GDPR Article 32
Audit Trail Requirement:
Log all HTTP PUT/GET requests, session file access, and administrative changes to Tomcat configuration.
Policy Alignment:
Review and update web server hardening policies to enforce least privilege and restrict write access to servlets.
Where Can I Find More Information on CVE-2025-24813?
CVSS Breakdown Table
| Metric | Value | Description |
|---|---|---|
| Base Score | 9.8 (Critical) | Critical severity with maximum impact and minimal exploit complexity |
| Attack Vector | Network | Exploitable over the network without physical access |
| Attack Complexity | Low | Exploitation requires no special conditions |
| Privileges Required | None | A remote attacker does not need any privileges |
| User Interaction | None | No user interaction is necessary to trigger the exploit |
| Scope | Unchanged | Impact is contained within Tomcat and does not expand to other components |
| Confidentiality Impact | High | Can lead to full data exposure |
| Integrity Impact | High | Enables unauthorized modification or injection of content |
| Availability Impact | High | May result in system compromise or denial of service |