
Mar 17, 2025 | Ravie Lakshmanan | Vulnerability / Web Security

A recently disclosed security flaw in Apache Tomcat has been actively exploited in the wild, just 30 hours after a public proof-of-concept was released.

The vulnerability, identified as CVE-2025-24813, affects the following versions of Apache Tomcat:

  • Apache Tomcat 11.0.0-M1 to 11.0.2
  • Apache Tomcat 10.1.0-M1 to 10.1.34
  • Apache Tomcat 9.0.0-M1 to 9.0.98

This vulnerability can lead to remote code execution or information disclosure under specific conditions, including:

  • Writes enabled for the default servlet (which is disabled by default)
  • Support for partial PUT requests (which is enabled by default)
  • A target URL for security-sensitive uploads that is a sub-directory of a target URL for public uploads
  • Attacker knowledge of the names of security-sensitive files being uploaded
  • The security-sensitive files are also being uploaded via partial PUT requests

Successful exploitation of this vulnerability could allow a malicious user to view security-sensitive files or inject arbitrary content into those files using a PUT request.

Furthermore, an attacker could achieve remote code execution if the following conditions are met:

  • Writes enabled for the default servlet (disabled by default)
  • Support for partial PUT requests (enabled by default)
  • The application uses Tomcat’s file-based session persistence with the default storage location
  • The application includes a library that may be leveraged in a deserialization attack
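The version ranges and the two sets of preconditions above lend themselves to a quick offline audit. The script below is an added example, not code from the article, Wallarm or the Tomcat project: it checks a version string against the affected ranges listed above (milestone builds such as 11.0.0-M1 sort before the corresponding final release), reads the DefaultServlet's `readonly` and `allowPartialPut` init-params from a web.xml (applying Tomcat's documented defaults of true and true when unset), and looks in a context.xml for a PersistentManager backed by a FileStore, which is assumed here to be what the advisory means by file-based session persistence. The XML snippets are constructed samples, not taken from any real deployment, and the lookups are limited to the elements shown.

```python
import re
import xml.etree.ElementTree as ET

# Affected ranges from the advisory, as [first_affected, first_fixed):
# 9.0.0-M1..9.0.98 (fixed 9.0.99), 10.1.0-M1..10.1.34 (fixed 10.1.35),
# 11.0.0-M1..11.0.2 (fixed 11.0.3)
AFFECTED_RANGES = [("9.0.0-M1", "9.0.99"), ("10.1.0-M1", "10.1.35"), ("11.0.0-M1", "11.0.3")]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")

def version_key(version):
    """Turn '9.0.98' or '11.0.0-M1' into a sortable tuple; a milestone build
    sorts before the final release carrying the same number."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    return (int(major), int(minor), int(patch), 0 if milestone else 1, int(milestone or 0))

def is_affected_version(version):
    key = version_key(version)
    return any(version_key(lo) <= key < version_key(fixed) for lo, fixed in AFFECTED_RANGES)

def _local(tag):
    # Strip a namespace prefix such as {https://jakarta.ee/xml/ns/jakartaee}
    return tag.rsplit("}", 1)[-1]

def default_servlet_settings(web_xml):
    """Return (readonly, allowPartialPut) for the DefaultServlet declaration.
    Tomcat parses these with Boolean.parseBoolean: only the literal 'true'
    is true. Unset values fall back to the documented defaults (true, true)."""
    readonly, partial_put = True, True
    for servlet in ET.fromstring(web_xml).iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls = next((c.text or "" for c in servlet if _local(c.tag) == "servlet-class"), "")
        if cls.strip() != "org.apache.catalina.servlets.DefaultServlet":
            continue
        for param in servlet:
            if _local(param.tag) != "init-param":
                continue
            name = value = ""
            for c in param:
                if _local(c.tag) == "param-name":
                    name = (c.text or "").strip()
                elif _local(c.tag) == "param-value":
                    value = (c.text or "").strip().lower()
            if name == "readonly":
                readonly = value == "true"
            elif name == "allowPartialPut":
                partial_put = value == "true"
    return readonly, partial_put

def uses_file_session_store(context_xml):
    """True if a PersistentManager with a FileStore is configured (assumed here
    to be the file-based session persistence the advisory refers to)."""
    for mgr in ET.fromstring(context_xml).iter():
        if _local(mgr.tag) == "Manager" and mgr.get("className", "").endswith("PersistentManager"):
            for store in mgr:
                if _local(store.tag) == "Store" and store.get("className", "").endswith("FileStore"):
                    return True
    return False

def audit(version, web_xml, context_xml):
    """Collect the advisory's preconditions that hold for this deployment."""
    readonly, partial_put = default_servlet_settings(web_xml)
    findings = []
    if is_affected_version(version):
        findings.append("version in affected range")
    if not readonly:
        findings.append("DefaultServlet readonly=false (writes enabled)")
    if partial_put:
        findings.append("partial PUT enabled")
    if uses_file_session_store(context_xml):
        findings.append("file-based session persistence configured")
    return findings

# Constructed sample inputs (not from a real deployment): a weak and a hardened web.xml
SAMPLE_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""
HARDENED_WEB_XML = """<web-app>
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>allowPartialPut</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""
SAMPLE_CONTEXT_XML = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore"/>
  </Manager>
</Context>"""

if __name__ == "__main__":
    for finding in audit("9.0.98", SAMPLE_WEB_XML, SAMPLE_CONTEXT_XML):
        print("FINDING:", finding)
```

Run it against the real `conf/web.xml` (where the server-wide DefaultServlet is declared), any application-level `WEB-INF/web.xml` that overrides it, and the relevant `context.xml`; an empty findings list for a patched version with `readonly=true` and `allowPartialPut=false` is the state to aim for, with the upgrade being the fix that removes the dependency on configuration.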

According to an advisory released by the project maintainers last week, the vulnerability has been resolved in Tomcat versions 9.0.99, 10.1.35, and 11.0.3.

However, in a concerning development, the vulnerability is already being exploited in the wild, according to Wallarm.

“This attack exploits Tomcat’s default session persistence mechanism along with its support for partial PUT requests,” the company explained.

“The exploit works in two steps: The attacker uploads a serialized Java session file via a PUT request. The attacker triggers deserialization by referencing the malicious session ID in a GET request.”

In other words, the attacks involve sending a PUT request containing a Base64-encoded serialized Java payload that is written to Tomcat’s session storage directory, which is then executed during deserialization by sending a GET request with the JSESSIONID pointing to the malicious session.

Wallarm also noted that the vulnerability is easy to exploit and requires no authentication, with the only prerequisite being that Tomcat uses file-based session storage.

“While this exploit abuses session storage, the bigger issue is partial PUT handling in Tomcat, which allows uploading practically any file anywhere,” the company added. “Attackers will soon start shifting their tactics, uploading malicious JSP files, modifying configurations, and planting backdoors outside session storage.”

Users running affected versions of Tomcat are advised to update their instances as soon as possible to mitigate potential threats.
