Critical Remote Code Execution (RCE) Vulnerability in Apache Tomcat (CVE-2025-24813)

HawkEye Hunting Cyber Adversaries

A newly discovered critical remote code execution (RCE) vulnerability (CVE-2025-24813) has been identified in Apache Tomcat, allowing attackers to fully compromise vulnerable servers with a single PUT API request.

Impact

Attackers can leverage this vulnerability to upload malicious Java session files via a PUT request. By subsequently triggering the payload through a GET request, they can execute arbitrary code on the affected Tomcat server. Since no authentication is required, this vulnerability presents a severe risk to organizations running affected versions of Apache Tomcat.

Affected Versions

The following versions of Apache Tomcat are affected:

  • Apache Tomcat 11.0.0-M1 to 11.0.2
  • Apache Tomcat 10.1.0-M1 to 10.1.34
  • Apache Tomcat 9.0.0.M1 to 9.0.98

Vulnerability Exploitation Mechanism

The attack exploits the default session persistence mechanism and partial PUT request handling in Apache Tomcat:

  1. Malicious Session Upload: The attacker sends a PUT request containing a serialized Java session file with an embedded malicious payload. This file is stored in Tomcat’s session directory.
  2. Execution via GET Request: The attacker sends a GET request with a manipulated JSESSIONID, triggering the deserialization of the malicious session file and executing arbitrary Java code.

Exploitation Conditions

For this vulnerability to be successfully exploited, the following four conditions must be met:

  1. DefaultServlet Write Access Enabled: The application must have write functionality enabled in the DefaultServlet. By default, this feature is disabled; if it has been enabled manually, it allows attackers to write arbitrary files.
  2. Partial PUT Requests Supported: The server must support Partial PUT requests, enabling the writing of malicious serialized data into session files. This feature is enabled by default in Apache Tomcat.
  3. File-Based Session Persistence in Use: The application must rely on Tomcat’s default file-based session persistence mechanism for storing sessions. This requires additional configuration but remains a common practice in some deployments.
  4. Presence of a Vulnerable Deserialization Library: The application must include a library that contains a known deserialization vulnerability, such as commons-collections, which is often found in the classpath. If such a library is present, attackers can exploit deserialization chains to achieve remote code execution.

If all these conditions are met, an attacker can successfully exploit the vulnerability to execute arbitrary code on the affected Tomcat instance or extract sensitive data.
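As an added defender-side check (example code written for this page, not HawkEye's or the Tomcat project's), the following Python audits a deployment against the affected version ranges and conditions 1 and 3 above. It assumes the standard conf/web.xml and context.xml layouts, that DefaultServlet write access is switched by the readonly init-param (which defaults to true), and that file-based persistence means a PersistentManager with a FileStore; the sample XML fragments are constructed, and conditions 2 and 4 are not checked.

```python
import re
import xml.etree.ElementTree as ET

FIXED_PATCH = {(11, 0): 3, (10, 1): 35, (9, 0): 99}  # first fixed release per line (advisory above)

def parse_version(v):
    """'9.0.0.M1', '10.1.0-M1' or '11.0.2' -> comparable tuple; milestones sort below the GA release."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {v!r}")
    major, minor, patch, ms = m.groups()
    return (int(major), int(minor), int(patch), int(ms) if ms else float("inf"))

def is_affected(version):
    """True for every release below the first fixed one in its line; other lines are out of scope here."""
    major, minor, *_ = parse_version(version)
    fixed = FIXED_PATCH.get((major, minor))
    return fixed is not None and parse_version(version) < (major, minor, fixed, 0)

_local = lambda tag: tag.rsplit("}", 1)[-1]  # drop the namespace that Tomcat's conf/web.xml declares

def default_servlet_writable(web_xml):
    """Condition 1: the DefaultServlet carries init-param readonly=false (assumed switch; default true)."""
    for servlet in ET.fromstring(web_xml).iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls, params = None, {}
        for child in servlet:
            if _local(child.tag) == "servlet-class":
                cls = (child.text or "").strip()
            elif _local(child.tag) == "init-param":
                kv = {_local(c.tag): (c.text or "").strip() for c in child}
                params[kv.get("param-name")] = kv.get("param-value")
        if cls == "org.apache.catalina.servlets.DefaultServlet":
            return params.get("readonly", "true").lower() == "false"
    return False

def file_based_persistence(context_xml):
    """Condition 3: a PersistentManager backed by a FileStore in context.xml."""
    for mgr in ET.fromstring(context_xml).iter("Manager"):
        if mgr.get("className", "").endswith("PersistentManager"):
            if any(s.get("className", "").endswith("FileStore") for s in mgr.iter("Store")):
                return True
    return False

# Constructed sample fragments (not from any real deployment) so the checks run offline.
SAMPLE_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee"><servlet>
<servlet-name>default</servlet-name><servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
<init-param><param-name>readonly</param-name><param-value>false</param-value></init-param></servlet></web-app>"""
SAMPLE_CONTEXT_XML = """<Context><Manager className="org.apache.catalina.session.PersistentManager">
<Store className="org.apache.catalina.session.FileStore"/></Manager></Context>"""
```

Run the two XML checks over the real conf/web.xml and each context.xml of the instance; a host is only exposed when the version check and all four conditions hold together.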

Mitigation Measures

Organizations are advised to upgrade Apache Tomcat immediately to a patched version:

  • Apache Tomcat 11.0.3 and later
  • Apache Tomcat 10.1.35 and later
  • Apache Tomcat 9.0.99 and later

© 2025 HawkEye – Managed CSOC and XDR powered by DTS Solution. All Rights Reserved.