What conditions are required for file access/injection exploitation?

All of the following conditions must be true: 1) Writes enabled for the default servlet (disabled by default), 2) Support for partial PUT (enabled by default), 3) A target URL for security sensitive uploads that was a sub-directory of a target URL for public uploads, 4) Attacker knowledge of the names of security sensitive files being uploaded, and 5) The security sensitive files also being uploaded via partial PUT.

What conditions are required for remote code execution?

All of the following conditions must be true: 1) Writes enabled for the default servlet (disabled by default), 2) Support for partial PUT (enabled by default), 3) Application using Tomcat's file-based session persistence with the default storage location, and 4) Application including a library that may be leveraged in a deserialization attack.

Which Apache Tomcat versions are affected?

The affected versions are: Apache Tomcat 11.0.0-M1 to 11.0.2, Apache Tomcat 10.1.0-M1 to 10.1.34, and Apache Tomcat 9.0.0.M1 to 9.0.98.

How can I mitigate this vulnerability?

Users should apply one of the following mitigations: 1) Upgrade to Apache Tomcat 11.0.3 or later, 2) Upgrade to Apache Tomcat 10.1.35 or later, 3) Upgrade to Apache Tomcat 9.0.99 or later. Organizations should also check their systems, disable partial PUT, and update their servers.

Attack

Vulnerability in Apache Tomcat actively exploited

Q: What is the new Apache Tomcat vulnerability?

The vulnerability (CVE-2025-24813) is a design flaw in Apache Tomcat that could allow attackers to completely take over vulnerable servers with a single PUT API request. It has a CVSS score of 5.5 and is being actively exploited in the wild.

Q: What causes the Apache Tomcat vulnerability?

The flaw is caused by the mechanism with which Apache Tomcat processes PUT requests. The implementation used a temporary file based on the user-provided file name and path with the path separator replaced by '.'. This can be exploited through a specially crafted data stream that triggers an error in the processing of data deserialization.

Q: How does the exploit work?

The exploitation works by writing a file inside Tomcat's session storage directory. Because Tomcat automatically saves session data in files, the malicious payload becomes stored on disk, waiting to be deserialized.

Q: What are the consequences of successful exploitation?

Successful exploitation results in Remote Code Execution (RCE), complete takeover of the targeted server, ability to download and execute additional malware, and potential for lateral movement within networks.

published: March 17, 2025

Take action: If you are running Apache Tomcat, check and ideally disable partial PUT and writes enabled for the default servlet. That gives you a lot of time to apply regular patch cycle. Otherwise, plan a quick patch cycle.

Learn More

A vulnerability in Apache Tomcat that could allow attackers to completely take over vulnerable servers with a single PUT API request is being actively exploited in the wild.

The flaw is tracked as CVE-2025-24813 (CVSS score 5.5, later re-scored to 9.8) is caused by the mechanism with which the Apache Tomcat platform processes PUT requests. The implementation used a temporary file based on the user-provided file name and path with the path separator replaced by ".". This design flaw can be exploited through a specially crafted data stream that triggers an error in the processing of data deserialization.

Security researchers at Wallarm have explained that the exploitation works by writing a file inside Tomcat's session storage directory. Because Tomcat automatically saves session data in files, the malicious payload becomes stored on disk, waiting to be deserialized.

Exploit conditions

For security sensitive file access or injection, all of the following conditions must be true:

Writes enabled for the default servlet (disabled by default)
Support for partial PUT (enabled by default)
A target URL for security sensitive uploads that was a sub-directory of a target URL for public uploads
Attacker knowledge of the names of security sensitive files being uploaded
The security sensitive files also being uploaded via partial PUT

For remote code execution, all of the following conditions must be true:

Writes enabled for the default servlet (disabled by default)
Support for partial PUT (enabled by default)
Application using Tomcat's file-based session persistence with the default storage location
Application including a library that may be leveraged in a deserialization attack

Successful exploitation of this vulnerability results in remote Code Execution (RCE), complete takeover of the targeted server, ability to download and execute additional malware and potential for lateral movement within networks

Affected versions:

Apache Tomcat 11.0.0-M1 to 11.0.2
Apache Tomcat 10.1.0-M1 to 10.1.34
Apache Tomcat 9.0.0.M1 to 9.0.98

Users of affected versions should apply one of the following mitigations:

Upgrade to Apache Tomcat 11.0.3 or later
Upgrade to Apache Tomcat 10.1.35 or later
Upgrade to Apache Tomcat 9.0.99 or later

Organizations using Apache Tomcat should check their systems, disable partial PUT and update their servers

Vulnerability in Apache Tomcat actively exploited

Read More
Oracle patches actively exploited flaw in Agile PLM
A new stealth backdoor into vulnerable Confluence persists …
Vulnerable Popup Builder Wordpress plugin attacked by malware
CISA Mandates Immediate Patching for Actively Exploited SolarWinds …
F5 Warns of Critical BIG-IP APM Zero-Day Exploited …