Hackers Exploiting Apache Tomcat Servers

Threat actors are actively exploiting a critical vulnerability in Apache Tomcat, tracked as CVE-2025-24813, which could enable unauthorized remote code execution (RCE) on vulnerable servers.

The vulnerability, first disclosed on March 10, 2025, has already seen exploitation attempts beginning just 30 hours after the public release of proof-of-concept (PoC) code.

GreyNoise Intelligence has identified four unique IP addresses that have been attempting to exploit this vulnerability since March 17, 2025, with exploitation attempts observed as early as March 11. 


These attackers are leveraging a partial PUT method to inject malicious payloads, which could potentially lead to arbitrary code execution on affected systems.

“Exploitation is already underway, with attack attempts spanning multiple countries. Given Apache Tomcat’s widespread deployment, these early signs of activity suggest more exploitation is likely to follow,” security researchers warned.

Apache Tomcat Vulnerability – CVE-2025-24813

The root cause of CVE-2025-24813 lies in how Apache Tomcat handles file paths during partial PUT requests. 

When a user uploads a file, Tomcat creates a temporary file using the provided filename and path, replacing path separators with dots. 

This approach, originally intended as a security measure against path traversal, inadvertently opened a new vulnerability.

Exploitation involves two primary steps: first, an attacker sends a PUT request to upload a crafted Java session file, manipulating the file name and path to exploit the path equivalence vulnerability. 

Second, the attacker triggers deserialization of the uploaded session file by sending a GET request referencing the malicious session ID, potentially leading to remote code execution.

The vulnerability affects multiple versions of Apache Tomcat:

  • Apache Tomcat 11.0.0-M1 to 11.0.2
  • Apache Tomcat 10.1.0-M1 to 10.1.34
  • Apache Tomcat 9.0.0-M1 to 9.0.98

A summary of the vulnerability is given below:

Risk Factors / Details
  • Affected Products: Apache Tomcat 11.0.0-M1 to 11.0.2; Apache Tomcat 10.1.0-M1 to 10.1.34; Apache Tomcat 9.0.0-M1 to 9.0.98
  • Impact: Remote Code Execution (RCE)
  • Exploit Prerequisites: default servlet must have write capability enabled; partial PUT requests must be permitted; web application must use file-based session persistence; presence of a deserialization-vulnerable library
  • CVSS 3.1 Score: 9.8 (Critical)

Exploit Attempts and Targeted Regions 

Geographic analysis shows that the majority of exploit attempts have targeted systems in the United States, Japan, India, South Korea, and Mexico, with over 70% of sessions directed at U.S.-based systems. 

Researchers observed initial exploit attempts from a Latvia-based IP on March 18, followed by separate attempts on March 19 from IPs traced to Italy, the United States, and China.

Unique IPs observed

For successful exploitation, all of the following conditions must hold:

  • Writes enabled for the default servlet (disabled by default)
  • Support for partial PUT (enabled by default)
  • Application using Tomcat’s file-based session persistence with default storage location
  • Application including a library that may be leveraged in a deserialization attack
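The first two prerequisites above are controlled by two init-params of Tomcat's DefaultServlet, readonly (default true) and allowPartialPut (default true). The following script, an added example that is not from the article or from the Apache Tomcat project, parses a web.xml and reports whether both are in the exposed state; the embedded web.xml is constructed for illustration, and the script does not check the session-persistence or library prerequisites.

```python
import xml.etree.ElementTree as ET

# Constructed sample conf/web.xml (not from any real deployment): the default
# servlet has been made writable and allowPartialPut is left at its default.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
  </servlet>
</web-app>
"""

def _local(tag):
    """Strip the XML namespace so javaee and jakartaee schemas are handled alike."""
    return tag.rsplit('}', 1)[-1]

def default_servlet_put_exposure(web_xml_text):
    """Return the DefaultServlet settings relevant to CVE-2025-24813.

    Defaults mirror Tomcat's documented ones (readonly=true, allowPartialPut=true).
    'exposed' is True only when writes are enabled AND partial PUT is permitted,
    i.e. the first two prerequisites listed in the article are both met.
    """
    root = ET.fromstring(web_xml_text)
    params = {"readonly": "true", "allowPartialPut": "true"}
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        names = [c for c in servlet if _local(c.tag) == "servlet-name"]
        if not names or (names[0].text or "").strip() != "default":
            continue
        for ip in (c for c in servlet if _local(c.tag) == "init-param"):
            name = value = None
            for child in ip:
                if _local(child.tag) == "param-name":
                    name = (child.text or "").strip()
                elif _local(child.tag) == "param-value":
                    value = (child.text or "").strip().lower()
            if name in params and value is not None:
                params[name] = value
    writable = params["readonly"] == "false"
    partial_put = params["allowPartialPut"] != "false"
    return {"readonly": params["readonly"],
            "allowPartialPut": params["allowPartialPut"],
            "exposed": writable and partial_put}

if __name__ == "__main__":
    print(default_servlet_put_exposure(SAMPLE_WEB_XML))
```

Run it against both $CATALINA_BASE/conf/web.xml and each application's WEB-INF/web.xml, since either may override the default servlet's settings.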

Mitigations

To protect against CVE-2025-24813, organizations running affected versions of Apache Tomcat should:

  • Apply the latest security patches immediately
  • Monitor for unexpected PUT requests in web server logs
  • Deploy Web Application Firewall (WAF) rules to block malicious payloads
  • Track real-time exploitation activity and block malicious IPs

The NHS England National CSOC has assessed that “continued exploitation of this vulnerability is considered highly likely.” 

Organizations are urged to immediately assess their Apache Tomcat deployments and apply patches to mitigate potential RCE risks.

While the vulnerability is serious, the specific configuration requirements make broad exploitation unlikely for properly maintained systems.


Guru Baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.