
Tomcat Vulnerability Exploited in the Wild to Take Over Apache Tomcat Servers

A critical remote code execution vulnerability in Apache Tomcat (CVE-2025-24813) is actively being exploited in the wild, enabling attackers to take complete control of vulnerable servers. 

Security researchers have observed increasing exploitation attempts since the vulnerability was first disclosed earlier this month.

The vulnerability affects Apache Tomcat servers and allows unauthenticated attackers to execute arbitrary code remotely on affected systems. 

The vulnerability exists in the server’s core processing components, making it particularly dangerous for organizations running unpatched versions of the popular web application server.

“This RCE vulnerability is particularly concerning because it requires minimal user interaction to exploit successfully,” said security researcher Wei Chen.

“Once compromised, attackers gain the same privileges as the Tomcat service itself, which often runs with elevated permissions.”

Active Exploitation of the Vulnerability

According to reports, the exploit leverages a flaw in Tomcat’s request-handling mechanism. Exploitation conditions are reportedly strict, as indicated in the proof-of-concept code documentation, but attackers have already developed reliable methods to bypass these limitations.

Security firms have detected multiple exploit attempts using variations of the following command structure to identify vulnerable systems:

The published proof-of-concept code allows for both individual server testing and batch scanning of multiple targets with multi-threading capabilities.

Cybersecurity monitoring teams have observed a significant spike in scanning activity targeting Tomcat servers across various industries. 

The attacks typically begin with reconnaissance to identify vulnerable servers, followed by exploitation attempts using modified versions of the publicly available exploit code.

Security firms report aggressive scanning for vulnerable servers, particularly in financial services, healthcare, and government sectors. Post-compromise actions include deploying web shells, cryptocurrency miners, or ransomware.

Risk Factors and Details

Affected Products: Tomcat 9.0.0-M1 to 9.0.98, 10.1.0-M1 to 10.1.34, 11.0.0-M1 to 11.0.2
Impact: Complete control of vulnerable servers
Exploit Prerequisites: Servlet writes, partial PUT, session persistence, deserialization library
CVSS v3.1 Score: 8.1 (High severity)
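The affected ranges in the table are awkward to check by eye because Tomcat milestone builds (9.0.0-M1 and so on) sort before the final release of the same number. The script below is an added example, not code from the article or the Apache Tomcat project: it encodes the three ranges from the table as inclusive bounds and classifies a version string, including one pulled out of a constructed "Server version: Apache Tomcat/x.y.z" banner line (the format assumed for the output of Tomcat's bin/version.sh).

```python
import re
from typing import Tuple

# Affected version ranges exactly as listed in the article's table (inclusive bounds).
AFFECTED_RANGES = [
    ("9.0.0-M1", "9.0.98"),
    ("10.1.0-M1", "10.1.34"),
    ("11.0.0-M1", "11.0.2"),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")
_BANNER_RE = re.compile(r"Apache Tomcat/(\d+\.\d+\.\d+(?:-M\d+)?)")

# Constructed sample banner line (assumed bin/version.sh output format, for illustration only).
SAMPLE_BANNER = "Server version: Apache Tomcat/9.0.98"


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn 'major.minor.patch[-Mn]' into a sortable tuple.

    Milestone builds (9.0.0-M1, 9.0.0-M2, ...) precede the final 9.0.0 release,
    so a final release gets a milestone rank larger than any Mn.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    rank = int(milestone) if milestone else 10**6
    return int(major), int(minor), int(patch), rank


def is_affected(version: str) -> bool:
    """True if `version` falls inside any affected range from the table."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


def version_from_banner(banner: str) -> str:
    """Extract the version string from an 'Apache Tomcat/x.y.z' banner line."""
    m = _BANNER_RE.search(banner)
    if not m:
        raise ValueError("no Tomcat version found in banner")
    return m.group(1)


if __name__ == "__main__":
    ver = version_from_banner(SAMPLE_BANNER)
    verdict = "in an affected range - patch now" if is_affected(ver) else "not in the affected ranges"
    print(f"Tomcat {ver}: {verdict}")
```

Because the bounds are inclusive, 9.0.98, 10.1.34 and 11.0.2 are reported as affected while 9.0.99, 10.1.35 and 11.0.3 are not; anything outside the three major lines (for example 8.5.x) is simply not covered by the table and is reported as not affected by it.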

Mitigation Steps

Security experts recommend organizations take immediate action to protect their Apache Tomcat installations:

  • Update to the latest Tomcat version that includes patches for CVE-2025-24813
  • Implement network-level filtering to block suspicious requests
  • Enable proper logging and monitoring to detect exploitation attempts
  • Restrict Tomcat service account privileges where possible
  • Consider implementing web application firewalls as an additional layer of protection

The Apache Software Foundation has released emergency patches for all supported versions of Tomcat. 

“We strongly urge all users to update immediately given the critical nature of this vulnerability and evidence of active exploitation,” stated the Apache Tomcat security team in their advisory.

Multiple security vendors have updated their detection signatures to identify exploitation attempts related to CVE-2025-24813. 

Organizations are advised to prioritize this patch among their security updates due to the severity of the vulnerability and increasing exploitation attempts.


Guru Baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
