
I. Targeted Entities
Systems and applications using Apache Tomcat versions 11.0.0-M1 through 11.0.2, 10.1.0-M1 through 10.1.34, 9.0.0.M1 through 9.0.98.
II. Introduction
CVE-2025-24813 is a vulnerability in the Default Servlet of Apache Tomcat that can lead to remote code execution, disclosure of other users' uploaded files, or injection of attacker-controlled content into those files. The root cause is improper handling of path equivalence: different request paths were mapped onto the same file. When the Default Servlet processed a partial PUT, it derived the name of a temporary file in the web application's work directory from the request path by replacing each '/' with '.', so the paths /a/b and /a.b were written to the same temporary file. The flaw is only reachable when the Default Servlet has been configured to allow writes, and it affects the versions listed above.
III. Additional Background Information
CVE-2025-24813 is reachable only when the default servlet is configured to allow writes (its readonly init parameter set to false; the shipped default is true). It is exploited in combination with Tomcat's default support for partial PUT requests, that is, a PUT carrying a Content-Range header. In the remote code execution scenario the attacker uses a partial PUT to upload a Java-serialized object to a request path ending in .session; the temporary file Tomcat creates for the partial PUT lands in the work directory, which is also the default storage location for file-based session persistence. A subsequent request whose JSESSIONID cookie matches that file name causes Tomcat to load and deserialize the file as a session, executing the embedded payload.
While exploitation of CVE-2025-24813 can have significant impact, remote code execution requires all of the following:
- Write capability on the default servlet: the default servlet must be explicitly configured with readonly set to false; the shipped default is true.
- Partial PUT requests: the target must process partial PUT requests, which is the default behavior in the affected versions.
- File-based session persistence: the application must use Tomcat's file-based session persistence (PersistentManager with a FileStore) with the default storage location, so that session files and partial-PUT temporary files share the same writable work directory.
- Deserialization gadgets: the application's classpath must include a library that can be abused during Java deserialization, so that deserializing the uploaded session file executes the payload.
- Knowledge of file naming: the attacker must know how Tomcat names the temporary and session files (and, for the file-corruption variant, the upload paths of the targeted application) in order to make the names collide.
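The name collision at the heart of the prerequisites above, as an added illustration written for this advisory (a model of the pre-fix Tomcat naming rules, not Tomcat source code): the vulnerable DefaultServlet named a partial-PUT temporary file by replacing '/' with '.' in the request path, and FileStore reads a persisted session from the file named by the session id plus ".session", both in the work directory.

```python
"""
Model of the file-name collision behind CVE-2025-24813.

Written for this advisory as an illustration; it reproduces the two naming
rules the text describes so the collision can be seen without a running
Tomcat. The sample paths and ids below are constructed for the example.
"""
from typing import Optional

SESSION_SUFFIX = ".session"


def partial_put_temp_name(request_path: str) -> str:
    """Temp-file name the vulnerable DefaultServlet used for a partial PUT.

    Before the fix, executePartialPut replaced every '/' in the request
    path with '.' and created that file in the web application's work
    (TEMPDIR) directory. Two request paths that differ only in '/' versus
    '.' therefore collapse to one temporary file.
    """
    return request_path.replace("/", ".")


def filestore_session_name(session_id: str) -> str:
    """File name Tomcat's FileStore opens for a persisted session.

    With FileStore's default directory setting these files live in the
    same work directory as the partial-PUT temporary files.
    """
    return f"{session_id}{SESSION_SUFFIX}"


def colliding_session_id(request_path: str) -> Optional[str]:
    """JSESSIONID value for which FileStore would open the temp file that a
    partial PUT to request_path creates, or None when no such value exists.
    """
    name = partial_put_temp_name(request_path)
    if not name.endswith(SESSION_SUFFIX):
        return None
    return name[: -len(SESSION_SUFFIX)]


def share_temp_file(path_a: str, path_b: str) -> bool:
    """True when two distinct request paths are written to one temp file.

    This is the information-disclosure / corruption variant: a partial PUT
    to a path in the public upload area collides with the temp file of a
    partial PUT to a sensitive sub-directory.
    """
    return path_a != path_b and (
        partial_put_temp_name(path_a) == partial_put_temp_name(path_b)
    )


if __name__ == "__main__":
    # RCE chain: a partial PUT to /poc.session becomes work/.poc.session,
    # which FileStore opens for a request carrying JSESSIONID=.poc.
    print(partial_put_temp_name("/poc.session"), colliding_session_id("/poc.session"))
    # Corruption chain: a public upload path and a path in a sensitive
    # sub-directory share the same temporary file.
    print(share_temp_file("/uploads/private/report.pdf", "/uploads/private.report.pdf"))
```

The fixed releases no longer derive the temporary file name from the request path, which is why upgrading removes the collision regardless of the application's session configuration.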
IV. MITRE ATT&CK
- T1006 – Direct Volume Access (formerly named File System Logical Offsets)
T1006 describes adversaries accessing a storage volume directly in order to bypass file access controls and file system monitoring. The mapping to CVE-2025-24813 is loose: the vulnerability involves neither symbolic links nor raw volume access, but it does let an attacker manipulate file paths so that a write to one path affects a different, unintended file, which is the aspect this advisory maps to T1006. Exploitation of an Internet-facing Tomcat server is more directly described by T1190 – Exploit Public-Facing Application.
V. Recommendations
To mitigate attacks leveraging this vulnerability, these are the recommendations for CVE-2025-24813:
Upgrading Apache Tomcat to a Patched Version
Upgrade immediately to:
- Tomcat 9.0.99 or later (for the 9.x series)
- Tomcat 10.1.35 or later (for the 10.1.x series)
- Tomcat 11.0.3 or later (for the 11.x series)
These releases change how the temporary files used for partial PUT requests are named and stored, closing the path equivalence issue that could be exploited for remote code execution or file manipulation.
Disabling Partial PUT Support
Partial PUT lets a client send part of a resource by including a Content-Range header with a PUT request. The affected versions have no switch to turn partial PUT off on its own, so the options are:
- Keep the default servlet read-only (its readonly init parameter at the default of true), which rejects all PUT requests to it.
- Add a security-constraint in web.xml (or a servlet filter) that rejects PUT and other write methods for applications that do not need them.
- After upgrading, set the default servlet's allowPartialPut init parameter to false if partial PUT is not required.
The vulnerability depends on partial PUT processing to create the colliding temporary file; if partial PUT requests are not processed, this attack vector is closed.
Restricting Default Servlet Write Permissions
Ensure that the default servlet (the part of Tomcat that serves static files) cannot accept uploads or write to the web application's directories:
- Run Tomcat under a dedicated low-privilege account and tighten file system ownership and permissions (chown, chmod) on CATALINA_HOME and CATALINA_BASE so that the account can write only where it must (typically logs, temp and work).
- Keep the webapps directory and static content directories read-only to the Tomcat account unless writes are absolutely necessary.
- Review the DefaultServlet <init-param> entries in conf/web.xml and in each application's web.xml: readonly must be true (the default); treat any readonly set to false as a finding.
If the default servlet can write, attackers could upload or modify arbitrary files, leading to defacement, data theft, or execution of malicious scripts.
Enforcing Strong Web Application Firewall (WAF) Policies
Deploy or tune your WAF to:
- Detect and block unexpected PUT, PATCH, or malformed HTTP methods, in particular PUT requests that carry a Content-Range header or whose path contains .session.
- Flag requests targeting .jsp, .war, or other sensitive file types outside their expected locations.
A WAF is an additional protective layer that can stop attack traffic while Tomcat is not yet patched or is misconfigured; it does not replace the upgrade.
Monitoring Server Logs Aggressively
Continuously monitor the Tomcat access log (AccessLogValve output, by default logs/localhost_access_log.*.txt), catalina.out and the host's security logs for:
- Unexpected PUT or PATCH requests, regardless of the response code.
- Requests whose path contains .session, and new .session files appearing in the work directory.
- External requests targeting .jsp files in unusual locations.
Early detection allows you to respond before an intrusion escalates. Tools such as Splunk, the ELK stack, or Wazuh make log review and analysis efficient and can raise alerts on these anomalies.
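The log checks listed above, run over sample access-log lines, as an added detection example written for this advisory (not from its sources). It parses Tomcat's default "common" AccessLogValve pattern (%h %l %u %t "%r" %s %b); the log lines and the static-content prefixes are constructed for the example.

```python
"""
Flag CVE-2025-24813-style activity in Tomcat access-log lines.

Added example for this advisory. The SAMPLE_LOG entries and the
STATIC_PREFIXES list are constructed/hypothetical; adjust the prefixes to
the application's real layout.
"""
import re
from typing import Optional

# Tomcat's default AccessLogValve pattern "common": %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)$'
)

# Methods that modify content; none should reach a static-content servlet.
WRITE_METHODS = {"PUT", "PATCH", "DELETE", "MKCOL", "MOVE", "COPY"}

# Hypothetical locations that should only ever serve static files.
STATIC_PREFIXES = ("/uploads/", "/static/", "/images/")

# Constructed sample lines. The PUT gets a 409 here on purpose: the
# vulnerable servlet creates the temporary file before the final write is
# attempted, so the response code is not a reliable indicator and a write
# method is flagged regardless of status.
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Mar/2025:10:15:32 +0000] "PUT /poc.session HTTP/1.1" 409 -',
    '203.0.113.7 - - [25/Mar/2025:10:15:33 +0000] "GET /index.jsp HTTP/1.1" 200 2048',
    '198.51.100.4 - - [25/Mar/2025:10:16:01 +0000] "GET /uploads/cmd.jsp?c=id HTTP/1.1" 200 77',
    '198.51.100.4 - - [25/Mar/2025:10:16:02 +0000] "GET /static/logo.png HTTP/1.1" 200 4501',
    '192.0.2.9 - - [25/Mar/2025:10:17:45 +0000] "PATCH /api/items/1 HTTP/1.1" 405 -',
    'not an access log line',
]


def parse_line(line: str) -> Optional[dict]:
    """Split one access-log line into its fields; None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def suspicious_reasons(entry: dict, static_prefixes=STATIC_PREFIXES) -> list:
    """Return the list of rules a parsed entry trips (empty when benign)."""
    reasons = []
    path = entry["uri"].split("?", 1)[0]          # drop the query string
    if entry["method"] in WRITE_METHODS:
        reasons.append(f"write method {entry['method']}")
    if ".session" in path:
        reasons.append(".session in request path")
    if path.lower().endswith(".jsp") and path.startswith(static_prefixes):
        reasons.append("jsp requested from a static-content location")
    return reasons


def scan(lines, static_prefixes=STATIC_PREFIXES) -> list:
    """Return (host, method, uri, status, reasons) for every flagged line."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue                               # unparseable line, skip
        reasons = suspicious_reasons(entry, static_prefixes)
        if reasons:
            hits.append((entry["host"], entry["method"], entry["uri"],
                         entry["status"], reasons))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The access log does not record request headers or cookies by default, so the Content-Range header and the JSESSIONID value of the follow-up request are not visible here; add %{Content-Range}i and %{JSESSIONID}c to the AccessLogValve pattern if those fields are needed for correlation.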
VI. IOCs (Indicators of Compromise)
Type | Indicator |
---|---|
File System Anomalies | Presence of unexpected .jsp files in the web server root directory |
File System Anomalies | Unexpected .session files in the Tomcat work directory (work/Catalina/<host>/<context>/) |
Suspicious HTTP Requests | External POST or GET requests targeting suspicious .jsp files |
Suspicious HTTP Methods | Unexpected PUT requests in web server logs, especially with a Content-Range header or a path containing .session |
Malicious Upload Attempts | Evidence of malicious payloads being delivered via PUT requests |
WAF Detection | Triggered Web Application Firewall (WAF) rules indicating attempts to upload or execute unauthorized files |
Figure 1: Table of IOCs

Figure 2: File paths of attack payloads (using .session extensions)

Figure 3: Payload in the request body, attempting to call the .session file (Akamai)
VII. Additional OSINT Information

Figure 1: Exposed Tomcat instances on Shodan, geolocated in China, Brazil, Morocco, and the U.S. (Recorded Future)

Figure 2: Proof of Concept for exploiting CVE-2025-24813 (GitHub – absholi7ly)

Figure 3: Signature for CVE-2025-24813 (Recorded Future)
VIII. References
Absholi7ly. (2025, March 22). POC-CVE-2025-24813: Proof of concept for CVE-2025-24813 in Apache Tomcat [Source code]. GitHub. https://github.com/absholi7ly/POC-CVE-2025-24813
Akamai Security Intelligence Group. (2025, March 25). Detecting and mitigating Apache Tomcat CVE-2025-24813. Akamai. https://www.akamai.com/blog/security-research/march-apache-tomcat-path-equivalence-traffic-detections-mitigations
Apache Software Foundation. (2025, March 10). [SECURITY] CVE-2025-24813 Potential RCE and/or information disclosure and/or information corruption with partial PUT. Apache mailing lists. https://lists.apache.org/thread/j5fkjv2k477os90nczf2v9l61fb0kkgq
Insikt Group. (2025, March 28). Apache Tomcat: CVE-2025-24813: Active exploitation. Recorded Future. https://www.recordedfuture.com/blog/apache-tomcat-cve-2025-24813-vulnerability-analysis
National Vulnerability Database. (2025, March 10). CVE-2025-24813 Detail. NIST. https://nvd.nist.gov/vuln/detail/CVE-2025-24813
Threat Advisory created by The Cyber Florida Security Operations Center.
Contributing Security Analysts: Jason Doan
To learn more about Cyber Florida visit: www.cyberflorida.org