Critical Apache Tomcat RCE Flaw (CVE-2025-24813) Actively Exploited – Patch Now!


A remote code execution (RCE) vulnerability in Apache Tomcat, tracked as CVE-2025-24813, is currently being exploited in the wild. This flaw allows attackers to gain full control over affected servers using a simple PUT request, making it a significant threat to web administrators and developers.

How Attackers Are Exploiting the Flaw

Security researchers at Wallarm have confirmed active exploitation of this vulnerability. Notably, just 30 hours after its disclosure last week, proof-of-concept (PoC) exploits were published on GitHub, enabling hackers to launch attacks rapidly.

The attack method involves sending a base64-encoded serialized Java payload via a PUT request, which is stored in Tomcat’s session storage. The attacker then triggers execution by sending a GET request with a JSESSIONID cookie pointing to the uploaded session file. As a result, Tomcat deserializes and runs the malicious Java code, granting full control to the attacker.

One of the major challenges in detecting this attack is that PUT requests look like ordinary traffic, and because the payload is base64-encoded, signature-based security tools often fail to recognize it.
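The two-step pattern described above (a PUT that writes a file, followed by a request whose JSESSIONID cookie refers to that file rather than to a server-issued session id) is something an access log can reveal even when the payload itself is opaque. The following script is an added example written for this article, not code from Wallarm or the Apache Tomcat project. It assumes an AccessLogValve pattern that appends the JSESSIONID cookie as the last quoted field, and the log lines embedded in it are constructed, not captured from a real server.

```python
import re

# Constructed sample log lines (not from a real server). Assumed format:
# AccessLogValve pattern '%h %t "%r" %s %b "%{JSESSIONID}c"', so the quoted
# last field is the JSESSIONID cookie the client presented ('-' if none).
SAMPLE_LOG = """\
203.0.113.10 [18/Mar/2025:10:01:02 +0000] "GET /app/index.jsp HTTP/1.1" 200 512 "A1B2C3D4E5F60718293A4B5C6D7E8F90"
203.0.113.10 [18/Mar/2025:10:01:05 +0000] "GET /app/index.jsp HTTP/1.1" 200 512 "A1B2C3D4E5F60718293A4B5C6D7E8F90.node1"
203.0.113.77 [18/Mar/2025:10:02:15 +0000] "PUT /app/uploads/report.session HTTP/1.1" 409 0 "-"
203.0.113.77 [18/Mar/2025:10:02:16 +0000] "GET /app/index.jsp HTTP/1.1" 500 0 "uploads/report"
198.51.100.5 [18/Mar/2025:10:03:00 +0000] "POST /app/login HTTP/1.1" 302 0 "-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<jsid>[^"]*)"$'
)

# A session id Tomcat itself issues: 32 hex characters, optionally followed
# by ".jvmRoute" when the server runs behind a load balancer.
NORMAL_JSID_RE = re.compile(r"^[0-9A-Fa-f]{32}(\.[\w-]+)?$")


def parse_line(line):
    """Split one access-log line into its fields, or return None if it
    does not match the assumed pattern."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def analyse(log_text):
    """Return alerts as (severity, client_ip, reason) tuples.

    Two heuristics: every PUT is reported (most web apps never receive
    one), and a JSESSIONID that does not look like a Tomcat-issued id is
    reported, escalated to 'high' when the same client sent a PUT earlier.
    """
    alerts = []
    put_seen = set()  # clients that issued a PUT earlier in the log
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # unparseable line: skip rather than guess
        ip, method, jsid = rec["ip"], rec["method"], rec["jsid"]
        if method == "PUT":
            put_seen.add(ip)
            alerts.append(("medium", ip, f"PUT {rec['path']} -> {rec['status']}"))
            continue
        if jsid != "-" and not NORMAL_JSID_RE.match(jsid):
            if ip in put_seen:
                alerts.append(("high", ip, f"non-standard JSESSIONID {jsid!r} after PUT"))
            else:
                alerts.append(("medium", ip, f"non-standard JSESSIONID {jsid!r}"))
    return alerts


if __name__ == "__main__":
    for severity, ip, reason in analyse(SAMPLE_LOG):
        print(f"[{severity}] {ip}: {reason}")
```

The second heuristic is the useful one: the base64 body never appears in an access log, but the cookie value does, and a JSESSIONID that contains a path or is not plain hex is not something Tomcat would have issued. The first client's `.node1` suffix is a normal jvmRoute and is not flagged.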

Vulnerability Details

The CVE-2025-24813 vulnerability affects multiple versions of Apache Tomcat, including:

  • Tomcat 11.0.0-M1 to 11.0.2

  • Tomcat 10.1.0-M1 to 10.1.34

  • Tomcat 9.0.0.M1 to 9.0.98

The flaw exists due to Tomcat’s support for partial PUT requests and its default session persistence, which attackers leverage to execute arbitrary code.

Why This Attack is Dangerous

According to Wallarm, this attack is particularly dangerous because:

  • No authentication is required—any attacker with access can exploit it.

  • Tomcat’s default settings make exploitation easy, as many deployments use file-based session storage.

  • Base64 encoding bypasses most security filters, making it difficult to detect.

  • Attackers can modify configurations, upload malicious JSP files, and install backdoors, posing a long-term security risk.


How to Protect

To mitigate this vulnerability, Apache recommends that users immediately upgrade to patched versions:

  • Tomcat 11.0.3+

  • Tomcat 10.1.35+

  • Tomcat 9.0.99+

For those unable to upgrade immediately, the following security measures can help reduce the risk:

  1. Disable partial PUT requests by modifying the configuration settings.

  2. Ensure the default servlet is set to readonly (readonly="true").

  3. Avoid storing sensitive files in subdirectories of public upload directories.

  4. Monitor network traffic for suspicious PUT requests and unusual session activity.

  5. Implement additional security layers, such as Web Application Firewalls (WAFs) with rules to detect and block exploit attempts.
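Steps 1 and 2 both come down to init-params on Tomcat's DefaultServlet in `conf/web.xml` (or a web application's own `WEB-INF/web.xml`): `readonly` controls whether PUT and DELETE may write at all, and `allowPartialPut` controls whether ranged PUT uploads are honoured. The script below is an added example for this article, not Apache's own tooling; it parses a web.xml, finds the servlet named `default`, and reports which of the two settings is still weak. Both XML fragments in it are constructed samples: one with writes enabled and one with the hardened values, so the weak setting and the corrected one appear side by side.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a web.xml fragment in which the DefaultServlet has
# been opened up for writes (readonly=false) and partial PUT is left at
# its default (allowPartialPut defaults to true when not specified).
WEAK_WEB_XML = """\
<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""

# Constructed sample: the same fragment with the mitigations applied.
HARDENED_WEB_XML = """\
<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>true</param-value>
    </init-param>
    <init-param>
      <param-name>allowPartialPut</param-name>
      <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""


def _strip_namespaces(root):
    """Drop XML namespaces so the same code works for the Jakarta EE
    (Tomcat 10/11) and Java EE (Tomcat 9) web.xml namespaces."""
    for el in root.iter():
        if isinstance(el.tag, str) and "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    return root


def default_servlet_params(web_xml):
    """Return {param-name: param-value} for the servlet named 'default',
    or an empty dict if web.xml does not declare one."""
    root = _strip_namespaces(ET.fromstring(web_xml))
    for servlet in root.iter("servlet"):
        if servlet.findtext("servlet-name", default="").strip() != "default":
            continue
        return {
            ip.findtext("param-name", default="").strip():
            ip.findtext("param-value", default="").strip()
            for ip in servlet.findall("init-param")
        }
    return {}


def audit_default_servlet(web_xml):
    """Return a list of findings; an empty list means both checks pass.
    Tomcat's built-in defaults are readonly=true and allowPartialPut=true,
    so an absent parameter is evaluated at its default."""
    params = default_servlet_params(web_xml)
    readonly = params.get("readonly", "true").lower() == "true"
    partial_put = params.get("allowPartialPut", "true").lower() == "true"
    findings = []
    if not readonly:
        findings.append("readonly=false: DefaultServlet accepts PUT/DELETE writes")
    if partial_put:
        findings.append("allowPartialPut not set to false: partial PUT uploads are enabled")
    return findings


if __name__ == "__main__":
    for label, xml in (("weak", WEAK_WEB_XML), ("hardened", HARDENED_WEB_XML)):
        print(label, audit_default_servlet(xml) or ["ok"])
```

Because the audit evaluates missing parameters at Tomcat's defaults, a stock web.xml that never mentions `allowPartialPut` is still reported for step 1, which matches the advisory's advice to disable partial PUT explicitly rather than rely on the default.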

Potential Future Threats

Security experts warn that this attack is just the first wave of a more extensive exploitation campaign. Hackers are expected to evolve their tactics, moving beyond session storage to other techniques, such as:

  • Uploading malicious JSP files.

  • Altering Tomcat configuration settings.

  • Planting persistent backdoors in server environments.

Conclusion

The CVE-2025-24813 RCE vulnerability in Apache Tomcat is a serious security risk, actively exploited by hackers worldwide. Organizations using vulnerable Tomcat versions must act swiftly to patch their systems and implement necessary mitigations. As attackers refine their methods, continuous monitoring and security best practices will be crucial in defending against future threats.

By staying proactive, system administrators can minimize the risk posed by this flaw and protect their infrastructure from potential cyberattacks.
