Analysis Summary

A critical remote code execution (RCE) vulnerability, CVE-2025-24813, is being actively exploited, allowing attackers to compromise Apache Tomcat servers using a single PUT API request. Researchers report that the exploit, initially shared on a Chinese forum, takes advantage of Tomcat’s default session persistence and partial PUT request handling. They emphasize, “This attack is dead simple to execute and requires no authentication.”

The attack occurs in two steps: first, an attacker uploads a malicious serialized Java session file via a PUT request, storing the payload inside Tomcat’s session directory. Then, by sending a GET request with a JSESSIONID pointing to the malicious session, they trigger deserialization and execute arbitrary code. The exploit works under specific conditions, including servlet write being enabled, file-based session persistence, and the presence of a deserialization exploitation library.

The widespread use of file-based session storage in Tomcat deployments increases the risk, as many configurations remain vulnerable by default. Detection is difficult since the payload is base64-encoded, allowing it to bypass most Web Application Firewalls (WAFs). Researchers note that WAFs often miss the attack because the PUT request appears normal, the payload lacks obvious malicious patterns, and the harmful execution occurs only during deserialization.

The vulnerability affects Apache Tomcat versions 11.0.0-M1 to 11.0.2, 10.1.0-M1 to 10.1.34, and 9.0.0.M1 to 9.0.98. Patched versions include 11.0.3, 10.1.35, and 9.0.99. Users unable to upgrade immediately should set the readonly parameter in conf/web.xml to true, disable the PUT method, and restart Tomcat, or disable the PersistentManager to mitigate the risk. Given its simplicity and potential impact, organizations using Tomcat should take urgent action to secure their deployments.

Impact

• Remote Code Execution
• Unauthorized Gain Access
• Security Bypass

Indicators of Compromise

CVE

• CVE-2025-24813

Remediation

• Refer to Apache Website for patch, upgrade, or suggested workaround information.
• Organizations must test their assets for the vulnerability mentioned above and apply the available security patch or mitigation steps as soon as possible.
• Implement multi-factor authentication to add an extra layer of security to login processes.
• Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
• Organizations must stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
• Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
• Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
• Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
• Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
• Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
• Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.