Overview
Apache Tomcat, the free and open-source implementation of the Java Servlet specification, recently disclosed a critical vulnerability tracked as CVE-2025-24813. This path equivalence vulnerability allows threat actors to take control of servers using a simple PUT request. Apache Tomcat is widely used to deploy web applications in both development and production environments; its popularity can be attributed to its versatility, scalability, and rich feature set. Given its central role in so many web application architectures, securing Tomcat deployments is highly important.
Vulnerability Details
The root cause of CVE-2025-24813 lies in how Apache Tomcat handles file paths during partial PUT requests. When a user uploads a file this way, Tomcat creates a temporary file whose name is derived from the requested path. Critically, it replaces path separators (‘/’ or ‘\’) with dots (‘.’). For instance, an attempt to upload a file to ‘uploads/malicious/file.txt’ results in a temporary file named ‘uploads.malicious.file.txt’. This substitution was originally intended as a defense against path traversal, but it inadvertently opened a new vulnerability: two different paths can map to the same dot-separated name. By carefully crafting filenames with internal dots, attackers can bypass security controls and gain unauthorized access to modify or disclose files in unintended locations on the server.
First published on March 10, 2025, this CVE carries a severity rating of Critical because it can lead to data breaches, content injection, unauthorized access, server compromise, and in certain extreme cases, remote code execution. Remote code execution becomes possible when Tomcat’s file-based session persistence is used with default settings and the application contains deserialization vulnerabilities, allowing attackers to execute arbitrary code on the server.
Of significant concern, attackers began exploiting this vulnerability in the wild a mere 30 hours after the public disclosure of the proof of concept (PoC).
Exploitation of CVE-2025-24813 involves two primary steps:
- Malicious Session File Upload: An attacker sends a PUT request to upload a crafted Java session file. The file name and path are manipulated to exploit the path equivalence vulnerability. This allows the attacker to write the session file to a location where it can be accessed.
- Deserialization Trigger: The attacker then sends a GET request referencing the malicious session ID. This triggers the deserialization of the uploaded session file, potentially leading to remote code execution.
Key Considerations:
- The vulnerability is relatively straightforward to exploit if the prerequisite conditions are met.
- Exploitation does not require authentication.
- The primary requirement is that Tomcat is configured to use file-based session storage instead of the default in-memory storage.
- Successful remote code execution also depends on the presence of deserialization vulnerabilities within the deployed web applications and on whether write access is enabled for the DefaultServlet (readonly set to false).
Think You May Be Affected by CVE-2025-24813? Here’s What to Do
If you suspect your Apache Tomcat deployment may be vulnerable to CVE-2025-24813, follow these steps to secure your system:
- Verify whether your system is affected by checking the version of Apache Tomcat running on your server. Vulnerable versions include:
  - Apache Tomcat 9.0.0.M1 through 9.0.98
  - Apache Tomcat 10.1.0-M1 through 10.1.34
  - Apache Tomcat 11.0.0-M1 through 11.0.2
  Determining whether your system is running one of these versions is critical to understanding your exposure to this vulnerability.
- Upgrade to a patched version. Immediately update Apache Tomcat to a secure release:
  - Apache Tomcat 9.0.99 or later
  - Apache Tomcat 10.1.35 or later
  - Apache Tomcat 11.0.3 or later
  Upgrading to a patched version that addresses the vulnerability is the essential measure for safeguarding the system against exploitation.
- If an upgrade cannot be performed right away, take the following steps to reduce risk:
  - Disable partial PUT requests: set allowPartialPut to false in conf/web.xml, then restart Tomcat.
  - Disable write permissions for the DefaultServlet: ensure that the readonly attribute is set to true in the DefaultServlet configuration.
  - Restrict sensitive file locations: avoid placing sensitive files in subdirectories of public upload paths, so that a path-equivalence collision cannot reach them.
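The two checks above (is the running version inside the listed ranges, and are the two interim mitigations actually applied in conf/web.xml) can be scripted. The following is an added example written for this advisory, not XM Cyber or Apache code; the version ranges and init-param names come from the text, the web.xml fragment is a constructed sample, and the defaults assumed for absent parameters (readonly=true, allowPartialPut=true) are Tomcat's documented defaults.

```python
import re
import xml.etree.ElementTree as ET

# First patched release per branch, from the advisory: 9.0.99, 10.1.35, 11.0.3.
FIXED = {(9, 0): "9.0.99", (10, 1): "10.1.35", (11, 0): "11.0.3"}

def version_key(version):
    """Sortable key; milestones (9.0.0.M1, 10.1.0-M1) order before the GA release."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, ms = m.groups()
    return (int(major), int(minor), int(patch), 0 if ms else 1, int(ms or 0))

def is_vulnerable_version(version):
    """True when the version lies in one of the advisory's listed ranges."""
    key = version_key(version)
    fixed = FIXED.get(key[:2])
    # Branches the advisory does not list (e.g. 8.5.x) are reported as not affected.
    return fixed is not None and key < version_key(fixed)

# Constructed sample conf/web.xml fragment showing both weak DefaultServlet settings.
WEAK_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
    <init-param><param-name>allowPartialPut</param-name><param-value>true</param-value></init-param>
  </servlet>
</web-app>"""

def default_servlet_findings(web_xml):
    """List advisory mitigations left unapplied; absent params take Tomcat defaults (readonly=true, allowPartialPut=true)."""
    params = {"readonly": "true", "allowPartialPut": "true"}
    for servlet in ET.fromstring(web_xml).iterfind(".//{*}servlet"):
        if not (servlet.findtext("{*}servlet-class") or "").endswith(".DefaultServlet"):
            continue
        for p in servlet.findall("{*}init-param"):
            name = (p.findtext("{*}param-name") or "").strip()
            if name in params:
                params[name] = (p.findtext("{*}param-value") or "").strip().lower()
    findings = []
    if params["readonly"] != "true":
        findings.append("readonly is not true: DefaultServlet accepts PUT writes")
    if params["allowPartialPut"] != "false":
        findings.append("allowPartialPut is not false: partial PUT requests are accepted")
    return findings
```

Feed `is_vulnerable_version` the version string reported by Tomcat's version script and `default_servlet_findings` the contents of conf/web.xml; an empty findings list means both interim mitigations are in place.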
Identifying CVE-2025-24813 With XM Cyber
XM Cyber continually monitors your entire infrastructure. Our research team has developed a technique to help customers identify the CVE-2025-24813 vulnerability within their environments.
With XM Cyber’s NG-External Attack Surface Management (NG-EASM) capability, you can now test which external-facing machines are vulnerable to this risk. Utilizing continuous monitoring, automated scanning, and real-time data, XM Cyber NG-EASM can detect and alert you about vulnerable versions of Apache Tomcat. If any vulnerabilities are detected, the platform provides step-by-step guidance on how to address them.
With XM Cyber’s Vulnerability Risk Management (VRM) capability, you can identify all Windows instances of the CVE-2025-24813 vulnerability across your organization. This module uses dynamic and continuous CVE mapping to transition from traditional vulnerability assessments to a risk-based approach. By considering both exploit likelihood and business impact, VRM helps prioritize vulnerabilities and streamline remediation efforts. This attack technique is under development in our Continuous Exposure Management (CEM) and will be released soon.
Additionally, your Customer Success Manager and our sales engineers proactively provide raw data for all your vulnerable machines. You can request an updated list at any time, which will include information about Apache Tomcat.
We will update this advisory with additional information as it becomes available.