Critical Apache Tomcat Vulnerability (CVE-2025-24813) Under Active Exploitation: Immediate Action Required

A critical security vulnerability identified as CVE-2025-24813 has been discovered in Apache Tomcat, a widely used open-source web server and servlet container. This vulnerability allows for remote code execution (RCE) and unauthorized access to sensitive files, posing significant risks to affected systems. Notably, active exploitation of this flaw has been observed in the wild, underscoring the urgency for immediate remediation.

Understanding CVE-2025-24813

CVE-2025-24813 stems from improper handling of path equivalence checks involving filenames with internal dots (e.g., file...txt). This flaw affects the following Apache Tomcat versions:

  • 9.0.0.M1 through 9.0.98
  • 10.1.0-M1 through 10.1.34
  • 11.0.0-M1 through 11.0.2

Exploitation of this vulnerability is contingent upon specific conditions:

  1. Writes enabled for the default servlet (readonly set to false).
  2. Support for partial PUT requests (enabled by default).
  3. Application using Tomcat’s file-based session persistence with the default storage location.
  4. Inclusion of a library that can be leveraged in a deserialization attack.

When these conditions are met, a remote attacker can exploit the vulnerability to execute arbitrary code on the server or access sensitive information.

Exploitation Details

The attack involves a two-step process:

  1. Uploading a Malicious Session File: The attacker sends a PUT request containing a Base64-encoded serialized Java payload to the server. This payload is stored in Tomcat’s session storage directory.
  2. Triggering Deserialization: The attacker then sends a GET request with a JSESSIONID cookie pointing to the malicious session file. Tomcat deserializes this file, executing the embedded Java code and granting the attacker full remote access to the server.

This method is particularly concerning because it requires no authentication and can bypass traditional security filters due to the Base64 encoding of the payload.
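The two-step pattern described above gives defenders something concrete to hunt for in access logs. The following Python script is an added example for this page, not part of the advisory or of Apache Tomcat: it runs a simple detection over a few constructed Tomcat access-log lines, flagging PUT requests (which only succeed when the default servlet accepts writes) and GET requests whose JSESSIONID does not look like a Tomcat-generated session id, and raising the severity when the same client did both. The log layout (Tomcat's AccessLogValve common pattern plus a `%{JSESSIONID}c` field) and the session-id shape (32 hex characters with an optional jvmRoute suffix) are assumptions about a typical deployment, so adjust the two regular expressions to your own access-log pattern.

```python
import re

# Constructed sample of Tomcat AccessLogValve output. Assumed pattern (not from the
# advisory): '%h %l %u %t "%r" %s %b "%{JSESSIONID}c"', i.e. the common log format
# with the JSESSIONID cookie value appended as a final quoted field ("-" when absent).
SAMPLE_LOG = """\
10.0.0.5 - - [11/Mar/2025:10:02:14 +0000] "PUT /uploads/report.txt HTTP/1.1" 201 0 "-"
10.0.0.5 - - [11/Mar/2025:10:02:16 +0000] "GET /index.jsp HTTP/1.1" 200 512 "../uploads/report"
192.0.2.7 - - [11/Mar/2025:10:05:00 +0000] "GET /index.jsp HTTP/1.1" 200 512 "3F8A1C2B4D5E6F708192A3B4C5D6E7F8"
192.0.2.9 - - [11/Mar/2025:10:06:00 +0000] "GET /index.jsp HTTP/1.1" 200 512 "-"
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+ "(?P<jsessionid>[^"]*)"$'
)

# Assumed shape of a Tomcat-generated session id: 32 hex characters, optionally
# followed by ".<jvmRoute>". Anything else (path separators, extra dots, ...) is
# treated as anomalous, which is what a session id "pointing at a file" looks like.
SESSION_ID_RE = re.compile(r'^[0-9A-Fa-f]{32}(\.[A-Za-z0-9_-]+)?$')


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    match = LINE_RE.match(line)
    return match.groupdict() if match else None


def analyze(log_text):
    """Return a list of (severity, client, reason) findings, in log order."""
    findings = []
    put_clients = set()  # clients that issued a PUT earlier in the log
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        client = rec["client"]
        if rec["method"] == "PUT":
            # A successful PUT through the default servlet implies readonly=false.
            put_clients.add(client)
            findings.append(("medium", client,
                             f"PUT to {rec['uri']} (default servlet writes enabled?)"))
            continue
        sid = rec["jsessionid"]
        if sid != "-" and not SESSION_ID_RE.match(sid):
            # Same client wrote a file and then presented an odd session id: escalate.
            severity = "high" if client in put_clients else "medium"
            findings.append((severity, client,
                             f"non-standard JSESSIONID {sid!r} on {rec['method']} {rec['uri']}"))
    return findings


if __name__ == "__main__":
    for severity, client, reason in analyze(SAMPLE_LOG):
        print(f"[{severity}] {client}: {reason}")
```

The correlation is deliberately simple (any earlier PUT from the same client); in production you would bound it by time and by the PUT returning a success status, and feed the findings into your SIEM rather than printing them.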

Active Exploitation in the Wild

Reports indicate that exploitation of CVE-2025-24813 began swiftly after its disclosure. Security researchers observed active attacks leveraging this vulnerability, highlighting the ease with which it can be exploited and the potential for widespread impact.

Mitigation Steps

To protect systems from potential exploitation, administrators should take the following actions:

  1. Upgrade Apache Tomcat: Update to the fixed versions:
    • For 9.0.x: Upgrade to 9.0.99 or later.
    • For 10.1.x: Upgrade to 10.1.35 or later.
    • For 11.0.x: Upgrade to 11.0.3 or later.
  2. Modify Configuration Settings: If immediate upgrading is not feasible, adjust the following configurations:
    • Set the default servlet to read-only: Ensure the readonly parameter is set to true in the default servlet configuration.
    • Disable partial PUT requests: Set the allowPartialPut parameter to false to prevent partial PUT request handling.
  3. Secure File Upload Directories: Regularly audit permissions and avoid placing sensitive directories within publicly writable locations to minimize the risk of unauthorized access or modification.
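To check the mitigation steps above across a fleet, an administrator needs two things: whether the running version falls in an affected range, and whether the default servlet is configured with the two risky settings. The following Python script is an added example for this page, not part of the advisory or of Apache Tomcat. It contains a constructed web.xml excerpt with the weak settings beside a hardened one with the fixes applied, audits both for the readonly and allowPartialPut conditions named in this advisory, and compares version strings (including milestone forms such as 10.1.0-M1) against the fixed releases listed above. The defaults it assumes (readonly defaults to true, allowPartialPut defaults to true) are stated as such in the comments.

```python
import xml.etree.ElementTree as ET

# Constructed excerpt in the shape of Tomcat's conf/web.xml (not copied from any
# release): the default servlet with writes enabled; allowPartialPut is left unset,
# which the advisory says means partial PUT is enabled.
WEAK_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
    <init-param><param-name>listings</param-name><param-value>false</param-value></init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>"""

# The same excerpt with both configuration mitigations from this advisory applied.
HARDENED_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>allowPartialPut</param-name><param-value>false</param-value></init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>"""

# First fixed release per affected branch, as listed in the advisory.
FIXED_VERSIONS = {(9, 0): "9.0.99", (10, 1): "10.1.35", (11, 0): "11.0.3"}


def _local(tag):
    # Strip the XML namespace so the check works for javaee and jakartaee web.xml files.
    return tag.rsplit("}", 1)[-1]


def default_servlet_params(web_xml_text):
    """Return the DefaultServlet's init-params as {name: value}, or {} if not declared."""
    root = ET.fromstring(web_xml_text)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        classes = [(c.text or "").strip() for c in servlet if _local(c.tag) == "servlet-class"]
        if classes != ["org.apache.catalina.servlets.DefaultServlet"]:
            continue
        params = {}
        for init_param in (c for c in servlet if _local(c.tag) == "init-param"):
            fields = {_local(f.tag): (f.text or "").strip() for f in init_param}
            if "param-name" in fields:
                params[fields["param-name"]] = fields.get("param-value", "")
        return params
    return {}


def audit_config(web_xml_text):
    """List the exploitation preconditions from this advisory that the config satisfies."""
    params = default_servlet_params(web_xml_text)
    issues = []
    # Assumed default: readonly is true unless explicitly set to false.
    if params.get("readonly", "true").lower() == "false":
        issues.append("default servlet readonly=false (writes enabled)")
    # Assumed default (per the advisory): partial PUT is enabled unless set to false.
    if params.get("allowPartialPut", "true").lower() != "false":
        issues.append("partial PUT enabled (allowPartialPut not set to false)")
    return issues


def parse_version(version):
    """Turn '9.0.0.M1', '10.1.0-M1' or '9.0.98' into a sortable tuple; milestones sort before GA."""
    numbers, milestone = [], None
    for part in version.strip().replace("-", ".").split("."):
        if part[:1].upper() == "M" and part[1:].isdigit():
            milestone = int(part[1:])
        else:
            numbers.append(int(part))
    numbers = (numbers + [0, 0, 0])[:3]
    return tuple(numbers) + ((0, milestone) if milestone is not None else (1, 0))


def is_affected(version):
    """True/False for a version on a branch this advisory covers, None for other branches."""
    key = parse_version(version)
    fixed = FIXED_VERSIONS.get((key[0], key[1]))
    if fixed is None:
        return None
    return key < parse_version(fixed)


if __name__ == "__main__":
    for label, xml_text in (("weak", WEAK_WEB_XML), ("hardened", HARDENED_WEB_XML)):
        print(label, audit_config(xml_text) or ["no issues"])
    for v in ("9.0.98", "9.0.99", "10.1.0-M1", "11.0.2", "11.0.3"):
        print(v, is_affected(v))
```

Run `audit_config` against both the global conf/web.xml and each application's WEB-INF/web.xml, since an application can redeclare the default servlet's init-params; a None from `is_affected` means the branch is not one the advisory lists, not that it is safe.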
