Security researchers have confirmed that a critical remote code execution (RCE) vulnerability in Apache Tomcat, tracked as CVE-2025-24813<\/a>, is being actively exploited in the wild.<\/p>\n The vulnerability, which enables attackers to take control of servers with a simple PUT request, was disclosed last week, and proof-of-concept exploits were published on GitHub merely 30 hours later.<\/p>\n The critical flaw affects multiple versions of Apache Tomcat: 11.0.0-M1 to 11.0.2, 10.1.0-M1 to 10.1.34, and 9.0.0.M1 to 9.0.98. First disclosed by Apache on March 10, 2025, the vulnerability allows attackers to view or inject arbitrary content on security-sensitive files under specific conditions.<\/p>\n Wallarm security researchers have confirmed<\/a> active exploitation attempts, warning that traditional security tools fail to detect these attacks because the PUT requests appear normal and malicious content is obfuscated using base64 encoding.<\/p>\n The attack leverages Tomcat\u2019s default session persistence mechanism along with its support for partial PUT requests in a two-step process:<\/p>\n The attacker sends a PUT request containing a base64-encoded serialized Java payload, which gets saved to Tomcat\u2019s session storage. This request appears innocuous to most security filters, as the malicious payload is effectively hidden through encoding.<\/p>\n Once the malicious file is uploaded, the attacker sends a GET request with a JSESSIONID cookie pointing to the uploaded session file. This forces Tomcat to deserialize and execute the malicious Java code, granting complete control to the attacker.<\/p>\n \u201cThis attack is dead simple to execute and requires no authentication,\u201d explains Wallarm in their analysis. \u201cThe only requirement is that Tomcat is using file-based session storage, which is common in many deployments.\u201d<\/p>\n Traditional Web Application Firewalls (WAFs) struggle to detect this attack for several reasons:<\/p>\n User iSee857 created a GitHub<\/a> repository containing exploit code. The repository features a Python script that can check for vulnerability across multiple targets.<\/p>\n Apache recommends that all users upgrade to Tomcat versions 11.0.3+, 10.1.35+, or 9.0.99+, which contain patches for CVE-2025-24813<\/a>.<\/p>\n For organizations unable to update immediately, alternative mitigations include:<\/p>\n Security experts warn that this is likely just the beginning, as attackers will soon evolve their tactics beyond session storage exploitation. \u201cAttackers will soon start shifting their tactics, uploading malicious JSP files, modifying configurations, and planting backdoors outside session storage. This is just the first wave,\u201d cautions Wallarm.<\/p>\n The rapid exploitation of this vulnerability highlights the critical importance of proactive security measures and prompt patching in today\u2019s threat landscape.<\/p>\n The post Critical Apache Tomcat RCE Vulnerability Exploited in Just 30hrs of Public Exploit<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi6wFbHgP8y8N9D588Eu2G-q4dng7c-9DXPjFyiRpwga8wGe31py2UqxLtm3_zCof8TuEBXqKlHtq_sqO6I6ZpQBCANRHM2j7KF6JFWc0vNGwe5P3GEePBo4mUuujMF8LRzrv_IP6w2q0mzQt0H3gnYdDzPWhr52tCOvk4QryqlORaLM853ifsao0Ep1S6n\/s16000\/apache%2520tomcat.webp?ssl=1\")
<\/figure>\n<\/div>\nExploitation Mechanism<\/strong><\/h2>\n
Step 1: Uploading Malicious Code<\/strong><\/h3>\n
Step 2: Triggering Execution<\/strong><\/h3>\n
\n
Mitigations<\/strong><\/h2>\n
\n
Are you from SOC\/DFIR Teams? \u2013 Analyse Malware Incidents & get live Access with ANY.RUN ->\u00a0Start Now for Free<\/a>.<\/strong><\/code><\/strong><\/strong><\/p>\n