Threat Advisory – Apache Tomcat RCE Vulnerability (CVE-2025-24813)

Description

A critical remote code execution (RCE) vulnerability (CVE-2025-24813) has been identified in Apache Tomcat's DefaultServlet. The root cause is a path equivalence flaw in the handling of partial PUT requests. PUT is the HTTP method used by RESTful web services and WebDAV clients to create or replace a resource on a server; a partial PUT (a PUT carrying a Content-Range header) updates only a byte range of that resource. Tomcat stages a partial PUT in a temporary file whose name is derived from the request path, which lets an unauthenticated attacker place a file where it should not be able to. When the application also stores sessions on disk with Tomcat's file-based session persistence (FileStore) in its default location, the attacker can upload a malicious serialized Java session file and then trigger its deserialization with a follow-up request, executing arbitrary code provided a suitable deserialization gadget chain is present on the classpath. No authentication is required, but exploitation depends on non-default configuration: DefaultServlet writes are disabled (readonly=true) out of the box.

Impact

  • Attackers can gain complete control over vulnerable Tomcat servers that meet the exploitation preconditions (writable DefaultServlet, partial PUT enabled, file-based session persistence in the default location, and a deserialization gadget chain on the classpath).
  • The uploaded payload is executed when a follow-up GET request presents a JSESSIONID cookie that makes Tomcat load and deserialize the planted session file.
  • Where the RCE preconditions are not met, the same flaw can still expose security-sensitive files or allow an attacker to inject content into files uploaded via partial PUT.
  • Sensitive data and critical business operations are at risk.

Affected Versions

  • Apache Tomcat 11.0.0-M1 to 11.0.2
  • Apache Tomcat 10.1.0-M1 to 10.1.34
  • Apache Tomcat 9.0.0.M1 to 9.0.98

Recommendations

Immediate Upgrade: Patch to the latest secured versions:

  • Apache Tomcat 11.0.3+
  • Apache Tomcat 10.1.35+
  • Apache Tomcat 9.0.99+

Review Server Configurations: In conf/web.xml, keep the DefaultServlet's readonly init-param at its default of true (writes disabled) unless the application genuinely needs HTTP PUT and DELETE, and set allowPartialPut to false if partial updates are not required. If sessions are persisted with PersistentManager and FileStore, point the store's directory attribute at a dedicated location rather than the default work directory.

Check for Vulnerable Libraries: The RCE path depends on a deserialization gadget chain being present on the application's classpath. Inventory the application's dependencies (bundled JARs and those in Tomcat's lib directory), remove or update libraries with known deserialization gadgets, and consider restricting deserialization with a JEP 290 serialization filter (the jdk.serialFilter system property).
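The three recommendations above can be checked together from the configuration files. The following checker is an added example written for this advisory; it is not Accorian's, Apache's or Tomcat's own code. It takes the Tomcat version string, the text of conf/web.xml and the text of a context.xml and reports which of the configuration-visible RCE preconditions hold. The init-param names readonly and allowPartialPut and the PersistentManager/FileStore class names are the real Tomcat ones; the affected ranges come from this advisory; the sample configuration documents are constructed for the example, and the gadget-chain check is left out because it requires a dependency inventory rather than a config file.

```python
"""Checker for the CVE-2025-24813 preconditions listed in the advisory.
Added example, not code from Accorian or the Apache Tomcat project."""
import re
import xml.etree.ElementTree as ET

# First fixed release on each branch named in the advisory.
FIRST_FIXED = {(11, 0): 3, (10, 1): 35, (9, 0): 99}

# Accepts release and milestone forms: 9.0.98, 9.0.0.M1, 11.0.0-M1
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M\d+)?$")


def is_vulnerable_version(version):
    """True if `version` is in an affected range, False if it is fixed,
    None if the branch is not covered by the advisory (e.g. 8.5.x)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    fixed = FIRST_FIXED.get((major, minor))
    if fixed is None:
        return None
    # Milestones are x.y.0-Mn, so they sort below the first fix and are affected.
    return patch < fixed


def _local(tag):
    """Strip the namespace that Tomcat's web.xml declares (javaee or jakartaee)."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_settings(web_xml):
    """Effective readonly / allowPartialPut values for the servlet named
    'default', starting from Tomcat's built-in defaults (both true)."""
    settings = {"readonly": "true", "allowPartialPut": "true"}
    for servlet in ET.fromstring(web_xml).iter():
        if _local(servlet.tag) != "servlet":
            continue
        names = [c.text for c in servlet if _local(c.tag) == "servlet-name"]
        if not names or (names[0] or "").strip() != "default":
            continue
        for param in servlet:
            if _local(param.tag) != "init-param":
                continue
            kv = {_local(c.tag): (c.text or "").strip() for c in param}
            name, value = kv.get("param-name"), kv.get("param-value")
            if name in settings and value is not None:
                settings[name] = value.lower()
    return settings


def uses_file_store(context_xml):
    """True if the context persists sessions with PersistentManager + FileStore."""
    root = ET.fromstring(context_xml)
    for manager in root.iter("Manager"):
        if not manager.get("className", "").endswith("PersistentManager"):
            continue
        for store in manager.iter("Store"):
            if store.get("className", "").endswith("FileStore"):
                return True
    return False


def assess(version, web_xml, context_xml):
    """Map each configuration-visible precondition to whether it holds."""
    s = default_servlet_settings(web_xml)
    return {
        "affected_version": bool(is_vulnerable_version(version)),
        "writable_default_servlet": s["readonly"] == "false",
        "partial_put_enabled": s["allowPartialPut"] != "false",
        "file_store_sessions": uses_file_store(context_xml),
    }


def rce_preconditions_met(version, web_xml, context_xml):
    """All config-visible conditions for the RCE path hold. A gadget chain
    on the classpath is additionally required and is not checked here."""
    return all(assess(version, web_xml, context_xml).values())


# Constructed sample inputs (not taken from any real deployment).
WEAK_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""

HARDENED_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>allowPartialPut</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""

FILESTORE_CONTEXT_XML = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore"/>
  </Manager>
</Context>"""

DEFAULT_CONTEXT_XML = "<Context/>"

if __name__ == "__main__":
    for label, xml in (("weak", WEAK_WEB_XML), ("hardened", HARDENED_WEB_XML)):
        print(label, assess("9.0.98", xml, FILESTORE_CONTEXT_XML))
```

Against the weak web.xml and a FileStore context on 9.0.98 every precondition holds; the hardened web.xml clears both servlet findings, and upgrading to 9.0.99 clears the version finding, so either change alone takes the deployment off the RCE path. In a real deployment, read conf/web.xml and each context's META-INF/context.xml or conf/Catalina/<host>/<app>.xml and pass the file contents to assess().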

References

Apache Tomcat 11.x vulnerabilities: https://tomcat.apache.org/security-11.html
Apache Tomcat 10.x vulnerabilities: https://tomcat.apache.org/security-10.html
Apache Tomcat 9.x vulnerabilities: https://tomcat.apache.org/security-9.html

For further assistance, contact us at info@accorian.com or schedule an appointment via our Calendly link.

Threat Advisory
Team Accorian