Description
A critical remote code execution (RCE) vulnerability (CVE-2025-24813) has been identified in Apache Tomcat, allowing attackers to fully compromise affected servers through a single PUT request. PUT is an HTTP method used in RESTful web services to create or update a resource on a server. Exploiting this flaw lets an attacker upload a malicious Java session file and execute arbitrary code without authentication.
Impact
- Attackers can gain complete control over vulnerable Tomcat servers.
- Malicious payloads can be executed remotely via GET requests.
- Sensitive data and critical business operations are at risk.
Affected Versions
- Apache Tomcat 11.0.0-M1 to 11.0.2
- Apache Tomcat 10.1.0-M1 to 10.1.34
- Apache Tomcat 9.0.0.M1 to 9.0.98
Recommendations
Immediate Upgrade: Patch to the latest fixed versions:
- Apache Tomcat 11.0.3+
- Apache Tomcat 10.1.35+
- Apache Tomcat 9.0.99+
Review Server Configurations: Disable DefaultServlet write access and partial PUT request support if not required.
Check for Vulnerable Libraries: Ensure no known deserialization vulnerabilities exist in the application.
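As an added defensive check (not part of the original advisory), the following Python script audits a Tomcat conf/web.xml for the two DefaultServlet settings named above, readonly and allowPartialPut, applying Tomcat's documented defaults (readonly=true, allowPartialPut=true) when a parameter is not declared. The sample web.xml is constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a weakened conf/web.xml (not taken from a real server):
# readonly has been set to false, and allowPartialPut is left at its default.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
    <init-param><param-name>listings</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>
"""

DEFAULT_SERVLET_CLASS = "org.apache.catalina.servlets.DefaultServlet"


def _local(tag):
    """Strip the XML namespace so the parser works for javaee and jakarta.ee schemas."""
    return tag.split("}", 1)[-1]


def default_servlet_params(web_xml_text):
    """Return the init-params of the DefaultServlet declaration, or None if it is absent."""
    root = ET.fromstring(web_xml_text)
    for servlet in (e for e in root.iter() if _local(e.tag) == "servlet"):
        cls, params = "", {}
        for child in servlet:
            if _local(child.tag) == "servlet-class":
                cls = (child.text or "").strip()
            elif _local(child.tag) == "init-param":
                kv = {_local(s.tag): (s.text or "").strip() for s in child}
                if "param-name" in kv:
                    params[kv["param-name"]] = kv.get("param-value", "")
        if cls == DEFAULT_SERVLET_CLASS:
            return params
    return None


def audit_default_servlet(web_xml_text):
    """Return a list of findings; an empty list means both settings are hardened."""
    params = default_servlet_params(web_xml_text)
    if params is None:
        return ["DefaultServlet not declared in this web.xml"]
    # Tomcat parses these with Boolean.parseBoolean: only the literal "true" is true.
    readonly = params.get("readonly", "true").lower() == "true"
    partial_put = params.get("allowPartialPut", "true").lower() == "true"
    findings = []
    if not readonly:
        findings.append("readonly=false: DefaultServlet accepts PUT/DELETE (write access enabled)")
    if partial_put:
        findings.append("allowPartialPut not disabled (defaults to true): partial PUT requests accepted")
    return findings
```

Run it against each deployed conf/web.xml and any per-application WEB-INF/web.xml that redeclares the default servlet, since an application-level declaration overrides the global one.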
References
Apache Tomcat 11.x vulnerabilities
For further assistance, contact us at info@accorian.com or schedule an appointment via our Calendly link.
Threat Advisory
Team Accorian