Rapid Exploitation Alert: Critical Apache Tomcat RCE Vulnerability (CVE-2025-24813)

Author: Harkirat Bhardwaj
A new critical vulnerability, CVE-2025-24813, affecting Apache Tomcat has been identified and actively exploited in the wild within 24 hours following the public release of exploit code. This blog provides an in-depth understanding of the vulnerability, its exploitation process, impact, risk profile, and actionable mitigation strategies.
1. Vulnerability Overview
CVE-2025-24813 refers to a critical remote code execution (RCE) flaw within Apache Tomcat due to a path traversal vulnerability, specifically related to handling internal dots (..) in filenames. This issue enables attackers to execute arbitrary Java code through deserialization of untrusted data.
Root Cause (CWE Mapping):
- CWE-22: Improper limitation of a pathname to a restricted directory ('Path Traversal')
- CWE-502: Deserialization of untrusted data
Attack Patterns (CAPEC Mapping):
- CAPEC-126: Path Traversal
- CAPEC-586: Object Injection
2. Exploitation Analysis
The exploit leverages publicly available proof-of-concept (PoC) code, significantly lowering the barrier for attackers.
- Exploit Reference: GitHub PoC
- CVSS Score: 8.6 (Critical)
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
How the Exploit Works:
- The attacker sends a malicious HTTP PUT request containing a base64-encoded serialized Java payload, leveraging path traversal to place the payload within Tomcat’s session storage.
- The attacker sends a subsequent HTTP GET request with a specially crafted JSESSIONID cookie to trigger deserialization of the malicious payload.
- This process executes arbitrary Java code remotely, potentially compromising the entire system.
MITRE ATT&CK Techniques:
- Exploitation Technique (T1190): Exploit Public-Facing Websites (Unauthenticated remote exploitation)
- Primary Impact (T1203): Exploitation for Client Execution (Remote code execution on Tomcat server)
- Secondary Impact (T1565): Data Manipulation (Access and alteration of sensitive data)
3. Visualizing the Attack Flow
Refer to the attack flow image below for a visual representation of the exploitation stages:

4. Who is at Risk?
Wallarm’s threat intelligence has confirmed active exploitation originating from Poland, highlighting the opportunistic nature of the attacks. So far, no advanced persistent threats (APTs) or state-sponsored actors have been identified.
Potentially Vulnerable Environments:
- Industries: IT and Cloud infrastructure deploying Apache Tomcat as a web server.
- Apache Tomcat Versions Affected:
  - 11.0.0-M1 through 11.0.2
  - 10.1.0-M1 through 10.1.34
  - 9.0.0.M1 through 9.0.98
5. Recommended Mitigation Strategies
Given the speed of exploitation post-publication, immediate action is essential.
Web Application Firewall (WAF) Mitigation:
Standard WAF rule sets do not inspect base64-encoded PUT bodies by default. A custom ModSecurity chain such as the following blocks PUT requests whose base64-encoded body, once decoded, contains a path traversal sequence, the session directory, or the Java serialization header:
# Requires SecRequestBodyAccess On, otherwise REQUEST_BODY is empty in phase 2.
SecRule REQUEST_METHOD "@streq PUT" \
    "chain,\
    id:2000006,\
    phase:2,\
    deny,\
    status:403,\
    log,\
    msg:'Blocking potential CVE-2025-24813 exploit - Base64 PUT with path traversal, session targeting, or malicious payload'"
    # Second link: the raw body must look like well-formed base64 (t:none so no transformation runs before this check)
    SecRule REQUEST_BODY "@rx ^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$" \
        "t:none,chain"
    # Third link: decode the body, then look for traversal, the session directory, or the Java serialization magic bytes
    SecRule REQUEST_BODY "@rx \.\.|/sessions/|\xac\xed\x00\x05" "t:none,t:base64Decode"
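The same decision logic, as an added Python example that is not part of the original post or of any WAF product: it validates the body as base64 before decoding it, inspects both the raw and decoded views (so an un-encoded serialized payload is still caught), and URL-decodes the request path so an encoded traversal is not missed. The sample requests, the payload bytes after the magic header, and the URI paths are constructed for the self-check.

```python
import base64
import binascii
import re
from urllib.parse import unquote

# Every Java serialization stream starts with STREAM_MAGIC (0xACED) + STREAM_VERSION (5)
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"
BASE64_RE = re.compile(rb"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$")

def body_views(body: bytes) -> list[bytes]:
    """The body as received plus its decoded form when it is well-formed base64,
    so a payload that was never base64-encoded is still inspected."""
    views = [body]
    stripped = body.strip()
    if stripped and BASE64_RE.match(stripped):
        try:
            views.append(base64.b64decode(stripped, validate=True))
        except binascii.Error:
            pass  # alphabet matched but padding was wrong: keep only the raw view
    return views

def inspect_request(method: str, uri: str, body: bytes) -> list[str]:
    """Indicators found in one PUT request; an empty list means nothing matched."""
    findings: list[str] = []
    if method.upper() != "PUT":
        return findings
    path = unquote(uri)  # URL-decode first so %2e%2e is seen as ..
    if ".." in path:
        findings.append("path traversal in URI")
    if "/sessions/" in path:
        findings.append("session store targeted in URI")
    for view in body_views(body):
        if JAVA_SERIAL_MAGIC in view and "java serialized object in body" not in findings:
            findings.append("java serialized object in body")
        if (b".." in view or b"/sessions/" in view) and "traversal or session path in body" not in findings:
            findings.append("traversal or session path in body")
    return findings

# Constructed sample requests for a self-check; none of this is captured traffic.
PAYLOAD_B64 = base64.b64encode(JAVA_SERIAL_MAGIC + b"\x73\x72constructed").decode()
SAMPLES = {
    "benign_get": ("GET", "/app/index.jsp", b""),
    "benign_put": ("PUT", "/app/upload/report.txt", b"plain text"),
    "b64_put_traversal": ("PUT", "/app/%2e%2e/sessions/x", PAYLOAD_B64.encode()),
    "raw_put": ("PUT", "/app/upload/x", JAVA_SERIAL_MAGIC + b"junk"),
}

def scan_samples() -> dict[str, list[str]]:
    return {name: inspect_request(*req) for name, req in SAMPLES.items()}
```

Feeding real requests through this requires body access at the proxy or WAF layer, just as the ModSecurity chain does.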
Endpoint Protection Strategies:
Tools such as Microsoft Defender for Endpoint can mitigate exploitation behavior by enabling customized exploit protection. For Apache Tomcat, manually enable the following:

6. Final Considerations
- Immediate Prioritization: The critical CVSS score of 8.6 and active exploitation necessitate urgent patching.
- Environment Assessment: Evaluate internet-facing Apache Tomcat servers and file-based session persistence configurations to pinpoint vulnerable deployments.
- AI-Assisted Risk Assessment: Leverage tools such as Tuskira AI for a contextual analysis of vulnerability exposure, attack surface mapping, and tailored security recommendations.
⚠️ Action Required
Given the severity and immediate exploitation observed, IT and security teams should urgently implement these mitigations, conduct thorough assessments of their Apache Tomcat deployments, and monitor closely for suspicious activities.