Summary: A critical remote code execution (RCE) vulnerability, CVE-2025-24813, affecting Apache Tomcat servers is being actively exploited, allowing attackers to gain control through a single PUT API request. This vulnerability is dangerous because it can be executed without authentication under specific conditions, using a two-step exploit involving a malicious Java session file. The ease of execution and the encoding of the payload make detection challenging for security systems.
Affected: Apache Tomcat servers (versions 11.0.0-M1 to 11.0.2, 10.1.0-M1 to 10.1.34, 9.0.0-M1 to 9.0.98)
Key points:
- A critical RCE vulnerability (CVE-2025-24813) allows attackers to take over Tomcat servers with a single PUT request.
- The exploit relies on file-based session persistence in its default storage location and requires writes through the default servlet to be enabled (it is read-only by default), together with a deserialization vulnerability.
- Detection is difficult for Web Application Firewalls (WAFs) due to the base64 encoding and the two-step nature of the attack.
Source: https://securityonline.info/tomcat-flaw-cve-2025-24813-exploited-in-the-wild-poc-released/