CVE-2025-24813 Remote Code Execution (RCE) Vulnerability in Apache Tomcat with partial PUT

Published On: Mar 20, 2025 10:36

Advisory No: TZCERT-SA-25-0072

Source: Apache

Software Affected: Apache Tomcat

Overview

Apache has released security patches to address a critical vulnerability in Apache Tomcat (CVE-2025-24813). Exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.

Description

CVE-2025-24813 is a critical remote code execution (RCE) vulnerability in Apache Tomcat, arising from improper handling of uploaded session files and deserialization processes. An attacker can exploit this flaw by uploading a malicious payload to a writable directory, which is then processed and executed by the server. The vulnerability affects Tomcat versions 9.0.0.M1–9.0.98, 10.1.0-M1–10.1.34, and 11.0.0-M1–11.0.2. Exploitation requires a specific combination of conditions: write permissions enabled for the default servlet, partial PUT requests enabled, and file-based session persistence.

Impact

Successful exploitation of this vulnerability can lead to arbitrary code execution, potentially allowing attackers to take full control of the affected server. This can result in data breaches, system compromise, and further attacks within the network.

Solution

Apache has released security updates in Tomcat versions 9.0.99, 10.1.35, and 11.0.3. Users and administrators are strongly advised to upgrade to these patched versions immediately to prevent potential exploitation. Furthermore, it is recommended to disable write permissions for the default servlet unless explicitly required and to conduct a comprehensive review of server configurations to ensure a secure deployment.
