Learn about CVE-2025-24813 affecting Apache Tomcat products. Patch now to prevent remote code execution.
# Vulnerability: Apache Tomcat Path Equivalence Vulnerability Leading to RCE
## CVE Details
- CVE ID: CVE-2025-24813
- CVSS Score: Not explicitly stated, but described as **critical** with **Remote Code Execution (RCE)** risk.
- CWE: Path Equivalence Vulnerability (Implied)
## Affected Systems
- Products: Apache Tomcat
- Versions:
  * 11.0.0-M1 to 11.0.2
  * 10.1.0-M1 to 10.1.34
  * 9.0.0.M1 to 9.0.98
  * 8.5.x: 8.5.0 to 8.5.98, and 8.5.100 (8.5.99 is not affected)
- Configurations: exploitation requires specific, though sometimes default, settings:
  * The default servlet must have write access enabled (disabled by default).
  * Partial PUT support must be enabled (enabled by default).
  * For RCE: the application uses Tomcat's file-based session persistence with the default storage location.
  * For viewing or injecting into security-sensitive files: the target upload URL is a subdirectory of the public uploads directory, and the attacker knows the names of the sensitive files.
## Vulnerability Description
CVE-2025-24813 is a path equivalence vulnerability stemming from how Apache Tomcat handles partial PUT requests. This flaw allows remote, unauthenticated attackers to potentially achieve **Remote Code Execution (RCE)** via deserialization of a specially crafted payload. Additionally, under specific upload directory conditions, attackers can view and inject content into security-sensitive files.
The RCE attack chain consists of a PUT request carrying a Base64-encoded serialized Java payload, followed by a GET request with a crafted `JSESSIONID` cookie that triggers deserialization of that payload and code execution.
## Exploitation
- Status: **Exploitation attempts observed in the wild**. Multiple PoCs are publicly available.
- Complexity: **Medium** (Requires specific configuration conditions, though some conditions are default settings like partial PUT support).
- Attack Vector: **Network** (Remote, unauthenticated access).
## Impact
- Confidentiality: **High** (Ability to view security-sensitive files).
- Integrity: **High** (Ability to inject content into files and achieve RCE).
- Availability: **High** (System compromise via RCE).
## Remediation
### Patches
Users must upgrade to one of the following fixed versions:
- Version **11.0.3**
- Version **10.1.35**
- Version **9.0.99**
- The 8.5.x branch is end of life (EoL); upgrade to a supported branch of Apache Tomcat.
### Workarounds
- Implement **network-level controls** to restrict access to the Tomcat server if immediate upgrading is not possible.
## Detection
- **Indicators of Compromise (IoCs):**
  * Presence of unexpected JSP files in the web server root directory.
  * External POST or GET requests targeting suspicious JSP files.
  * Unexpected PUT requests in web server logs.
  * Evidence of malicious payloads delivered via PUT requests.
  * Triggered WAF rules related to unauthorized file uploads or execution.
- **Detection Methods and Tools:**
  * A Nuclei template provided by Insikt Group, referenced in the advisory, for testing instances for the vulnerability.
## References
- Vendor advisories: none explicitly cited as a primary source; this summary is based on an Insikt Group analysis published after disclosure.
- Relevant links:
  * Information regarding PoCs available from Palo Alto Networks and GitHub user iSee857 (URLs defanged).