Full Report
The New Zealand Computer Emergency Response Team (CERT NZ) has issued an urgent security advisory warning of a critical vulnerability, CVE-2025-24813, that affects several versions of Apache Tomcat. The flaw carries serious security risks, including remote code execution (RCE), information disclosure, and content corruption. It is present in Apache Tomcat 9.x, 10.x, and 11.x, and certain configurations make systems particularly susceptible to attack.

According to the advisory, the flaw could allow an unauthenticated attacker to upload a malicious serialized payload to a vulnerable server. If specific conditions are met, the attacker can then execute arbitrary code on the server.

The vulnerability lies in Apache Tomcat's default servlet, which handles HTTP requests. Improper handling of file uploads by the default servlet could be exploited to execute harmful code or gain access to sensitive information. The issue is particularly concerning because it could lead to remote code execution or allow attackers to manipulate or corrupt sensitive data.

## Affected Versions

The vulnerability affects the following versions of Apache Tomcat:

- Apache Tomcat 11.0.0-M1 to 11.0.2
- Apache Tomcat 10.1.0-M1 to 10.1.34
- Apache Tomcat 9.0.0.M1 to 9.0.98

These versions are vulnerable to CVE-2025-24813 only if they also meet the additional conditions outlined in the vendor advisory. Applications running on these versions are at risk if they allow file uploads with partial PUT support enabled, especially where attackers can influence file paths and the configuration is insecure.

## How Attackers Could Exploit CVE-2025-24813

Exploiting CVE-2025-24813 requires specific conditions. To view sensitive files or inject malicious content into them, all of the following must be true:

- Writes are enabled for the default servlet (disabled by default).
- Partial PUT support is enabled (enabled by default).
- The target URL for sensitive uploads is located within a sub-directory of a public upload location.
- The attacker knows the names of the sensitive files being uploaded.
- The sensitive files are themselves uploaded via partial PUT.

For an attacker to gain remote code execution, two further conditions must be met:

- The application uses Tomcat's file-based session persistence with the default storage location.
- The application includes a library that could be used in a deserialization attack.

The New Zealand CERT also noted that a proof-of-concept (PoC) and reports of active exploitation have already surfaced, making this flaw even more pressing for anyone running a vulnerable version.

## Why You Should Be Concerned

The severity of CVE-2025-24813 cannot be overstated. Because it allows remote code execution and information disclosure, organizations could face severe consequences, including unauthorized execution of arbitrary code, exposure of sensitive data, or corruption of vital application files. The flaw is particularly dangerous because it is relatively easy to exploit once the conditions for partial PUT support and the other configuration prerequisites are met. For organizations that rely on Apache Tomcat to serve Java applications, the risk of exposure is significant, and immediate action is required.

## How to Protect Your Systems

To mitigate the risks associated with CVE-2025-24813, Apache Tomcat users are advised to upgrade to a release that fixes the vulnerability:

- Apache Tomcat 11.0.3 or later
- Apache Tomcat 10.1.35 or later
- Apache Tomcat 9.0.99 or later

Upgrading to one of these versions ensures that systems are no longer vulnerable to this flaw. Additionally, system administrators should follow best practices for securing their Tomcat configurations, including disabling unnecessary features and ensuring that file upload capabilities are appropriately configured.
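As an added example (not from CERT NZ, the article, or the Tomcat project), the script below audits an install for the two things the advisory ties together: whether the version falls in an affected range, and whether `conf/web.xml` enables writes on the default servlet while partial PUT remains allowed. It assumes the stock `conf/web.xml` layout and Tomcat's documented DefaultServlet init-params `readonly` and `allowPartialPut`; the web.xml fragment is constructed for the demonstration.

```python
import re
import xml.etree.ElementTree as ET

# Fixed releases from the advisory, keyed by branch; older releases on the same
# branch (milestones included) fall in the affected ranges the advisory lists.
FIXED = {(9, 0): "9.0.99", (10, 1): "10.1.35", (11, 0): "11.0.3"}

def parse_version(v):
    """'9.0.98', '10.1.0-M1' or '9.0.0.M1' -> sortable tuple; milestones sort first."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {v!r}")
    major, minor, patch, ms = m.groups()
    return (int(major), int(minor), int(patch), 1 if ms is None else 0, int(ms or 0))

def is_affected_version(v):
    """True when v is on a listed branch and older than that branch's fixed release."""
    t = parse_version(v)
    return t[:2] in FIXED and t < parse_version(FIXED[t[:2]])

def default_servlet_params(web_xml_text):
    """Init-params of the DefaultServlet declaration, ignoring the XML namespace."""
    local = lambda el: el.tag.rsplit("}", 1)[-1]
    for servlet in ET.fromstring(web_xml_text).iter():
        if local(servlet) != "servlet":
            continue
        cls = next((c.text or "" for c in servlet if local(c) == "servlet-class"), "")
        if cls.strip().endswith(".DefaultServlet"):
            kvs = [{local(c): (c.text or "").strip() for c in ip}
                   for ip in servlet if local(ip) == "init-param"]
            return {kv.get("param-name"): kv.get("param-value") for kv in kvs}
    return {}

def partial_put_write_exposed(web_xml_text):
    """Advisory preconditions: readonly=false AND allowPartialPut absent/true (default)."""
    p = default_servlet_params(web_xml_text)
    return (p.get("readonly", "true").lower() == "false"
            and p.get("allowPartialPut", "true").lower() != "false")

# Constructed conf/web.xml fragment (Tomcat 10/11 namespace) with writes switched on;
# assumption: the deployment keeps the stock DefaultServlet declaration here.
SAMPLE_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""
```

Run `is_affected_version` against the output of `version.sh` and `partial_put_write_exposed` against the real `conf/web.xml`; either returning `True` is a finding to act on.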
## Conclusion

CVE-2025-24813 is actively being exploited, with a proof of concept confirmed by the NCSC. To mitigate risks, organizations should upgrade to Apache Tomcat versions 11.0.3, 10.1.35, or 9.0.99, disable unnecessary features, monitor for suspicious activity, and apply security patches promptly. As Apache Tomcat is widely used, keeping systems updated is crucial to avoid remote code execution, information disclosure, and content corruption.
Analysis Summary
# Vulnerability: Critical Apache Tomcat Flaw Under Active Exploitation (CVE-2025-24813)
## CVE Details
- CVE ID: CVE-2025-24813
- CVSS Score: Not explicitly provided, but described as "Critical" and under "Active Exploitation."
- CWE: Not explicitly provided, implied to relate to improper content handling or file operations.
## Affected Systems
- Products: Apache Tomcat
- Versions: All versions prior to the fixed releases listed below.
- Configurations: Systems where conditions for partial PUT support and other specific configurations are met.
## Vulnerability Description
This vulnerability allows for potential remote code execution (RCE), disclosure of sensitive data, or corruption of vital application files within Apache Tomcat instances. The flaw is considered dangerous due to its relative ease of exploitation when specific configuration conditions (like partial PUT support) are met.
## Exploitation
- Status: Actively being exploited in the wild. Proof of Concept (PoC) has been confirmed by the NCSC.
- Complexity: Low (implied by the description "relatively easy for attackers to exploit").
- Attack Vector: Likely Network, given the described severity and the nature of Tomcat vulnerabilities, though not explicitly stated.
## Impact
- Confidentiality: Disclosure of sensitive data.
- Integrity: Potential corruption of vital application files.
- Availability: Potential impact via Remote Code Execution.
## Remediation
### Patches
Organizations are strongly advised to upgrade to the following versions:
* Apache Tomcat 11.0.3 or later
* Apache Tomcat 10.1.35 or later
* Apache Tomcat 9.0.99 or later
### Workarounds
* Disable unnecessary features in Tomcat configurations.
* Ensure that file upload capabilities are appropriately configured and restricted.
## Detection
- Monitoring for suspicious activity associated with executing remote code or unexpected file modifications within the Tomcat environment.
- Closely inspecting network traffic and logs for exploitation attempts targeting file handling or PUT requests, especially on instances where partial PUT support is enabled.
## References
- Vendor Advisories: Apache Tomcat Security Advisories (Implied)
- Relevant links:
- hxxps://thecyberexpress.com/advisory-for-apache-tomcat-vulnerability/