Full Report
A critical remote code execution (RCE) vulnerability in Apache Tomcat tracked as CVE-2025-24813 is actively exploited in the wild, enabling attackers to take over servers with a simple PUT request. [...]
Analysis Summary
# Vulnerability: Critical RCE in Apache Tomcat via Partial PUT Operations
## CVE Details
- CVE ID: CVE-2025-24813
- CVSS Score: Not explicitly stated, but described as "Critical RCE"
- CWE: Not explicitly stated
## Affected Systems
- Products: Apache Tomcat
- Versions:
  - 11.0.0-M1 to 11.0.2
  - 10.1.0-M1 to 10.1.34
  - 9.0.0.M1 to 9.0.98
- Configurations: Requires specific conditions for exploitation:
  * Writes enabled for the default servlet (`readonly="false"`). (Disabled by default)
  * Support for partial PUT is enabled (Enabled by default).
  * Security-sensitive uploads occur in a sub-directory of a public upload directory.
  * Attacker knows the names of security-sensitive files being uploaded.
  * These security-sensitive files are being uploaded using partial PUT.
## Vulnerability Description
This is a Remote Code Execution (RCE) vulnerability. Under the specific conditions listed above, an attacker can view or inject arbitrary content into security-sensitive files by leveraging improper handling of partial PUT requests. The vulnerability is concerning because exploitation can be facilitated by base64 encoding, which can bypass many traditional security filters. Researchers warn this may be the first wave of RCEs stemming from Tomcat's partial PUT handling, potentially leading to attackers planting backdoors via JSP file uploads.
## Exploitation
- Status: Actively exploited in the wild
- Complexity: Implied to be achievable, given the active exploitation status and the bypass via base64 encoding.
- Attack Vector: Network (Remote exploitation is implied)
## Impact
- Confidentiality: High (Injection into security-sensitive files)
- Integrity: High (Ability to inject arbitrary content/code)
- Availability: High (Potential for system compromise leading to service disruption)
## Remediation
### Patches
Users should upgrade to the following patched versions:
- Tomcat 11.0.3+
- Tomcat 10.1.35+
- Tomcat 9.0.99+
### Workarounds
Users can mitigate by reverting to the default configuration or by disabling the features that the exploitation conditions depend on:
1. Revert the default servlet configuration to have writes disabled (`readonly="true"`).
2. Turn off partial PUT support.
3. Avoid storing security-sensitive files in a subdirectory of public upload paths.
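To check a host against the affected versions and the first two configuration conditions, the audit below is an added example, not code from Apache or the cited analysis. It assumes the default servlet is configured through `init-param` entries in a `web.xml`; the `allowPartialPut` parameter name comes from Tomcat's DefaultServlet documentation rather than this page, and the sample XML is constructed.

```python
import re
import xml.etree.ElementTree as ET

# Last affected patch level per release line, from the version list on this page.
LAST_AFFECTED = {(11, 0): 2, (10, 1): 34, (9, 0): 98}
DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"

def version_affected(version):
    """True if a Tomcat version string falls inside a listed affected range."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    major, minor, patch = map(int, m.groups())
    # Milestone suffixes (-M1, .M1) are ignored: each listed range starts at M1.
    last = LAST_AFFECTED.get((major, minor))
    return last is not None and patch <= last

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # strip the XML namespace, if present

def _children(elem):
    """Map each child's local tag name to its trimmed text."""
    return {_local(c.tag): (c.text or "").strip() for c in elem}

def default_servlet_params(web_xml_text):
    """Effective readonly / allowPartialPut for every DefaultServlet entry."""
    found = []
    for elem in ET.fromstring(web_xml_text).iter():
        fields = _children(elem)
        if _local(elem.tag) != "servlet" or fields.get("servlet-class") != DEFAULT_SERVLET:
            continue
        params = {"readonly": "true", "allowPartialPut": "true"}  # Tomcat defaults
        for child in elem:
            kv = _children(child)  # for init-param: param-name / param-value
            if kv.get("param-name") in params:
                params[kv["param-name"]] = kv.get("param-value", "").lower()
        found.append((fields.get("servlet-name"), params))
    return found

def exposed(version, web_xml_text):
    """Servlet names with writes and partial PUT both on, on an affected version."""
    if not version_affected(version):
        return []
    return [name for name, p in default_servlet_params(web_xml_text)
            if p["readonly"] == "false" and p["allowPartialPut"] == "true"]

# Constructed sample: default servlet with writes enabled, partial PUT left at default.
SAMPLE_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee"><servlet>
  <servlet-name>default</servlet-name>
  <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
  <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
</servlet></web-app>"""
```

A non-empty result from `exposed()` means the remaining conditions (where sensitive files are uploaded and how) still need a manual review; an empty result on an affected version does not replace upgrading.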
## Detection
- Indicators of Compromise (IOCs): Exploitation involves PUT requests that may use base64 encoding to inject content into sensitive files, possibly leading to the deployment of malicious JSP files or configuration modifications.
- Detection methods and tools: Monitoring for unusual PUT requests targeting specific directories or exhibiting suspicious encoding patterns; applying security filters capable of inspecting base64 payloads in HTTP requests.
## References
- Vendor Advisories: [Apache Security Bulletin](https://lists.apache.org/thread/j5fkjv2k477os90nczf2v9l61fb0kkgq)
- Relevant links: [Wallarm Analysis](https://lab.wallarm.com/one-put-request-to-own-tomcat-cve-2025-24813-rce-is-in-the-wild)