Full Report
A newly revealed RCE vulnerability in Apache Tomcat is under active exploitation, just 30 hours after its public disclosure and the release of a PoC. The successful exploitation of CVE-2025-24813 gives adversaries the green light to remotely execute code on targeted systems by leveraging unsafe deserialization. Detect CVE-2025-24813 Exploitation Attempts With the sharp increase in […] The post CVE-2025-24813 Detection: Apache Tomcat RCE Vulnerability Actively Exploited in the Wild appeared first on SOC Prime.
Analysis Summary
# Vulnerability: Apache Tomcat Remote Code Execution (RCE) Actively Exploited
## CVE Details
- CVE ID: CVE-2025-24813
- CVSS Score: Not given in the source text. The flaw yields remote code execution over the network and is exploited in the wild, so it should be triaged as **High** priority regardless of the eventual score.
- CWE: Not given in the source text. The summary attributes the RCE to unsafe deserialization, which corresponds to CWE-502 (Deserialization of Untrusted Data).
## Affected Systems
- Products: Apache Tomcat
- Versions (the source text's figures are internally inconsistent; the ranges below follow the Apache announcement linked under References):
  - 11.0.0-M1 through 11.0.2 (fixed in 11.0.3)
  - 10.1.0-M1 through 10.1.34 (fixed in 10.1.35)
  - 9.0.0.M1 through 9.0.98 (fixed in 9.0.99)
  - 8.5.x: the source gives both "8.5.101" and "8.5.0 to 8.5.99", which cannot both be right. The 8.5 branch reached end of life in March 2024, so hosts still on it should move to a supported branch rather than wait for an 8.5 release.
- Configurations: Not a default installation. The write path requires the DefaultServlet to have writes enabled (`readonly` init-param set to `false`; the shipped default is `true`) with partial PUT support enabled (the default before the fix). The RCE outcome described on this page additionally requires file-based session persistence (PersistentManager with a FileStore, at its default location) and a library on the application classpath that can be leveraged in a deserialization attack.
## Vulnerability Description
The vulnerability is a Remote Code Execution (RCE) flaw in Apache Tomcat's handling of partial PUT requests by the DefaultServlet (the GreyNoise tag under References names it "partial PUT"). When writes are enabled, a partial PUT leaves a temporary file whose name is derived from the request path in Tomcat's work directory. If file-based session persistence keeps its session files in that same directory, an attacker can upload a serialized Java object as such a file and then present its name as a session identifier, causing Tomcat to deserialize attacker-controlled bytes, which is the "unsafe deserialization" the summary refers to. The result is arbitrary code execution on the host running Tomcat; under narrower conditions the same flaw also allows reading or corrupting files uploaded by other users.
## Exploitation
- Status: **Exploited in the wild** (observed by GreyNoise researchers; a public PoC existed within about 30 hours of disclosure).
- Complexity: **Low** once the configuration preconditions above hold; the widespread, automated attempts GreyNoise observed show it needs no target-specific tuning.
- Attack Vector: **Network** (unauthenticated HTTP requests to the Tomcat listener).
## Impact
- Confidentiality: High (code runs with the privileges of the Tomcat process, which typically reaches application data, credentials and session state)
- Integrity: High (arbitrary code execution; the same flaw can also corrupt uploaded files)
- Availability: High (an attacker with code execution can stop or destabilize the service)
## Remediation
### Patches
Organizations must immediately update to one of the following fixed versions or later:
- Apache Tomcat **11.0.3** or later (the source text's "11.0.35" is a transcription error; the announcement names 11.0.3)
- Apache Tomcat **10.1.35** or later
- Apache Tomcat **9.0.99** or later
- Apache Tomcat 8.5.x: no supported fixed release; the branch is end of life, so migrate to 9.0.99 or later
### Workarounds
The article treats patching as the primary mitigation. Where patching must wait, remove the preconditions instead: set the DefaultServlet's `readonly` init-param back to `true` in conf/web.xml (or delete the override, since `true` is the shipped default), which closes the PUT write path this bug depends on. If write access is genuinely required, do not pair it with file-based session persistence (PersistentManager with a FileStore), and monitor for the indicators listed below in the meantime.
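To make the version check and the configuration preconditions above mechanical, here is an added audit script (my example, not SOC Prime's or the Tomcat project's code). It compares a reported Tomcat version against the fixed releases and inspects a `conf/web.xml` and `context.xml` for the DefaultServlet `readonly` override and for file-backed session persistence. The XML snippets are constructed; the init-param name `allowPartialPut` is an assumption about the fixed releases' DefaultServlet and should be verified against your release's documentation.

```python
"""Audit a Tomcat host for CVE-2025-24813: version below the fixed release, plus the
configuration that turns the flaw into RCE. Added example, not SOC Prime's or the
Tomcat project's code. The XML snippets are constructed. Assumption: the
DefaultServlet init-param name allowPartialPut is as I recall it from the fixed
releases; verify against your release's DefaultServlet documentation."""
import re
import xml.etree.ElementTree as ET

# First fixed release per branch, from the Apache announcement. The 8.5 branch is
# end-of-life and has no entry, so it reports None ("no fix on this branch").
FIXED = {(11, 0): (11, 0, 3), (10, 1): (10, 1, 35), (9, 0): (9, 0, 99)}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[-.]M(\d+))?$")


def parse_version(ver):
    """'10.1.34' -> (10,1,34,1,0). Milestones sort before the GA release with the
    same number: '11.0.0-M26' -> (11,0,0,0,26), '9.0.0.M1' -> (9,0,0,0,1)."""
    m = VERSION_RE.match(ver.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {ver!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def is_vulnerable_version(ver):
    """True/False on the 11.0, 10.1 and 9.0 branches; None where no fix exists."""
    v = parse_version(ver)
    fixed = FIXED.get((v[0], v[1]))
    if fixed is None:
        return None
    return v < fixed + (1, 0)


def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the javaee/jakartaee namespace


def _child_text(elem, name):
    for c in elem:
        if _local(c.tag) == name:
            return (c.text or "").strip()
    return ""


def audit_web_xml(text):
    """Findings for the DefaultServlet <init-param>s in conf/web.xml."""
    findings = []
    for servlet in ET.fromstring(text).iter():
        if _local(servlet.tag) != "servlet":
            continue
        if _child_text(servlet, "servlet-class") != "org.apache.catalina.servlets.DefaultServlet":
            continue
        params = {_child_text(p, "param-name"): _child_text(p, "param-value")
                  for p in servlet if _local(p.tag) == "init-param"}
        if params.get("readonly", "true").lower() == "false":
            findings.append("readonly=false: DefaultServlet accepts PUT/DELETE (shipped default is true)")
        if params.get("allowPartialPut", "false").lower() == "true":  # assumed param name
            findings.append("allowPartialPut=true: partial PUT re-enabled on a fixed release")
    return findings


def audit_context_xml(text):
    """Findings for file-backed session persistence in context.xml."""
    findings = []
    for mgr in ET.fromstring(text).iter("Manager"):
        if mgr.get("className") != "org.apache.catalina.session.PersistentManager":
            continue
        if any(s.get("className", "").endswith("FileStore") for s in mgr.iter("Store")):
            findings.append("PersistentManager with FileStore: sessions are deserialized from files on disk")
    return findings


# Constructed samples: the weak setting, and the corrected form beside it.
WEAK_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""
SAFE_WEB_XML = WEAK_WEB_XML.replace("<param-value>false</param-value>", "<param-value>true</param-value>")
WEAK_CONTEXT_XML = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore"/>
  </Manager>
</Context>"""


def audit(version, web_xml, context_xml):
    """Combine the three checks into one report for a host."""
    return {"version": version,
            "vulnerable_version": is_vulnerable_version(version),
            "findings": audit_web_xml(web_xml) + audit_context_xml(context_xml)}


if __name__ == "__main__":
    for ver, web in (("10.1.34", WEAK_WEB_XML), ("10.1.35", SAFE_WEB_XML)):
        print(audit(ver, web, WEAK_CONTEXT_XML))
```

A host that reports a fixed version but still carries `readonly=false` together with a FileStore is worth flagging anyway: the write path remains open for the file-corruption variant and for any future bug in the same code, and the audit keeps those findings separate from the version verdict for that reason.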
## Detection
- Indicators of Compromise (IOCs): The page gives no file hashes or request signatures. GreyNoise tracks the source IPs behind exploitation attempts, which have targeted organizations in the U.S., Japan, India, South Korea, and Mexico; pull the current source list from the GreyNoise tag under References rather than from a static copy, since scanner infrastructure rotates.
- Detection methods and tools: In SIEM/XDR, look for HTTP PUT requests carrying a `Content-Range` header (the partial PUT the flaw depends on) against Tomcat hosts, and for subsequent requests from the same source presenting `JSESSIONID` values that do not match the format Tomcat's session-id generator issues. Tomcat's default access-log pattern records neither header, so the AccessLogValve pattern (or a reverse proxy in front of Tomcat) must be extended to capture them. SOC Prime offers curated detection rules targeting this specific threat.
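The correlation described above, as an added example (my code, not SOC Prime's rule content or anything from the Tomcat project). It parses access-log lines written with an AccessLogValve pattern of `%h %l %u %t "%r" %s %b "%{Content-Range}i" "%{Cookie}i"`, which is an assumption (the two trailing fields are not in Tomcat's default pattern), and raises a high-severity alert when one client sends a partial PUT and later presents a session id that does not look generator-issued. The log lines are constructed, and the session-id format check assumes Tomcat's default generator (32 uppercase hex characters, optionally followed by a `.jvmRoute` suffix).

```python
"""Correlate Tomcat access-log lines for CVE-2025-24813 exploitation attempts.
Added example, not SOC Prime's rules or Tomcat project code. Assumes the
AccessLogValve pattern: %h %l %u %t "%r" %s %b "%{Content-Range}i" "%{Cookie}i"
(the two trailing fields are not in Tomcat's default pattern). Log lines below
are constructed."""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<range>[^"]*)" "(?P<cookie>[^"]*)"$'
)
# Tomcat's default session-id generator emits 32 uppercase hex chars, optionally
# followed by ".<jvmRoute>" behind a load balancer. Assumption: no custom generator.
NORMAL_SESSION_ID = re.compile(r"^[0-9A-F]{32}(\.[A-Za-z0-9_-]+)?$")


def parse(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    jm = re.search(r"(?:^|;\s*)JSESSIONID=([^;\s]*)", ev["cookie"])
    ev["session_id"] = jm.group(1) if jm else None
    # A PUT with a Content-Range header is a partial PUT; "-" means header absent.
    ev["partial_put"] = ev["method"] == "PUT" and ev["range"] not in ("", "-")
    ev["odd_session"] = bool(ev["session_id"]) and not NORMAL_SESSION_ID.match(ev["session_id"])
    return ev


def analyze(lines):
    """'high': a client sent a partial PUT and later presented a non-generator session id.
    'medium': a partial PUT with no such follow-up (still unusual outside WebDAV apps)."""
    alerts = []
    puts = defaultdict(list)  # ip -> partial PUT events seen so far, in log order
    flagged = set()
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        ip = ev["ip"]
        if ev["partial_put"]:
            puts[ip].append(ev)
            continue
        if ev["odd_session"] and puts[ip] and ip not in flagged:
            flagged.add(ip)
            alerts.append({"severity": "high", "ip": ip,
                           "put_path": puts[ip][-1]["path"],
                           "session_id": ev["session_id"]})
    for ip, evs in puts.items():
        if evs and ip not in flagged:
            alerts.append({"severity": "medium", "ip": ip,
                           "put_path": evs[-1]["path"], "session_id": None})
    return alerts


# Constructed sample: one attempt with follow-up, one benign session, one lone partial PUT.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Mar/2025:10:15:01 +0000] "PUT /web/hello.session HTTP/1.1" 409 - "bytes 0-111/1000" "-"
203.0.113.7 - - [13/Mar/2025:10:15:02 +0000] "GET / HTTP/1.1" 200 1024 "-" "JSESSIONID=.web.hello"
198.51.100.4 - - [13/Mar/2025:10:16:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "JSESSIONID=3A1F5C9B2E7D4F6A8B1C2D3E4F5A6B7C"
192.0.2.9 - - [13/Mar/2025:10:17:30 +0000] "PUT /docs/upload.bin HTTP/1.1" 204 - "bytes 0-4095/8192" "-"
""".splitlines()


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

Applications that issue their own session ids, or WebDAV deployments where partial PUT is legitimate, will need the `NORMAL_SESSION_ID` pattern and the medium-severity rule tuned; the high-severity correlation, which needs both halves from one source, is the part worth paging on.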
## References
- Vendor Advisory: https://lists.apache.org/thread/j5fkjv2k477os90nczf2v9l61fb0kkgq
- Exploitation Monitoring (GreyNoise tag, scheme omitted as in the source): viz.greynoise.io/tags/apache-tomcat-partial-put-cve-2025-24813-rce-attempt?days=1