Apache Tomcat Vulnerability Under Attack Just 30 Hours After Disclosure
A newly revealed flaw in Apache Tomcat, dubbed CVE-2025-24813, is already being exploited in the wild—less than two days after a public proof-of-concept (PoC) dropped. Disclosed only 30 hours ago, this vulnerability has cybersecurity experts sounding the alarm as attackers waste no time targeting unpatched systems.
Which Versions Are at Risk?
The flaw affects the following Apache Tomcat releases:
11.0.0-M1 to 11.0.2
10.1.0-M1 to 10.1.34
9.0.0-M1 to 9.0.98
What’s the Problem?
CVE-2025-24813 opens the door to remote code execution (RCE) or sensitive information disclosure under specific conditions:
Default servlet write access is enabled (disabled by default).
Partial PUT support is active (enabled by default).
A security-sensitive upload URL is a subdirectory of a public upload URL.
The attacker knows the names of sensitive files being uploaded.
Those files are uploaded via partial PUT requests.
If exploited, attackers can peek at confidential files or inject malicious content using a simple PUT request. But it gets worse—full-blown RCE is possible if:
The app uses Tomcat’s default file-based session persistence.
A vulnerable library is present for a deserialization attack.
Fixes Are Out, But Attacks Are Already Here
The Tomcat team patched this flaw in versions 9.0.99, 10.1.35, and 11.0.3, as announced in an advisory last week. Yet, cybersecurity firm Wallarm reports active exploitation attempts in the wild. “This attack hijacks Tomcat’s session persistence and partial PUT features,” Wallarm explained.
How the Exploit Works
The attack unfolds in two slick moves:
The attacker sends a PUT request with a Base64-encoded serialized Java payload, planting it in Tomcat’s session storage directory.
A follow-up GET request, using a crafted JSESSIONID, triggers deserialization—executing the malicious code.
What’s alarming? It’s dead simple to pull off—no authentication required. The only catch is that Tomcat must use file-based session storage. Wallarm warns, “Partial PUT handling lets attackers upload almost anything anywhere. Soon, they’ll pivot to dropping malicious JSP files, tweaking configs, or planting backdoors beyond session storage.”
Why It’s a Big Deal
This isn’t just a session storage glitch—it’s a flaw in how Tomcat processes partial PUTs, making it a goldmine for attackers. With a public PoC out there, exploitation is trivial and likely to spike fast.
What Should You Do?
If you’re running an affected Tomcat version, update to 9.0.99, 10.1.35, or 11.0.3 immediately. Don’t wait—attackers are already on the move.
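As an added illustration (not code from the article, Wallarm or the Tomcat project), here is a short Python audit that checks a Tomcat version string against the affected ranges listed above and reads the default servlet's init-params from a web.xml; `readonly` is the real DefaultServlet parameter, while the `allowPartialPut` parameter name and the sample web.xml are assumptions made for this example.

```python
import re
import xml.etree.ElementTree as ET

# Affected ranges per major branch as ((minor, patch) start, (minor, patch) end), from the advisory summary above.
AFFECTED = {11: ((0, 0), (0, 2)), 10: ((1, 0), (1, 34)), 9: ((0, 0), (0, 98))}

def parse_version(v):
    """Return (major, minor, patch, milestone) for '9.0.98' or '11.0.0-M1'; milestones sort before the final release."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {v!r}")
    major, minor, patch, ms = m.groups()
    return int(major), int(minor), int(patch), int(ms) if ms else float("inf")

def is_affected(v):
    """True if the version lies inside one of the affected ranges (milestones included)."""
    major, minor, patch, ms = parse_version(v)
    if major not in AFFECTED:
        return False
    (lo_minor, lo_patch), (hi_minor, hi_patch) = AFFECTED[major]
    return (lo_minor, lo_patch, 0) <= (minor, patch, ms) <= (hi_minor, hi_patch, float("inf"))

def default_servlet_params(web_xml_text):
    """Return the init-params of the servlet named 'default' in a web.xml document."""
    root = ET.fromstring(web_xml_text)
    for el in root.iter():  # strip namespaces so any servlet-spec version parses the same
        el.tag = el.tag.split("}", 1)[-1]
    for servlet in root.iter("servlet"):
        if servlet.findtext("servlet-name", "").strip() == "default":
            return {p.findtext("param-name", "").strip(): p.findtext("param-value", "").strip()
                    for p in servlet.iter("init-param")}
    return {}

def audit(version, web_xml_text):
    """Return the CVE-2025-24813 preconditions that hold for this install (empty list = none)."""
    findings = []
    if is_affected(version):
        findings.append(f"version {version} is in an affected range")
    params = default_servlet_params(web_xml_text)
    if params.get("readonly", "true").lower() == "false":  # Tomcat's default is readonly=true
        findings.append("default servlet write access enabled (readonly=false)")
    if params.get("allowPartialPut", "true").lower() != "false":  # assumed param name; on by default
        findings.append("partial PUT support active (default)")
    return findings

# Constructed sample conf/web.xml fragment carrying the weak setting (not from any real install).
WEAK_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"><servlet><servlet-name>default</servlet-name>
  <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
  <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
</servlet></web-app>"""
```

Running `audit("9.0.98", WEAK_WEB_XML)` reports all three preconditions; an install on a fixed version with `readonly` left at its default reports only that partial PUT is still on.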