The Cybersecurity and Infrastructure Security Agency (CISA) has identified a critical vulnerability in Apache Tomcat, tracked as CVE-2025-24813, which is being actively exploited. The flaw, rated with a CVSS score of 9.8, stems from a path equivalence issue that allows remote attackers to execute arbitrary code, access sensitive data, or inject harmful content on unpatched versions of Apache Tomcat.
The vulnerability originates from improper handling of partial PUT requests, enabling unauthenticated attackers to achieve remote code execution through a well-constructed attack chain. According to Wallarm researchers, the flaw is not exploitable in every deployment, but the attack becomes straightforward when certain conditions are met. The issue affects Apache Tomcat versions 11.0.0-M1 to 11.0.2, 10.1.0-M1 to 10.1.34, and 9.0.0.M1 to 9.0.98. In the 8.5.x branch, versions 8.5.0 to 8.5.98 and version 8.5.100 are also vulnerable.
Attackers exploit this vulnerability by sending a PUT request carrying a Base64-encoded serialized Java payload, followed by a GET request with a manipulated "JSESSIONID" cookie, which triggers deserialization of that payload and remote code execution. The attack depends on several conditions being true at once: the default servlet is enabled with write permissions, partial PUT requests are allowed, file-based session persistence is in use, and a deserialization-vulnerable library is present on the classpath.
CISA has added CVE-2025-24813 to its Known Exploited Vulnerabilities Catalog. By April 22, Federal Civilian Executive Branch agencies must address this issue in compliance with Binding Operational Directive 22-01. Although the directive targets federal agencies, all organizations are advised to update to the latest patched versions (9.0.99, 10.1.35, or 11.0.3) to reduce exposure.
To mitigate this risk, organizations should disable unnecessary HTTP methods, enforce strong access controls, deploy Web Application Firewalls (WAFs), and implement continuous monitoring. Should patching be unfeasible immediately, disabling write permissions on the default servlet offers temporary protection.
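The preconditions listed above (writable default servlet, partial PUT allowed, file-based session persistence, vulnerable version) all live in a handful of Tomcat configuration files, so a defender can check for them mechanically. The following Python script is an added example, not code from the original article, from CISA or from the Tomcat project. It audits a `conf/web.xml` for the DefaultServlet's `readonly` and `allowPartialPut` init-params, a `context.xml` for a `PersistentManager` backed by a `FileStore`, and compares a Tomcat version string against the affected ranges stated in the article. The sample XML documents embedded below are constructed for illustration; the init-param and class names are the ones Tomcat documents, and the defaults assumed when a parameter is absent (`readonly=true`, `allowPartialPut=true`) are Tomcat's documented defaults.

```python
"""Audit Tomcat configuration for the CVE-2025-24813 preconditions.

Added example (not from the article or the Tomcat project). It reports
which of the conditions that make the flaw exploitable are present so a
defender can prioritise patching or apply the readonly=true workaround.
"""
import re
import xml.etree.ElementTree as ET

DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"


def _local(tag):
    """Strip an XML namespace: '{https://jakarta.ee/...}servlet' -> 'servlet'."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    """Text of the first direct child with the given local name, or None."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def default_servlet_params(web_xml):
    """Return {param-name: param-value} for the DefaultServlet in web.xml."""
    root = ET.fromstring(web_xml)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        if _child_text(servlet, "servlet-class") != DEFAULT_SERVLET:
            continue
        params = {}
        for p in servlet:
            if _local(p.tag) == "init-param":
                params[_child_text(p, "param-name")] = _child_text(p, "param-value")
        return params
    return {}


def uses_file_store(context_xml):
    """True if context.xml configures PersistentManager with a FileStore."""
    root = ET.fromstring(context_xml)
    for manager in root.iter():
        if _local(manager.tag) != "Manager":
            continue
        if not manager.get("className", "").endswith("PersistentManager"):
            continue
        for store in manager:
            if _local(store.tag) == "Store" and store.get("className", "").endswith("FileStore"):
                return True
    return False


def is_affected_version(version):
    """Compare a Tomcat version against the ranges given in the article.

    Milestone builds such as 11.0.0-M1 are treated as their base version,
    which matches the article's ranges that begin at M1.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[.-]M\d+)?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    if (major, minor) == (11, 0):
        return patch <= 2
    if (major, minor) == (10, 1):
        return patch <= 34
    if (major, minor) == (9, 0):
        return patch <= 98
    if (major, minor) == (8, 5):
        return patch <= 98 or patch == 100
    return False


def audit(version, web_xml, context_xml):
    """Return the list of exploitation preconditions found in this deployment."""
    findings = []
    if is_affected_version(version):
        findings.append(f"Tomcat {version} is in an affected range")
    params = default_servlet_params(web_xml)
    # Tomcat defaults: readonly=true, allowPartialPut=true when not set.
    if params.get("readonly", "true").strip().lower() == "false":
        findings.append("DefaultServlet is writable (readonly=false)")
    if params.get("allowPartialPut", "true").strip().lower() != "false":
        findings.append("partial PUT requests are allowed (allowPartialPut=true)")
    if uses_file_store(context_xml):
        findings.append("file-based session persistence (PersistentManager + FileStore)")
    return findings


# Constructed sample configuration: a vulnerable deployment.
WEB_XML_VULNERABLE = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""

# Constructed sample: the temporary workaround from the article applied.
WEB_XML_HARDENED = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>allowPartialPut</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""

CONTEXT_XML_FILESTORE = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore"/>
  </Manager>
</Context>"""

CONTEXT_XML_DEFAULT = "<Context/>"

if __name__ == "__main__":
    for finding in audit("10.1.34", WEB_XML_VULNERABLE, CONTEXT_XML_FILESTORE):
        print("FINDING:", finding)
```

Run against a real server by reading `$CATALINA_BASE/conf/web.xml` and `conf/context.xml` (and the per-application `META-INF/context.xml` files) and taking the version from `bin/version.sh`. An empty findings list from a patched version with `readonly=true` is the target state; a writable servlet on an affected version with a `FileStore` is the combination the article describes.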
In summary, this critical Apache Tomcat vulnerability requires immediate attention because it is already being exploited. Security experts urge organizations to patch affected systems and adopt the additional measures described above. The case underlines the ongoing need for proactive security practices and timely updates.