VTA-004508 – Critical Apache Tomcat Vulnerability Exposes Servers to Remote Code Execution
A newly discovered remote code execution (RCE) vulnerability, CVE-2025-24813, has been found in Apache Tomcat, a widely used web application server. This flaw allows attackers to execute arbitrary code on affected systems without needing authentication, potentially giving them full control over the server. As Tomcat is commonly used in enterprise environments, this vulnerability poses a significant security risk. Threat actors have already begun exploiting the flaw, particularly targeting industries such as finance, healthcare, and government.
The issue arises from how Tomcat processes partial HTTP PUT requests, leaving a security gap that attackers can abuse. The affected versions are Tomcat 11.0.0-M1 to 11.0.2, 10.1.0-M1 to 10.1.34, and 9.0.0-M1 to 9.0.98. Exploitation involves sending specially crafted PUT requests that bypass security checks and place a base64-encoded Java payload in session storage. The payload is then executed by sending a GET request whose JSESSIONID cookie points to the session storage file holding it, resulting in malicious code execution. Security researchers have published proof-of-concept exploits, and scanning for vulnerable servers has increased as a result.
To protect against this vulnerability, organizations should immediately update Tomcat to the latest patched version released by the Apache Software Foundation or mitigate this by reverting their servlet configuration to its default settings. Additional security measures include blocking suspicious HTTP requests, enabling detailed logging and monitoring, restricting the privileges of the Tomcat service account, and deploying web application firewalls (WAFs). Applying these fixes promptly is crucial to preventing unauthorized access and potential system compromise.
Severity:
Medium
Attack Surface:
Web Application
Tactics:
Execution, Initial Access, Persistence
Techniques:
T1190 – Exploit Public-Facing Application
T1059 – Command and Scripting Interpreter
T1203 – Exploitation for Client Execution
T1505 – Server Software Component
References:
1. https://www.bleepingcomputer.com/news/security/critical-rce-flaw-in-apache-tomcat-actively-exploited-in-attacks/
SuperPRO’s Threat Countermeasures Procedures:
1. Apply the latest security patches for Apache Tomcat to address the RCE vulnerability.
2. Disable partial PUT support to prevent attackers from exploiting the vulnerability.
3. Isolate Tomcat servers from critical internal networks to limit lateral movement.
4. Restrict access to Tomcat management interfaces and enforce strong authentication mechanisms.
5. Deploy a WAF to filter malicious traffic targeting the Tomcat server.
6. Enable detailed logging and monitor for unusual activity, such as unexpected command execution or file uploads.
7. Run Tomcat with the minimum required privileges to reduce the impact of exploitation.
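As an added example of the logging and monitoring step above (not from this advisory or any vendor tooling), this Python script runs over Tomcat access-log lines and flags the request sequence the advisory describes: a PUT (partial when a Content-Range header is present), a JSESSIONID cookie that is not a plain session id, and a GET carrying a session cookie shortly after a PUT from the same client. It assumes a custom AccessLogValve pattern of `%h %t "%r" %s %b "%{Content-Range}i" "%{Cookie}i"` (the `%{header}i` placeholder is a real AccessLogValve feature; the pattern itself is an assumption, not Tomcat's default). The sample log lines are constructed.

```python
import re
from datetime import datetime, timedelta

# ASSUMED AccessLogValve pattern in server.xml (not Tomcat's default):
#   %h %t "%r" %s %b "%{Content-Range}i" "%{Cookie}i"
LINE_RE = re.compile(
    r'^(?P<host>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<range>[^"]*)" "(?P<cookie>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Tomcat session ids are hex (32 chars by default), optionally followed by ".jvmRoute".
SESSION_ID_RE = re.compile(r"^[0-9A-Fa-f]{16,}(\.[\w-]+)?$")

# Constructed sample log lines (not captured from a real server).
SAMPLE_LOG = """\
203.0.113.7 [10/Mar/2025:10:15:32 +0000] "PUT /app/upload.txt HTTP/1.1" 201 - "bytes 0-99/200" "-"
203.0.113.7 [10/Mar/2025:10:15:34 +0000] "GET /app/ HTTP/1.1" 200 512 "-" "JSESSIONID=zz/upload"
198.51.100.4 [10/Mar/2025:10:16:01 +0000] "GET /app/index.html HTTP/1.1" 200 1432 "-" "JSESSIONID=0123456789ABCDEF0123456789ABCDEF.node1"
198.51.100.4 [10/Mar/2025:10:16:05 +0000] "POST /app/login HTTP/1.1" 302 - "-" "JSESSIONID=0123456789ABCDEF0123456789ABCDEF.node1"
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match the pattern."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    sid = re.search(r"JSESSIONID=([^;]+)", rec["cookie"])
    rec["session"] = sid.group(1) if sid else None
    return rec


def detect(lines, window=timedelta(seconds=120)):
    """Return (host, rule, detail) alerts for the request pattern the advisory describes."""
    alerts = []
    last_put = {}  # client host -> timestamp of its most recent PUT
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        host, ts = rec["host"], rec["ts"]
        if rec["method"] == "PUT":
            # Any PUT reaching the DefaultServlet is suspect; a Content-Range header marks a partial PUT.
            kind = "partial PUT" if rec["range"] != "-" else "PUT"
            alerts.append((host, "write-request", f"{kind} to {rec['path']} status {rec['status']}"))
            last_put[host] = ts
            continue
        sid = rec["session"]
        if sid and not SESSION_ID_RE.match(sid):
            # A JSESSIONID that is not a plain session id is the cookie misuse the advisory describes.
            alerts.append((host, "malformed-jsessionid", sid))
        if rec["method"] == "GET" and sid and host in last_put and ts - last_put[host] <= window:
            delay = int((ts - last_put[host]).total_seconds())
            alerts.append((host, "put-then-get-with-session", f"GET {rec['path']} {delay}s after PUT"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(*alert)
```

On the sample, the first client produces all three alerts while the second client, with a well-formed session id and no PUT, produces none. The `write-request` rule will also fire on legitimate WebDAV or upload traffic, so tune it with an allow-list of paths that are expected to accept PUT; the other two rules have far lower base rates and are the ones worth paging on.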
Contributed by: Tasneem