Source: Tomcat PUT to active abuse as Apache deals with critical RCE flaw | CSO Online
Author: unknown
URL: https://www.csoonline.com/article/3847956/tomcat-put-to-active-abuse-as-apache-deals-with-critical-rce-flaw.html
ONE SENTENCE SUMMARY:
A critical RCE vulnerability in Apache Tomcat (CVE-2025-24813) is actively exploited, allowing attackers to gain remote control via PUT requests.
MAIN POINTS:
- Apache Tomcat has a critical remote code execution (RCE) vulnerability (CVE-2025-24813) under active exploitation.
- Attackers began using a public proof-of-concept (PoC) exploit just 30 hours after disclosure.
- Exploitation requires only a single PUT API request to compromise vulnerable servers.
- PUT requests appear normal and use base64 encoding to evade detection.
- The attack leverages Tomcat’s session persistence and partial PUT request handling.
- Malicious session files uploaded via PUT requests execute remote code upon deserialization.
- The attack is unauthenticated and works if Tomcat uses file-based session storage.
- Affected versions include Tomcat 11.0.0-M1 to 11.0.2, 10.1.0-M1 to 10.1.34, and 9.0.0-M1 to 9.0.98.
- Fixed versions are 11.0.3 or later, 10.1.35 or later, and 9.0.99 or later.
- Attackers may soon escalate to uploading malicious JSP files and modifying configurations.
TAKEAWAYS:
- Organizations using vulnerable Tomcat versions should upgrade to fixed versions immediately.
- The attack method is simple, requiring no authentication for exploitation.
- Detecting the attack is difficult due to the normal appearance of PUT requests.
- Future attacks may involve broader abuse beyond session storage manipulation.
- Security teams should monitor for suspicious PUT requests and improve detection mechanisms.
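As an added example that is not part of the CSO article, the following Python triage script reads Tomcat access-log lines in the AccessLogValve "common" pattern (`%h %l %u %t "%r" %s %b`), flags every PUT request, and rates those the server accepted with a 2xx status (the write succeeded) above rejected probes (e.g. 405). The log lines are constructed for the example.

```python
import re
from dataclasses import dataclass

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)$'
)


@dataclass
class PutFinding:
    host: str
    time: str
    path: str
    status: int
    severity: str  # "high": server stored the body; "low": write was refused


def classify_put(line: str):
    """Return a PutFinding for a PUT request line, or None for any other line."""
    m = LOG_RE.match(line)
    if not m or m.group("method") != "PUT":
        return None
    status = int(m.group("status"))
    # A 2xx answer to PUT means the DefaultServlet accepted a write, which is the
    # precondition for the session-file abuse; 403/405 means writes are disabled.
    severity = "high" if 200 <= status < 300 else "low"
    return PutFinding(m.group("host"), m.group("time"), m.group("path"), status, severity)


def scan(lines):
    """Return all PUT findings in log order."""
    return [f for f in (classify_put(line) for line in lines) if f]


# Constructed sample log lines (not from a real incident)
SAMPLE_LOG = """\
10.0.0.5 - - [18/Mar/2025:10:01:02 +0000] "GET /index.jsp HTTP/1.1" 200 1234
203.0.113.7 - - [18/Mar/2025:10:01:09 +0000] "PUT /upload/report HTTP/1.1" 201 0
203.0.113.7 - - [18/Mar/2025:10:01:10 +0000] "GET /index.jsp HTTP/1.1" 200 1234
198.51.100.9 - - [18/Mar/2025:10:02:44 +0000] "PUT /docs/x HTTP/1.1" 405 0
""".splitlines()

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.severity}] {f.host} PUT {f.path} -> {f.status} at {f.time}")
```

Any "high" finding on a server that should never accept PUT is worth a direct look at the DefaultServlet write setting and the session store directory.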