A severe security vulnerability, identified as CVE-2025-24813, has been uncovered in Apache Tomcat, a cornerstone open-source technology powering countless Java-based web applications and servers worldwide. The newly disclosed flaw stems from the way Tomcat handles specific file paths, particularly those containing "internal dots" like "file.Name", and could allow malicious actors to bypass existing security measures, with consequences including remote code execution (RCE), unauthorized information access, and the injection of harmful content.
The vulnerability impacts a wide range of Tomcat versions: 11.0.0-M1 through 11.0.2, 10.1.0-M1 through 10.1.34, and 9.0.0.M1 through 9.0.98. In response to this critical discovery, the Apache Software Foundation has swiftly released patches, urging all users to upgrade to versions 11.0.3, 10.1.35, or 9.0.99 without delay.
Understanding the Exploit: A Path to Compromise
According to insights shared by Cyber Advising, the root of CVE-2025-24813 lies in a "path equivalence" issue within Tomcat's default servlet. Under specific, albeit non-default, configurations, Tomcat can mishandle file uploads made via HTTP PUT requests, opening a dangerous door for attackers.
Exploitation of this vulnerability is contingent on a combination of factors, including:
- Write-Enabled Default Servlet: The readonly parameter of the default servlet must be set to false, allowing write access.
- Enabled Partial PUT Requests: The server must permit partial PUT requests (via the Content-Range header), which is enabled by default.
- File-Based Session Persistence: Tomcat needs to be configured to store user sessions on the file system, rather than in memory or a database (a non-default setting).
- Vulnerable Deserialization Libraries: The application must contain libraries susceptible to deserialization attacks.
- Attacker Knowledge: The attacker needs prior knowledge of the naming conventions and locations of sensitive files on the server.
Unfolding the Attack Chain: From Upload to Remote Control
An attack typically unfolds in two stages:
Malicious Session File Upload: An attacker sends a crafted HTTP PUT request containing a malicious Java serialized payload, specifically targeting the server's session storage directory. For instance:

    PUT /webapps/ROOT/WEB-INF/sessions/SESSIONID.ser HTTP/1.1
    Host: vulnerable-tomcat
    Content-Range: bytes 0-99/100
    Content-Type: application/octet-stream
Triggering Remote Code Execution: Following the upload, the attacker sends a GET request with a JSESSIONID cookie referencing the previously uploaded malicious session file:

    GET / HTTP/1.1
    Host: vulnerable-tomcat
    Cookie: JSESSIONID=SESSIONID
When Tomcat attempts to deserialize this malicious session file, the embedded arbitrary code is executed with the privileges of the Tomcat process, granting the attacker control over the server.
Risk Assessment and Impact
While the vulnerability carries a critical CVSS score of 9.8/10, its exploitation does necessitate specific, non-default configurations, primarily a write-enabled default servlet and file-based session persistence. However, the cybersecurity community has already witnessed the public release of proof-of-concept (PoC) exploit code, with observed attacks occurring within a mere 30 hours of the vulnerability disclosure. This rapid weaponization significantly elevates the risk profile.
The potential impacts of a successful exploitation are severe and multifaceted, including:
- Complete remote code execution (RCE) on the server.
- Unauthorized access to sensitive files and data.
- Injection of harmful content into legitimate uploaded files.
- Corruption of critical server configuration files.
- Significant data breaches and potential for lateral movement within affected networks.
Have a look at the Risk Factor table below:

Condition | Default Value | Exploitation Required | Risk Contribution
--- | --- | --- | ---
Default servlet readonly=false | False | True | High
Partial PUT requests enabled | True | True | High
File-based session persistence | False | True | High
Vulnerable deserialization library present | N/A | True | High
Attacker knows file names/structure | N/A | True | Medium
Urgent Recommendations for Mitigation
Given Tomcat's pervasive use, immediate action is paramount to prevent widespread exploitation. Organizations are strongly advised to:
- Upgrade Apache Tomcat immediately to one of the patched versions: 11.0.3, 10.1.35, or 9.0.99.
- Maintain the default servlet readonly parameter at true, which prevents unauthorized write access via PUT requests.
- Disable partial PUT requests if they are not a functional requirement for your application.
- Avoid using file-based session persistence whenever possible. If unavoidable, ensure that writable directories are strictly segregated from session storage locations.
- Remove any unnecessary deserialization libraries from your application classpath to reduce the attack surface.
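The first three hardening items above are all visible in two files of a Tomcat installation: the default servlet's init-params in conf/web.xml (or a web application's WEB-INF/web.xml) and the session Manager/Store in context.xml. The following audit script is an added example written for this page, not code from the Apache Tomcat project or the advisory. It parses constructed samples of a weak configuration and a hardened one and reports which of the Risk Factor conditions they satisfy. The `readonly` parameter and the `PersistentManager`/`FileStore` classes are standard Tomcat configuration; the `allowPartialPut` init-param is assumed here to be the switch for partial PUT support in the patched releases and should be verified against the DefaultServlet documentation for your exact version.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a conf/web.xml fragment with the default servlet switched to
# write-enabled (readonly=false), the non-default setting the advisory warns about.
WEAK_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>
"""

# Constructed sample: the same servlet with readonly restored to true and partial PUTs
# disabled (assumption: allowPartialPut is the init-param name in patched releases).
HARDENED_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>allowPartialPut</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>
"""

# Constructed context.xml samples: file-based session persistence vs. the default manager.
WEAK_CONTEXT_XML = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore" directory="sessions"/>
  </Manager>
</Context>
"""
HARDENED_CONTEXT_XML = "<Context></Context>\n"


def _local(tag):
    """Strip an XML namespace prefix such as {http://xmlns.jcp.org/xml/ns/javaee}."""
    return tag.rsplit('}', 1)[-1]


def default_servlet_params(web_xml):
    """Return the init-params declared on the servlet named 'default'."""
    params = {}
    for servlet in ET.fromstring(web_xml).iter():
        if _local(servlet.tag) != 'servlet':
            continue
        names = [(c.text or '').strip() for c in servlet if _local(c.tag) == 'servlet-name']
        if names != ['default']:
            continue
        for init_param in servlet:
            if _local(init_param.tag) != 'init-param':
                continue
            name = value = None
            for child in init_param:
                if _local(child.tag) == 'param-name':
                    name = (child.text or '').strip()
                elif _local(child.tag) == 'param-value':
                    value = (child.text or '').strip()
            if name:
                params[name] = value
    return params


def uses_file_store(context_xml):
    """True if any <Store> element uses Tomcat's FileStore (file-based session persistence)."""
    return any(_local(el.tag) == 'Store' and el.get('className', '').endswith('.FileStore')
               for el in ET.fromstring(context_xml).iter())


def audit(web_xml, context_xml):
    """Return the Risk Factor conditions present in the given configuration."""
    findings = []
    params = default_servlet_params(web_xml)
    # Tomcat's default for readonly is true, so an absent parameter is the safe case.
    if params.get('readonly', 'true').lower() == 'false':
        findings.append('default servlet is write-enabled (readonly=false)')
    # Partial PUT support is on unless explicitly switched off.
    if params.get('allowPartialPut', 'true').lower() != 'false':
        findings.append('partial PUT requests enabled')
    if uses_file_store(context_xml):
        findings.append('file-based session persistence (PersistentManager + FileStore)')
    return findings


if __name__ == '__main__':
    print('weak:', audit(WEAK_WEB_XML, WEAK_CONTEXT_XML))
    print('hardened:', audit(HARDENED_WEB_XML, HARDENED_CONTEXT_XML))
```

Run it against your own conf/web.xml and context.xml contents; any non-empty result corresponds to a "True" row in the table above. Because the script checks only the named servlet and Store class names, a configuration that sets readonly=false on a per-application web.xml or uses a custom Store subclass needs a review of that file as well.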
For organizations unable to upgrade immediately, it is crucial to implement all recommended configuration hardening steps and diligently monitor server logs for any unusual PUT requests or session-related activity.
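To make the log-monitoring advice concrete, here is an added example (not from the advisory or the Tomcat project) that scans Tomcat access log lines for the traits described earlier: PUT requests at all, PUT requests carrying a Content-Range header (a partial PUT), and target file names with an "internal dot" such as file.Name.ext. The sample lines are constructed, and they assume an AccessLogValve pattern of '%h %l %u %t "%r" %s %b "%{Content-Range}i"' so that the Content-Range request header is logged; the stock pattern does not include it, so add that field before relying on the second check.

```python
import re
from collections import Counter

# Constructed sample access log lines (pattern '%h %l %u %t "%r" %s %b "%{Content-Range}i"').
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2025:14:02:11 +0000] "GET /index.jsp HTTP/1.1" 200 1532 "-"
203.0.113.7 - - [10/Mar/2025:14:03:40 +0000] "PUT /uploads/report.pdf HTTP/1.1" 201 0 "-"
203.0.113.9 - - [10/Mar/2025:14:05:02 +0000] "PUT /uploads/notes.txt.session HTTP/1.1" 409 0 "bytes 0-99/100"
203.0.113.9 - - [10/Mar/2025:14:05:03 +0000] "GET / HTTP/1.1" 500 0 "-"
203.0.113.9 - - [10/Mar/2025:14:05:20 +0000] "PUT /uploads/notes.txt.session HTTP/1.1" 409 0 "bytes 0-199/200"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "(?P<range>[^"]*)"$'
)


def parse_line(line):
    """Split one access log line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def has_internal_dot(path):
    """True when the file name contains a dot before its final extension (file.Name.ext)."""
    name = path.rsplit('/', 1)[-1]
    stem = name.rsplit('.', 1)[0]
    return '.' in stem


def reasons_for(entry):
    """List why a parsed request is worth a second look; empty for ordinary traffic."""
    if entry['method'] != 'PUT':
        return []
    # Any PUT handled by the default servlet is unusual when readonly should be true.
    reasons = ['PUT request (write access to static content is rarely needed)']
    if entry['range'] not in ('', '-'):
        reasons.append('partial PUT (Content-Range: %s)' % entry['range'])
    if has_internal_dot(entry['path']):
        reasons.append('internal dot in file name')
    return reasons


def scan(log_text):
    """Return the flagged requests from a block of access log text."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = reasons_for(entry)
        if reasons:
            flagged.append({'ip': entry['ip'], 'ts': entry['ts'],
                            'path': entry['path'], 'reasons': reasons})
    return flagged


def puts_per_client(flagged):
    """Count flagged requests per client address to spot repeated attempts."""
    return Counter(f['ip'] for f in flagged)


if __name__ == '__main__':
    hits = scan(SAMPLE_LOG)
    for hit in hits:
        print(hit['ts'], hit['ip'], hit['path'], '; '.join(hit['reasons']))
    print('flagged per client:', dict(puts_per_client(hits)))
```

A plain PUT from a trusted upload workflow will show up with a single reason; the combination of a partial PUT and an internal-dot file name from one client, repeated within seconds, is the pattern that deserves an immediate look at the session store directory and the Tomcat process.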
In essence, CVE-2025-24813 represents a high-impact, easily exploitable vulnerability in Apache Tomcat. Despite requiring specific configurations, the availability of public exploit code and observed active scanning efforts make prompt patching and a comprehensive review of all Tomcat deployments critical.