Threat Actors Rapidly Exploit New Apache Tomcat Flaw Following PoC Release

In a disturbing turn of events, threat actors have begun exploiting a recently disclosed Apache Tomcat vulnerability just 30 hours after public proof-of-concept (PoC) exploit code was released. The issue, tracked as CVE-2025-24813, is a path equivalence flaw that allows remote code execution or information disclosure when specific conditions are met.

The Vulnerability

The Apache Tomcat vulnerability affects multiple versions, including 11.0.0-M1 to 11.0.2, 10.1.0-M1 to 10.1.34, and 9.0.0.M1 to 9.0.98. Exploitation requires a write-enabled default servlet, partial PUT support, and specific file handling conditions. The vulnerability was originally discovered by a Chinese forum user, iSee857, who published the PoC exploit code.

How the Attack Works

The attack exploits Tomcat's session persistence and partial PUT requests by uploading a malicious Java session file and then triggering its deserialization via a GET request. "This attack is dead simple to execute and requires no authentication," warn Wallarm researchers. The only requirement is that Tomcat is using file-based session storage, which is common in many deployments.

Why the Attack is Challenging to Detect

The attack is challenging to detect because it uses base64 encoding to bypass most traditional security filters. "Worse, base64 encoding allows the exploit to evade pattern-based detection," concludes the advisory. Additionally, the attack proceeds in two steps, with code execution happening only during deserialization. Most Web Application Firewalls (WAFs) fail to detect it because the PUT request appears normal and lacks obvious malicious content.

Recommendations

Users are advised to update their affected Tomcat versions immediately to mitigate potential threats. According to Wallarm researchers, "Attackers can hijack Apache Tomcat servers with a single PUT API request." The urgency of this issue should not be underestimated, as organizations may not even notice the breach until it is too late.

Conclusion

The rapid exploitation of the new Apache Tomcat flaw following PoC release highlights the importance of staying vigilant in today's threat landscape. As security experts continue to monitor the situation, users must prioritize updating their vulnerable systems to prevent potential attacks.