InfoSecBulletin Cybersecurity for mankind
CVE-2025-24813, a critical remote code execution vulnerability, is actively exploited, enabling attackers to control vulnerable Apache Tomcat servers with a single PUT API request, reports Wallarm.
The exploit, shared by a user on a Chinese forum, takes advantage of Tomcat’s default session persistence and its ability to handle partial PUT requests. “Attackers need just one PUT API request to take over vulnerable Apache Tomcat servers,” the report emphasizes.
Russia detects first SuperCard malware attacks via NFC
Income Property Investments exposes 170,000+ Individuals record
ALERT (CVE: 2023-28771)
Zyxel Firewalls Under Attack via CVE-2023-28771 by 244 IPs
CISA Flags Active Exploits in Apple iOS and TP-Link Routers
10K Records Allegedly from Mac Cloud Provider’s Customers Leaked Online
Canada 2nd largest airlines “WestJet” investigates cyberattack disrupting internal systems
Paraguay 7.4 Million Citizen Records Leaked on Dark Web
High-Severity Flaw in HashiCorp Nomad Allows Privilege Escalation
SoftBank: Over 137,000 personal info leaked
Alert
Trend Micro Apex One Flaw Allow Attackers to Inject Malicious Code
The attack unfolds in two steps:
The attacker uploads a harmful Java session file through a PUT request, saving it in Tomcat’s session storage directory.
An attacker can exploit a vulnerability by sending a GET request with a malicious JSESSIONID, triggering deserialization and executing embedded Java code.
This can be done by an unauthenticated attacker under certain conditions.
The application has servlet write enabled (disabled by default).
Tomcat uses file session persistence and a default storage location.
The application contains a deserialization exploitation library.
The report emphasizes how easy and dangerous this exploit is: “This attack is very simple to execute and requires no authentication.” The common use of file-based session storage in Tomcat deployments amplifies the risk.
The report highlights that base64 encoding enables exploits to evade standard security filters, complicating detection by Web Application Firewalls (WAFs). It explains that most WAFs fail to identify this type of attack because the PUT request appears normal, lacks evident malicious content, and is encoded in base64, making it hard to detect patterns. Additionally, the attack involves two steps, with the harmful part executing only during deserialization. Most WAFs do not thoroughly inspect uploaded files or monitor multi-step exploits.
The following versions of Apache Tomcat are impacted:
11.0.0-M1 <= Apache Tomcat <= 11.0.2
10.1.0-M1 <= Apache Tomcat <= 10.1.34
9.0.0.M1 <= Apache Tomcat <= 9.0.98
The following versions are unaffected:
Apache Tomcat >= 11.0.3
Apache Tomcat >= 10.1.35
Apache Tomcat >= 9.0.99
Users who can’t upgrade right away can implement these temporary measures:
Set the readonly parameter in the conf/web.xml file to true or comment it out (if it does not affect services).
Disable the PUT method and restart the Tomcat service
Set org.apache.catalina.session.PersistentManager to false
