Tuesday, March 18, 2025
Apache Tomcat

CVE-2025-24813
Apache Tomcat Flaw Exploited In The Wild

CVE-2025-24813, a critical remote code execution vulnerability, is actively exploited, enabling attackers to control vulnerable Apache Tomcat servers with a single PUT API request, reports Wallarm.

The exploit, shared by a user on a Chinese forum, takes advantage of Tomcat’s default session persistence and its ability to handle partial PUT requests. “Attackers need just one PUT API request to take over vulnerable Apache Tomcat servers,” the report emphasizes.

The attack unfolds in two steps:

1. The attacker uploads a malicious serialized Java session file through a PUT request, so that it is written into Tomcat’s session storage directory.

2. The attacker then sends a GET request with a malicious JSESSIONID, which triggers deserialization of the uploaded session file and executes the embedded Java code.

This can be done by an unauthenticated attacker when all of the following conditions hold:

The application has servlet write access enabled (disabled by default).
Tomcat uses file-based session persistence with the default storage location.
The application contains a library that can be abused during deserialization.

The report emphasizes how easy and dangerous this exploit is: “This attack is very simple to execute and requires no authentication.” The common use of file-based session storage in Tomcat deployments amplifies the risk.

The report highlights that base64 encoding enables exploits to evade standard security filters, complicating detection by Web Application Firewalls (WAFs). It explains that most WAFs fail to identify this type of attack because the PUT request appears normal, lacks evident malicious content, and is encoded in base64, making it hard to detect patterns. Additionally, the attack involves two steps, with the harmful part executing only during deserialization. Most WAFs do not thoroughly inspect uploaded files or monitor multi-step exploits.
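Because the harmful step only fires at deserialization time, the useful signal for a defender is the two-step shape itself rather than the content of either request. The following is an added example (not from the Wallarm report or this article): it correlates, per client, a PUT followed shortly by a GET that carries a JSESSIONID cookie, and separately lists every PUT, since a PUT against a path served by the DefaultServlet is unusual on its own. The log lines are constructed and use a simplified access-log layout whose last field is the session cookie value; a real Tomcat AccessLogValve pattern would need to emit that field (for example with `%{JSESSIONID}c`) for this to work.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real traffic). Fields: client IP, timestamp,
# request line, status, JSESSIONID cookie value or "-" when no cookie was sent.
SAMPLE_LOG = """\
203.0.113.7 [18/Mar/2025:10:00:01 +0000] "PUT /app/uploads/report.txt HTTP/1.1" 201 -
203.0.113.7 [18/Mar/2025:10:00:04 +0000] "GET /app/index.jsp HTTP/1.1" 200 AAAA1111
198.51.100.3 [18/Mar/2025:10:01:00 +0000] "GET /app/index.jsp HTTP/1.1" 200 BBBB2222
198.51.100.3 [18/Mar/2025:10:01:05 +0000] "POST /app/login HTTP/1.1" 302 BBBB2222
192.0.2.9 [18/Mar/2025:10:02:00 +0000] "PUT /app/x HTTP/1.1" 409 -
192.0.2.9 [18/Mar/2025:10:40:00 +0000] "GET /app/y HTTP/1.1" 200 CCCC3333
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<jsessionid>\S+)$'
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def put_requests(log_text):
    """Every PUT seen, regardless of outcome. Against a DefaultServlet-backed
    path any PUT is unusual and worth a look on its own."""
    return [(r["ip"], r["path"], r["status"])
            for r in map(parse_line, log_text.splitlines())
            if r and r["method"] == "PUT"]


def find_put_then_get(log_text, window_seconds=300):
    """Return (ip, put_path, get_path) for each client that issued a PUT and,
    within window_seconds afterwards, a GET carrying a JSESSIONID cookie."""
    puts = defaultdict(list)  # ip -> [(timestamp, path), ...]
    hits = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["method"] == "PUT":
            puts[rec["ip"]].append((rec["ts"], rec["path"]))
        elif rec["method"] == "GET" and rec["jsessionid"] != "-":
            for put_ts, put_path in puts[rec["ip"]]:
                gap = (rec["ts"] - put_ts).total_seconds()
                if 0 <= gap <= window_seconds:
                    hits.append((rec["ip"], put_path, rec["path"]))
    return hits


if __name__ == "__main__":
    print("PUT requests:", put_requests(SAMPLE_LOG))
    print("PUT-then-GET within 5 min:", find_put_then_get(SAMPLE_LOG))
```

On the sample data only the first client trips the correlation; the third client's GET arrives 38 minutes after its PUT, outside the default 5-minute window, so widening the window trades noise for recall. The correlation says nothing about what was uploaded, which is the point: it catches the multi-step shape that a single-request WAF rule misses.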

The following versions of Apache Tomcat are impacted:

11.0.0-M1 <= Apache Tomcat <= 11.0.2
10.1.0-M1 <= Apache Tomcat <= 10.1.34
9.0.0.M1 <= Apache Tomcat <= 9.0.98

The following versions are unaffected:

Apache Tomcat >= 11.0.3
Apache Tomcat >= 10.1.35
Apache Tomcat >= 9.0.99
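Comparing a deployed version against the ranges above is easy to get wrong because the lower bounds are milestone builds (11.0.0-M1, 9.0.0.M1) that sort before the GA build with the same number. The checker below is an added example, not from the article or the Tomcat project; the treatment of milestone suffixes (both the `-M1` and `.M1` spellings) is my own assumption about their ordering, and it generalizes the three listed ranges into one function that reports affected, fixed, or not covered by the text above.

```python
import re

# Inclusive affected ranges per branch, exactly as listed in the article.
AFFECTED = {
    11: ("11.0.0-M1", "11.0.2"),
    10: ("10.1.0-M1", "10.1.34"),
    9: ("9.0.0.M1", "9.0.98"),
}

# Accepts "9.0.98", "11.0.0-M1" and "9.0.0.M1" (assumed milestone spellings).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[-.]M(\d+))?$")


def parse_version(s):
    """Return a sortable tuple (major, minor, patch, is_ga, milestone).
    A milestone gets is_ga=0 so it sorts before the GA build of the same number."""
    m = VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version string: {s!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def is_affected(version):
    """True if inside an affected range, False if at or past the fix,
    None if the branch (e.g. 8.5.x) is not covered by the ranges above."""
    v = parse_version(version)
    rng = AFFECTED.get(v[0])
    if rng is None:
        return None
    low, high = (parse_version(x) for x in rng)
    return low <= v <= high


if __name__ == "__main__":
    for ver in ("9.0.98", "9.0.99", "11.0.0-M1", "11.0.3", "10.1.35", "8.5.100"):
        print(ver, "->", is_affected(ver))
```

A `None` result is deliberately distinct from `False`: a branch the advisory text does not mention is not thereby known to be safe, and should be checked against the vendor's own advisory rather than assumed fixed.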

Users who can’t upgrade right away can implement these temporary measures:

Set the readonly parameter in the conf/web.xml file to true, or comment it out (if doing so does not affect services).
Disable the PUT method and restart the Tomcat service.
Set org.apache.catalina.session.PersistentManager to false.
