CVE-2025-24813 - [KEV] - CVSS 9.8
Overview
CVE-2025-24813 is a critical path equivalence vulnerability in Apache Tomcat that enables unauthenticated remote attackers to achieve remote code execution, disclose sensitive information, or inject malicious content through a crafted partial PUT request. The flaw stems from inconsistent handling of file paths when Tomcat processes partial PUT uploads, allowing an attacker to write files to locations that bypass intended access controls. Under specific configurations—where the default servlet has write enabled (readonly=false), partial PUTs are supported, file-based session persistence is in use with a session storage location accessible via uploads, and the application includes a deserialization-vulnerable library on its classpath—the vulnerability is escalated to unauthenticated RCE via Java session deserialization.
The CVSS base score is 9.8 (Critical), and the EPSS score of 0.942 reflects an extremely high likelihood of exploitation in the wild. CISA added the CVE to its Known Exploited Vulnerabilities (KEV) catalog on April 1, 2025, confirming active in-the-wild abuse.
Affected Products
- Apache Tomcat – impacted versions include 11.0.0-M1 through 11.0.2, 10.1.0-M1 through 10.1.34, and 9.0.0.M1 through 9.0.98. Fixed in 11.0.3, 10.1.35, and 9.0.99.
- Debian Linux – distributions shipping affected Tomcat packages.
- NetApp Bootstrap OS – bundled Tomcat component.
- NetApp HCI Compute Node – bundled Tomcat component.
Exploitation Evidence
- A public proof-of-concept exploit titled "Apache Tomcat 11.0.3 - Remote Code Execution" is published on Exploit-DB, providing a working attack chain.
- The exploitation pattern observed in the wild involves a two-stage HTTP request: first, a partial PUT writes a serialized Java payload into Tomcat's session storage directory (e.g., as a .session file under a path the servlet treats as equivalent); second, a GET request with a manipulated JSESSIONID cookie referencing the uploaded session triggers deserialization and arbitrary code execution.
- Inclusion in CISA KEV (added 2025-04-01) confirms active exploitation against production systems.
ATT&CK Mapping
No formal ATT&CK mappings are present in the database, but the observed exploitation behavior aligns with the following techniques:
- T1190 – Exploit Public-Facing Application: Initial access via an internet-exposed Tomcat instance.
- T1505.003 – Server Software Component: Web Shell: Attackers can stage persistent payloads through file write primitives.
- T1059 – Command and Scripting Interpreter: Post-deserialization command execution in the Tomcat JVM context.
- T1203 – Exploitation for Client Execution / Deserialization Abuse: Leveraging vulnerable gadget chains on the classpath to execute code during session deserialization.
Threat Actor Context
No specific threat actor attribution is available in the database at this time. However, given the trivial exploitability, public PoC availability, EPSS above 0.94, and KEV listing, exploitation is expected from a broad range of actors including opportunistic botnet operators, cryptominers, initial access brokers, and ransomware affiliates targeting exposed Java application servers.
Recommended Actions
- Patch immediately to Apache Tomcat 11.0.3, 10.1.35, or 9.0.99 or later. Apply vendor-specific updates from Debian and NetApp as they become available.
- Disable HTTP PUT on the default servlet by ensuring readonly is set to true (the default) in conf/web.xml. Do not enable write access on internet-facing instances.
- Avoid file-based session persistence (PersistentManager with FileStore) in environments where uploads cannot be tightly controlled; prefer in-memory or database-backed session stores.
- Audit classpath dependencies for known deserialization gadget chains (e.g., Commons Collections, Commons BeanUtils) and remove or upgrade vulnerable libraries.
- Inspect logs for anomalous PUT requests, especially those targeting paths under session storage directories or containing path traversal/equivalence patterns (e.g., trailing dots, alternate separators). Review GET requests with unusual JSESSIONID values.
- Deploy WAF rules to block or alert on partial PUT requests (those containing Content-Range headers) to Tomcat endpoints where uploads are not legitimately required.
- Restrict network exposure of Tomcat management and application endpoints to trusted networks; place them behind authenticated reverse proxies where feasible.
- Hunt for compromise: search for unexpected .session files, anomalous Tomcat child processes, outbound connections from the Tomcat JVM, and newly written JSPs or webshells under deployed webapp directories.
- Comply with CISA KEV remediation timelines for federal civilian executive branch agencies and treat remediation as a priority for all organizations.
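As an added illustration of the log-inspection guidance above (example code written for this summary, not from Apache Tomcat or any vendor), the following Python scans Tomcat access-log lines for the request patterns this advisory describes: partial PUTs, PUTs to session-file or path-equivalence paths, and GETs carrying a malformed JSESSIONID. It assumes an AccessLogValve pattern of `%h %l %u %t "%r" %s %b "%{Content-Range}i" "%{JSESSIONID}c"` so that the Content-Range header and session cookie are logged (the default pattern does not include them); the log lines are constructed samples.

```python
import re

# Assumed (non-default) AccessLogValve pattern:
#   %h %l %u %t "%r" %s %b "%{Content-Range}i" "%{JSESSIONID}c"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<content_range>[^"]*)" "(?P<jsessionid>[^"]*)"$'
)
# A normal Tomcat session id: 32 upper-case hex chars, optionally ".jvmRoute".
NORMAL_SID = re.compile(r'^[0-9A-F]{32}(\.[A-Za-z0-9_-]+)?$')
# Session-file names and the traversal/equivalence tokens the advisory lists:
# ".session" suffix, "..", encoded dot/slash/backslash, backslash, trailing dot,
# and ";" path parameters.
SUSPICIOUS_PATH = re.compile(r'(\.session(/|$)|/\.\.|%2e|%2f|%5c|\\|\.$|;)', re.I)

def classify(line):
    """Return the list of reasons a log line is suspicious (empty if benign)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return ["unparseable line"]
    reasons = []
    method, path = m["method"], m["path"]
    if method == "PUT":
        if m["content_range"] not in ("", "-"):
            reasons.append("partial PUT (Content-Range present)")
        if SUSPICIOUS_PATH.search(path):
            reasons.append("PUT to path with session-file/equivalence pattern")
    if (method == "GET" and m["jsessionid"] not in ("", "-")
            and not NORMAL_SID.match(m["jsessionid"])):
        reasons.append("GET with malformed JSESSIONID")
    return reasons

def scan(lines):
    """Return (line, reasons) for every line that triggers at least one rule."""
    return [(l, r) for l in lines if (r := classify(l))]

# Constructed sample log: one benign GET, one benign PUT, then a partial PUT to a
# .session path followed by a GET whose session cookie is not a Tomcat session id.
SAMPLE_LOG = """\
203.0.113.5 - - [02/Apr/2025:10:01:02 +0000] "GET /index.jsp HTTP/1.1" 200 512 "-" "0123456789ABCDEF0123456789ABCDEF"
203.0.113.9 - - [02/Apr/2025:10:01:05 +0000] "PUT /uploads/report.txt HTTP/1.1" 201 0 "-" "-"
198.51.100.7 - - [02/Apr/2025:10:02:11 +0000] "PUT /uploads/x.session HTTP/1.1" 409 0 "bytes 0-999/1200" "-"
198.51.100.7 - - [02/Apr/2025:10:02:12 +0000] "GET /index.jsp HTTP/1.1" 500 0 "-" "../uploads/x"
"""

if __name__ == "__main__":
    for line, reasons in scan(SAMPLE_LOG.splitlines()):
        print(", ".join(reasons), "<-", line)
```

Treat hits as triage leads, not verdicts: a legitimate WebDAV or upload application can issue partial PUTs, so correlate with the hunt items above (unexpected .session files, JVM child processes).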