Attack Chain Analysis: Apache Tomcat Vulnerability (CVE-2025-24813) Exploited in the Wild
Cyber-AppSec
3 min read · Mar 17, 2025
On March 17, 2025, cybersecurity researchers reported active exploitation of a critical remote code execution (RCE) and information disclosure vulnerability in Apache Tomcat (CVE-2025-24813). Just 30 hours after public disclosure, attackers began leveraging a publicly available proof-of-concept (PoC) to compromise vulnerable systems.
The flaw affects multiple Tomcat versions and allows unauthenticated attackers to either read security-sensitive files or execute arbitrary code under specific conditions. Exploitation hinges on Tomcat’s partial PUT request handling and session persistence mechanism, making it a high-risk vulnerability for organizations using affected versions.
Below is an analysis of the attack chain and methods employed by attackers.
1. Initial Access — Identifying Vulnerable Targets
Attackers scan for publicly accessible Apache Tomcat servers running affected versions (9.0.0-M1 to 9.0.98, 10.1.0-M1 to 10.1.34, 11.0.0-M1 to 11.0.2).
Exploitation requires partial PUT support enabled (enabled by default).
Attackers check if writes are enabled for the default servlet (disabled by default).
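As an added example (not code from the article), here is a defender-side Python audit for the preconditions listed in step 1: whether an instance's version falls inside the affected ranges, and whether the default servlet's `readonly` and `allowPartialPut` init-params (Tomcat's DefaultServlet names for write support and partial PUT support) have been changed from their defaults in `conf/web.xml`. The embedded web.xml is a constructed sample, and the version parser also accepts the older `9.0.0.M1` milestone spelling.

```python
import re
import xml.etree.ElementTree as ET
# Affected ranges as listed in the article (inclusive). Milestone "-Mn" builds sort below GA.
AFFECTED = [("9.0.0-M1", "9.0.98"), ("10.1.0-M1", "10.1.34"), ("11.0.0-M1", "11.0.2")]
# Constructed sample of a conf/web.xml where an admin has made the default servlet writable.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name><servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>
"""

def parse_version(v):
    """'10.1.0-M1' or '9.0.0.M1' -> sortable tuple; a GA build ranks above its milestones."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[-.]M(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {v!r}")
    major, minor, patch, milestone = m.groups()
    return (int(major), int(minor), int(patch), 0 if milestone else 1, int(milestone or 0))

def is_affected_version(v):
    t = parse_version(v)
    return any(parse_version(lo) <= t <= parse_version(hi) for lo, hi in AFFECTED)

def default_servlet_params(web_xml_text):
    """Init-params of the DefaultServlet, starting from Tomcat's defaults (read-only, partial PUT on)."""
    params = {"readonly": "true", "allowPartialPut": "true"}
    root = ET.fromstring(web_xml_text)
    ns = {"j": root.tag[1:].split("}")[0]} if root.tag.startswith("{") else {}
    p = "j:" if ns else ""
    for servlet in root.findall(f".//{p}servlet", ns):
        if not servlet.findtext(f"{p}servlet-class", "", ns).endswith("DefaultServlet"):
            continue
        for ip in servlet.findall(f"{p}init-param", ns):
            name = ip.findtext(f"{p}param-name", "", ns).strip()
            if name:
                params[name] = ip.findtext(f"{p}param-value", "", ns).strip()
    return params

def exposure(version, web_xml_text):
    """Which of the article's step-1 preconditions hold; all three true means patch and harden now."""
    params = default_servlet_params(web_xml_text)
    writable = params["readonly"].lower() == "false"
    partial_put = params["allowPartialPut"].lower() != "false"
    affected = is_affected_version(version)
    return {"affected_version": affected, "default_servlet_writable": writable,
            "partial_put_enabled": partial_put, "all_preconditions_met": affected and writable and partial_put}
```

Run `exposure("10.1.34", open("conf/web.xml").read())` against a real instance; a `default_servlet_writable` of `True` on an affected version is the configuration the article describes attackers probing for.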