Cybersecurity Threat Advisory

A severe remote code execution (RCE) vulnerability in Apache Tomcat, identified as CVE-2025-24813, is actively exploited in the wild, allowing attackers to gain server control using a simple PUT request. Review the details in this Cybersecurity Threat Advisory to learn how to mitigate your risks.

What is the threat?

The Apache Tomcat vulnerability (CVE-2025-24813) arises from how the server handles file paths during partial PUT requests. When a file is uploaded, Tomcat creates a temporary file and replaces path separators (such as ‘/’ or ‘\’) with dots (‘.’). For example, an upload attempt to uploads/malicious/file.txt could create a file named uploads.malicious.file.txt.

While this method was designed to prevent path traversal attacks, it inadvertently creates a new vulnerability. Attackers can exploit this flaw by crafting filenames with dots, allowing them to bypass security measures and potentially manipulate or access files in unintended locations.

How the attack works:

  1. Malicious session file upload: The attacker uploads a specially crafted session file using a PUT request. They manipulate the filename and path to place the file in an accessible location.
  2. Triggering deserialization: The attacker sends a GET request with the malicious session ID, causing the server to load the file. This can lead to remote code execution on the server.
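The two steps above begin with a PUT that the server accepts. From the defender's side, the quickest check is whether any HTTP write method was ever answered with success in the Tomcat access log, because a hardened DefaultServlet refuses PUT and DELETE outright. The script below is an added example written for this advisory, not code from Barracuda or the Apache Tomcat project; it parses lines in the AccessLogValve `common` pattern and the log lines it scans are constructed, not from a real incident.

```python
"""Scan Tomcat access-log lines (AccessLogValve pattern="common") for HTTP
write methods. A PUT or DELETE answered with a 2xx status means the
DefaultServlet accepted a write, which a read-only deployment never does;
a 403/405 shows the write was attempted and refused.
Added example with constructed log lines; not part of the advisory."""
import re

# AccessLogValve pattern="common": %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)$'
)
WRITE_METHODS = {"PUT", "DELETE"}

# Constructed sample: one accepted write, one refused write, ordinary GETs.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Mar/2025:10:15:32 +0000] "GET /app/index.jsp HTTP/1.1" 200 1532
10.0.0.9 - - [18/Mar/2025:10:16:01 +0000] "PUT /app/uploads/report.txt HTTP/1.1" 201 -
10.0.0.9 - - [18/Mar/2025:10:16:05 +0000] "GET /app/index.jsp HTTP/1.1" 200 1532
10.0.0.7 - - [18/Mar/2025:10:17:44 +0000] "PUT /app/notes.txt HTTP/1.1" 403 -
"""


def parse_line(line):
    """Return the fields of one 'common' log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def audit_access_log(lines):
    """Return one finding per PUT/DELETE request, graded by the server's answer."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] not in WRITE_METHODS:
            continue
        status = int(rec["status"])
        if 200 <= status < 300:
            severity, note = "high", "write accepted: DefaultServlet is not read-only"
        elif status in (403, 405):
            severity, note = "info", "write attempted and refused"
        else:
            severity, note = "low", "write attempted, other status"
        findings.append({
            "severity": severity,
            "host": rec["host"],
            "time": rec["time"],
            "method": rec["method"],
            "path": rec["path"],
            "status": status,
            "note": note,
        })
    return findings


if __name__ == "__main__":
    for f in audit_access_log(SAMPLE_LOG.splitlines()):
        print(f"[{f['severity']}] {f['time']} {f['host']} "
              f"{f['method']} {f['path']} -> {f['status']}: {f['note']}")
```

Run it against `logs/localhost_access_log.*.txt` (`audit_access_log(open(path))`) and treat any `high` finding as a sign that the DefaultServlet is writable and that the files under the affected web application need review; a refused PUT is still worth correlating with later requests from the same source address.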

This vulnerability impacts the following versions:

  • Apache Tomcat 11.0.0-M1 to 11.0.2
  • Apache Tomcat 10.1.0-M1 to 10.1.34
  • Apache Tomcat 9.0.0-M1 to 9.0.98

Why is this noteworthy?

This vulnerability is considered critical due to the potential for severe consequences, including unauthorized access, data breaches, or compromise of data integrity. In the worst-case scenario, it could enable attackers to execute malicious code on the server—particularly if Tomcat’s default file-based session settings are enabled and the application is vulnerable to deserialization issues.

What is the exposure or risk?

Apache Tomcat is an open-source application server for hosting web applications in both development and production environments. Given its extensive use across organizations, ensuring its security is essential. This particular vulnerability was actively exploited just 30 hours after a proof of concept was made public.

What are the recommendations?

Barracuda recommends the following actions to mitigate risks from this vulnerability:

  • Update Apache Tomcat to a secure version: Apache Tomcat 9.0.99 or later, Apache Tomcat 10.1.35 or later, Apache Tomcat 11.0.3 or later
  • Take these steps to reduce risk if an immediate update is unavailable:
    • Disable partial PUT requests: In conf/web.xml, add or set the DefaultServlet init-param allowPartialPut to false, then restart Tomcat.
    • Disable write permissions for DefaultServlet: Ensure the DefaultServlet init-param readonly is true (its default value); a deployment that set it to false accepts PUT and DELETE writes into the web application.
    • Restrict sensitive file locations: Avoid placing sensitive files in subdirectories of public upload paths to prevent unauthorized access.
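Both interim mitigations are init-params of the servlet named `default` in conf/web.xml, and an unset param silently falls back to Tomcat's built-in default (true for both). The script below is an added example written for this advisory, not Barracuda's or the Tomcat project's code: it embeds a constructed weak configuration beside the hardened one and audits each for the two settings, so the same function can be pointed at a real conf/web.xml.

```python
"""Audit a Tomcat conf/web.xml for the two DefaultServlet init-params named in
the advisory: readonly (must be true) and allowPartialPut (set to false while
unpatched). Added example; both XML fragments below are constructed, not taken
from a real deployment."""
import xml.etree.ElementTree as ET

# Constructed: a write-enabled DefaultServlet, the weak state the advisory warns about.
# allowPartialPut is absent, so Tomcat's default (true) applies.
WEAK_WEB_XML = """\
<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""

# Constructed: the hardened state recommended in the advisory.
HARDENED_WEB_XML = """\
<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>true</param-value>
    </init-param>
    <init-param>
      <param-name>allowPartialPut</param-name>
      <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""


def _local(tag):
    """Strip the XML namespace so Tomcat 9 (javaee) and 10/11 (jakartaee) files both match."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_params(xml_text):
    """Return {param-name: param-value} of the servlet named 'default', or None if absent."""
    root = ET.fromstring(xml_text)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        name = next((c.text for c in servlet if _local(c.tag) == "servlet-name"), None)
        if (name or "").strip() != "default":
            continue
        params = {}
        for ip in servlet:
            if _local(ip.tag) != "init-param":
                continue
            pname = pvalue = None
            for c in ip:
                if _local(c.tag) == "param-name":
                    pname = (c.text or "").strip()
                elif _local(c.tag) == "param-value":
                    pvalue = (c.text or "").strip()
            if pname:
                params[pname] = pvalue
        return params
    return None


def audit_default_servlet(xml_text):
    """Return (severity, message) findings; an empty list means both settings are hardened."""
    params = default_servlet_params(xml_text)
    findings = []
    if params is None:
        findings.append(("info", "no servlet named 'default'; Tomcat built-in defaults apply"))
        params = {}
    readonly = (params.get("readonly") or "true").lower()           # Tomcat default: true
    partial_put = (params.get("allowPartialPut") or "true").lower()  # Tomcat default: true
    if readonly != "true":
        findings.append(("high", "readonly=false: PUT/DELETE can write into the web application"))
    if partial_put != "false":
        findings.append(("medium", "allowPartialPut is not false: partial PUT handling remains enabled"))
    return findings


if __name__ == "__main__":
    for label, xml_text in (("weak", WEAK_WEB_XML), ("hardened", HARDENED_WEB_XML)):
        print(label, audit_default_servlet(xml_text) or "OK")
```

To audit a live server, pass `open("/path/to/tomcat/conf/web.xml").read()` to `audit_default_servlet`; remember that a web application's own WEB-INF/web.xml can also declare a servlet named `default` with different init-params, so check those files too.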

References

For more in-depth information about the recommendations, please visit the following links:

If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.


Posted by Mandeep Gujral

Mandeep is a Cybersecurity Analyst at Barracuda MSP. She's a security expert, working on our Blue Team within our Security Operations Center. Mandeep supports our XDR service delivery and is highly skilled at analyzing security events to detect cyber threats, helping keep our partners and their customers protected.