CyberSecurity news

FlagThis - #apachetomcat

do son@Daily CyberSecurity //
A critical security vulnerability, CVE-2025-24813, has been identified in Apache Tomcat, potentially exposing servers to remote code execution (RCE) and data leaks. The vulnerability stems from a path equivalence issue related to how Tomcat handles filenames with internal dots, particularly when writes are enabled for the default servlet and partial PUT support is enabled. This flaw could allow attackers to execute malicious code, disclose sensitive information, or inject malicious content into uploaded files.

Users of Apache Tomcat versions 11.0.0-M1 through 11.0.2, 10.1.0-M1 through 10.1.34, and 9.0.0.M1 through 9.0.98 are advised to upgrade immediately to versions 11.0.3, 10.1.35, or 9.0.99 respectively, which include the necessary fixes. Remote code execution is possible when an application additionally uses Tomcat's file-based session persistence with the default storage location and includes a library susceptible to deserialization attacks. COSCo Shipping Lines DIC and sw0rd1ight are credited with discovering and reporting the vulnerability.

References:
  • gbhackers.com: Apache Tomcat Flaw Could Allow RCE Attacks on Servers
  • cR0w :cascadia:: Tomcat vulns are always fun, right? H/T: Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat.
  • buherator's timeline: [oss-security] CVE-2025-24813: Apache Tomcat: Potential RCE and/or information disclosure and/or ...
  • Open Source Security: CVE-2025-24813: Apache Tomcat: Potential RCE and/or information disclosure and/or information corruption with partial PUT
  • securityonline.info: CVE-2025-24813 Flaw in Apache Tomcat Exposes Servers to RCE, Data Leaks: Update Immediately
  • buherator's timeline: Analysis of CVE-2025-24813 Apache Tomcat Path Equivalence RCE
  • BleepingComputer: A critical remote code execution (RCE) vulnerability in Apache Tomcat tracked as CVE-2025-24813 is actively exploited in the wild, enabling attackers to take over servers with a simple PUT request. [...]
  • securityonline.info: Tomcat Flaw CVE-2025-24813 Exploited in the Wild, PoC Released
  • securityaffairs.com: Threat actors rapidly exploit new Apache Tomcat flaw following PoC release
  • infosecwriteups.com: CVE-2025-24813: Apache Tomcat Path Equivalence Vulnerability $$$$ BOUNTY
  • The Hacker News: The Hacker News reports on Apache Tomcat Vulnerability Actively Exploited Just 30 Hours After Public Disclosure
  • www.scworld.com: Apache Tomcat flaw actively exploited; could allow 'devastating' RCE
  • bsky.app: Bsky Social - A critical remote code execution (RCE) vulnerability in Apache Tomcat tracked as CVE-2025-24813 is actively exploited in the wild, enabling attackers to take over servers with a simple PUT request.
  • The Register - Software: One PUT request, one poisoned session file, and the server’s yours. A trivial flaw in Apache Tomcat that allows remote code execution and access to sensitive files is said to be under attack in the wild within a week of its disclosure.
Classification:
Pierluigi Paganini@securityaffairs.com //
CISA has added a new Apache Tomcat vulnerability, identified as CVE-2025-24813, to its Known Exploited Vulnerabilities (KEV) catalog. This action follows evidence that the flaw is being actively exploited in the wild, posing a significant risk to organizations utilizing affected versions of Apache Tomcat. The vulnerability is a path equivalence issue within Apache Tomcat.

To mitigate the risk posed by CVE-2025-24813, impacted users are urged to upgrade their Apache Tomcat installations to the latest secure versions. Specifically, upgrades to Apache Tomcat 11.0.3 or later, Apache Tomcat 10.1.35 or later, or Apache Tomcat 9.0.99 or later are recommended. The advisory also includes IPS protection measures to detect and block potential attack attempts targeting this vulnerability affecting the Apache Tomcat web server.

References:
Classification:
  • HashTags: #Cybersecurity #ApacheTomcat #Vulnerability
  • Company: CISA
  • Target: Federal Civilian Executive Branch (FCEB) agencies
  • Product: Apache Tomcat
  • Feature: Path Equivalence Vulnerability
  • Malware: CVE-2025-24813
  • Type: Vulnerability
  • Severity: Major