A just lately disclosed safety flaw impacting Apache Tomcat has come below lively exploitation within the wild following the discharge of a public proof-of-concept (PoC) a mere 30 hours after public disclosure.
The vulnerability, tracked as CVE-2025-24813, impacts the under variations –
- Apache Tomcat 11.0.0-M1 to 11.0.2
- Apache Tomcat 10.1.0-M1 to 10.1.34
- Apache Tomcat 9.0.0-M1 to 9.0.98
It considerations a case of distant code execution or info disclosure when particular situations are met –
- Writes enabled for the default servlet (disabled by default)
- Assist for partial PUT (enabled by default)
- A goal URL for safety delicate uploads that could be a sub-directory of a goal URL for public uploads
- Attacker data of the names of safety delicate recordsdata being uploaded
- The safety delicate recordsdata are additionally being uploaded by way of partial PUT
Profitable exploitation might allow a malicious consumer to view safety delicate recordsdata or inject arbitrary content material into these recordsdata via a PUT request.
Moreover, an attacker might obtain distant code execution if all the next situations are true –
- Writes enabled for the default servlet (disabled by default)
- Assist for partial PUT (enabled by default)
- Utility was utilizing Tomcat’s file primarily based session persistence with the default storage location
- Utility included a library that could be leveraged in a deserialization assault
In an advisory launched final week, the mission maintainers stated the vulnerability has been resolved in Tomcat variations 9.0.99, 10.1.35, and 11.0.3.
However in a regarding twist, the vulnerability is already seeing exploitation makes an attempt within the wild, per Wallarm.
“This assault leverages Tomcat’s default session persistence mechanism together with its help for partial PUT requests,” the corporate stated.
“The exploit works in two steps: The attacker uploads a serialized Java session file by way of PUT request. The attacker triggers deserialization by referencing the malicious session ID in a GET request.”
Put in another way, the assaults entail sending a PUT request containing a Base64-encoded serialized Java payload that is written to Tomcat’s session storage listing, which subsequently will get executed throughout deserialization by sending a GET request with the JSESSIONID pointing to the malicious session.
Wallarm additionally famous that the vulnerability is trivial to take advantage of and requires no authentication. The one prerequisite is that Tomcat makes use of file-based session storage.
“Whereas this exploit abuses session storage, the larger difficulty is partial PUT dealing with in Tomcat, which permits importing virtually any file wherever,” it added. “Attackers will quickly begin shifting their techniques, importing malicious JSP recordsdata, modifying configurations, and planting backdoors outdoors session storage.”
Customers working affected variations of Tomcat are suggested to replace their situations as quickly as attainable to mitigate potential threats.
