CVE-2025-24813: Apache Tomcat Vulnerable to RCE Attacks

Introduction

CVE-2025-24813 was originally published on March 10 with a medium severity score of 5.5, and Apache Tomcat released an update to fix it. On March 12, Wallarm researchers detected the first attack, in Poland, before a proof-of-concept (PoC) was public. After a PoC was released on GitHub on March 13 and gained attention, the NVD raised the severity score to 9.8 (critical) on March 18.

The vulnerability stems from a path equivalence issue: a file name containing an internal dot (e.g. file.Name) is treated as equivalent to a different file, so a file uploaded through a write-enabled default servlet in Apache Tomcat can lead to remote code execution (RCE), information disclosure, or malicious content injection. Exploiting this vulnerability could allow attackers to take control of compromised servers, access sensitive data, and disrupt normal operations for an organization.

Recommendations

Zscaler ThreatLabz recommends that users of Apache Tomcat upgrade to one of the following versions to avoid this vulnerability:
- Apache Tomcat 11.0.3 or later
- Apache Tomcat 10.1.35 or later
- Apache Tomcat 9.0.99 or later

Affected Versions

The following versions of Apache Tomcat are affected by the vulnerability and should be updated immediately:
- Apache Tomcat 11.0.0-M1 to 11.0.2
- Apache Tomcat 10.1.0-M1 to 10.1.34
- Apache Tomcat 9.0.0-M1 to 9.0.98

Background

Apache Tomcat is an open-source, widely used Java-based web server and servlet container developed by the Apache Software Foundation. It serves as a platform for deploying web applications that use Java Servlets and JavaServer Pages (JSP).

Threat actors have been observed attempting to exploit CVE-2025-24813 in the wild. No authentication is required for exploitation, and attackers can use Base64-encoded payloads to evade detection by traditional security systems. However, successful exploitation relies on specific configurations within the victim's environment.

Criteria for Assessing Vulnerability

Your environment is only vulnerable if ALL of the following conditions are true:
- The DefaultServlet must accept PUT requests, which requires the readonly init parameter in conf/web.xml to have been changed to false; it is true by default.
- Partial PUT requests must be enabled, which is the default on affected versions, allowing attackers to manipulate uploaded files.
- Tomcat must be configured to use file-based session storage, which is not enabled by default, with session files saved in the standard storage location.
- The application must include deserialization libraries

[…]
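The version ranges and configuration preconditions above translate into a configuration audit. The following Python script is an added example, not code from the advisory, Zscaler or the Tomcat project: it compares a version string against the fixed releases listed above, reads the init-params of the servlet named "default" from conf/web.xml (handling the javaee and jakartaee namespaces), and looks for a PersistentManager backed by a FileStore in context.xml. The sample XML is constructed. The allowPartialPut parameter name and its off-by-default behaviour in fixed releases are assumptions to confirm against the DefaultServlet documentation for your version, and whether a usable deserialization library is on the classpath cannot be read from these files, so the script reports it as needing manual review.

```python
"""Audit a Tomcat deployment for the CVE-2025-24813 preconditions.

Added example; not code from the advisory or the Tomcat project.
"""
import xml.etree.ElementTree as ET

# First fixed release per branch, keyed by (major, minor), from the advisory.
FIXED = {(9, 0): (9, 0, 99), (10, 1): (10, 1, 35), (11, 0): (11, 0, 3)}


def parse_version(version):
    """'9.0.98' -> ((9, 0, 98), False); '11.0.0-M1' -> ((11, 0, 0), True)."""
    base, _, suffix = version.partition("-")
    return tuple(int(p) for p in base.split(".")), suffix.startswith("M")


def version_affected(version):
    """True if the release predates the fix; None if the branch is not covered."""
    nums, milestone = parse_version(version)
    fixed = FIXED.get(nums[:2])
    if fixed is None:
        return None
    # A milestone (e.g. 11.0.0-M1) sorts before the GA release with the same number.
    return nums < fixed or (nums == fixed and milestone)


def _local(tag):
    """Drop the namespace; web.xml uses javaee (Tomcat 9) or jakartaee (10/11)."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_params(web_xml):
    """Return the init-params of the servlet named 'default' in conf/web.xml."""
    for servlet in ET.fromstring(web_xml).iter():
        if _local(servlet.tag) != "servlet":
            continue
        names = [c.text.strip() for c in servlet
                 if _local(c.tag) == "servlet-name" and c.text]
        if names != ["default"]:
            continue
        params = {}
        for init in servlet:
            if _local(init.tag) == "init-param":
                kv = {_local(c.tag): (c.text or "").strip() for c in init}
                params[kv.get("param-name")] = kv.get("param-value")
        return params
    return {}


def _flag(params, name, default):
    """Tomcat uses the documented default when an init-param is absent."""
    value = params.get(name)
    return default if value is None else value.lower() == "true"


def uses_file_store(context_xml):
    """True if <Manager> is a PersistentManager with a FileStore (file-based sessions)."""
    for manager in ET.fromstring(context_xml).iter("Manager"):
        if manager.get("className", "").endswith("PersistentManager"):
            if any(s.get("className", "").endswith("FileStore")
                   for s in manager.iter("Store")):
                return True
    return False


def assess(version, web_xml, context_xml):
    """Combine the checks; the gadget-library condition cannot be read from config."""
    params = default_servlet_params(web_xml)
    affected = version_affected(version)
    if affected:
        partial_put = True  # affected releases honour partial PUT unconditionally
    else:
        # Assumption: fixed releases gate it behind allowPartialPut, off by default.
        partial_put = _flag(params, "allowPartialPut", False)
    result = {
        "version_affected": affected,
        # readonly=false is what enables PUT (and DELETE) in the DefaultServlet.
        "put_enabled": not _flag(params, "readonly", True),
        "partial_put": partial_put,
        "file_store": uses_file_store(context_xml),
        "gadget_library": "manual review",
    }
    result["rce_preconditions_met"] = bool(
        affected and result["put_enabled"] and partial_put and result["file_store"]
    )
    return result


# Constructed sample configs, not taken from any real deployment.
VULN_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""
SAFE_WEB_XML = VULN_WEB_XML.replace("<param-value>false</param-value>",
                                    "<param-value>true</param-value>")
FILESTORE_CONTEXT = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore"/>
  </Manager>
</Context>"""
DEFAULT_CONTEXT = "<Context/>"

if __name__ == "__main__":
    for ver, web in (("9.0.98", VULN_WEB_XML), ("9.0.98", SAFE_WEB_XML),
                     ("9.0.99", VULN_WEB_XML)):
        print(ver, assess(ver, web, FILESTORE_CONTEXT))
```

On a real host, read the version from the `ServerInfo.properties` banner or `version.sh`, and feed the contents of `conf/web.xml` and the application's `META-INF/context.xml` (or `conf/context.xml`) into `assess`. Note that the `readonly` check only covers the global default servlet; a web application that maps its own write-enabled DefaultServlet in its `WEB-INF/web.xml` needs the same inspection.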

This article has been indexed from Security Boulevard
