External risk intelligence

Apache Tomcat Remote Code Execution Vulnerability

CVE advisory | Known Exploit

CVE-2025-24813

A vulnerability in Apache Tomcat allows attackers to execute code, disclose information, or tamper with uploaded files. This impacts organizations by enabling remote code execution and unauthorized data access. The risk arises from specific configurations enabling write access and partial PUT requests. Organizations sh

Halo Surface Signal: 4

Deserialization

Apache Tomcat

Affected versions:
  • 9.0.x before 9.0.99
  • 10.1.x (10.1.0, and 10.1.1 to before 10.1.35)
  • 11.0.x (11.0.0, and 11.0.1 to before 11.0.3)

External exposure likelihood

Halo Surface Signal score for CVE-2025-24813

Apache Tomcat is a widely deployed, industry-standard web application server frequently used as an internet-facing service or edge component. While the vulnerability requires specific configuration conditions—such as enabled write access and specific deployment patterns—the software's primary role as a web and application gateway makes public exposure common in real-world environments.

Horizon Alert

Summary of the vulnerability and why it matters

A path equivalence vulnerability exists in the Apache Tomcat Default Servlet. It lets an attacker execute arbitrary code, disclose sensitive information, or tamper with uploaded files, but only under specific configuration: write access must be enabled for the default servlet (readonly=false; Tomcat ships with the default servlet read-only) and partial PUT requests must be supported (they are, by default).

  • Vulnerable component: Apache Tomcat Default Servlet
  • Core weakness: Path equivalence, an internal dot in a file name ('file.Name') is not handled correctly
  • Main business impact: Remote code execution, data disclosure/tampering

Attack Path

How an attacker could exploit the issue

The flaw is a path equivalence bug in the default servlet, reachable only when writes are enabled for that servlet and partial PUT requests are supported. Depending on the deployment, an attacker can read security-sensitive uploaded files, inject content into files uploaded by others, or, where the application also uses Tomcat's file-based session persistence in the default storage location and bundles a library usable in a deserialization attack, achieve remote code execution.

  • Writes are enabled for the default servlet (readonly=false).
  • Partial PUT requests are supported.
  • The attacker knows the name of a security-sensitive file uploaded beneath a public upload URL (for disclosure or tampering), or the server persists sessions to files alongside a deserialization-prone library (for code execution).
  • The attacker issues a partial PUT request.
  • The attacker achieves code execution or data compromise.
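The partial PUT in the last step leaves a trace in the access log. The following Python is an added example, not code from this page or from the Apache Tomcat project. It parses constructed access log lines in an assumed AccessLogValve pattern that appends the Content-Range request header (Tomcat's default pattern does not log that header, so it has to be added before this distinction can be made), extracts every PUT, and ranks accepted partial PUTs highest. The log lines, client addresses and paths are constructed; a 2xx on a PUT only proves that something writable handles the path, so the alert text asks the analyst to confirm that it is the default servlet.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed Tomcat access log lines. Assumed AccessLogValve pattern:
#   %h %l %u %t "%r" %s %b "%{Content-Range}i"
# Tomcat's default pattern does not log Content-Range; it is added here so a
# partial PUT (the request type this advisory names) can be told apart from a
# whole-file PUT.
SAMPLE_ACCESS_LOG = """\
203.0.113.10 - - [10/Mar/2025:12:00:01 +0000] "GET /index.jsp HTTP/1.1" 200 512 "-"
203.0.113.10 - - [10/Mar/2025:12:00:02 +0000] "PUT /uploads/report.pdf HTTP/1.1" 201 - "-"
198.51.100.7 - - [10/Mar/2025:12:00:03 +0000] "PUT /uploads/notes.txt HTTP/1.1" 201 - "bytes 0-1023/4096"
198.51.100.7 - - [10/Mar/2025:12:00:04 +0000] "PUT /uploads/notes.txt HTTP/1.1" 403 - "-"
198.51.100.7 - - [10/Mar/2025:12:00:05 +0000] "GET /uploads/notes.txt HTTP/1.1" 200 4096 "-"
"""

LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" '
    r'(?P<status>\d{3}) \S+ "(?P<content_range>[^"]*)"$'
)


@dataclass
class PutEvent:
    host: str
    time: str
    path: str
    status: int
    partial: bool         # a Content-Range request header was present
    write_accepted: bool  # 2xx response: the server took the body


def parse_put_events(log_text: str) -> List[PutEvent]:
    """Return one PutEvent per PUT request in the log; other methods are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "PUT":
            continue
        status = int(m["status"])
        events.append(PutEvent(
            host=m["host"],
            time=m["time"],
            path=m["path"],
            status=status,
            partial=m["content_range"] not in ("", "-"),
            write_accepted=200 <= status < 300,
        ))
    return events


def triage(events: List[PutEvent]) -> List[str]:
    """One alert line per PUT; an accepted partial PUT ranks highest."""
    alerts = []
    for e in events:
        if e.partial and e.write_accepted:
            level, why = "HIGH", "partial PUT accepted: the request shape this advisory describes"
        elif e.write_accepted:
            level, why = "MEDIUM", "PUT accepted: confirm whether the default servlet (readonly=false) handles this path"
        else:
            level, why = "LOW", f"PUT rejected with {e.status}"
        alerts.append(f"[{level}] {e.time} {e.host} PUT {e.path} -> {e.status}: {why}")
    return alerts


if __name__ == "__main__":
    for alert in triage(parse_put_events(SAMPLE_ACCESS_LOG)):
        print(alert)
```

Run it against a real log only after adding `"%{Content-Range}i"` to the AccessLogValve pattern in server.xml; without that field the regex will not match and every line is skipped, which is the safe failure mode for a detector that would otherwise mislabel partial PUTs as whole-file writes.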

Live Threat

Current exploitation, exposure, and threat context

This vulnerability in Apache Tomcat allows remote code execution or information disclosure. Exploitation requires specific configuration: write access enabled for the default servlet and support for partial PUT requests. Because a successful attack can hand an attacker control of the server or access to sensitive uploads, and the issue is listed as a known exploited vulnerability, organizations running affected versions should prioritize it.

  • Likely attacker skill level: Low
  • Required access or conditions: Specific configurations enabled
  • Business risk or urgency: High

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Under the configuration conditions described above, this vulnerability could allow unauthorized access to sensitive files, modification of uploaded content, or remote code execution. Organizations should inventory every Tomcat instance and its version, reduce exposure where the default servlet is writable, apply the vendor releases that contain the fix, confirm that the running version actually changed, and keep monitoring for PUT traffic to the default servlet in case an instance was missed or already touched.

  • Identify all Apache Tomcat assets and record their versions.
  • Restrict default servlet write access: leave readonly at its default of true unless an application genuinely needs PUT/DELETE through the default servlet.
  • Upgrade Tomcat to 9.0.99, 10.1.35 or 11.0.3 (or later), verify the running version, and monitor access logs for PUT requests.
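To check the two configuration preconditions and the version in one pass, here is an added Python audit that is not part of this page or of the Apache Tomcat project. It parses a conf/web.xml regardless of whether it uses the Java EE or Jakarta EE namespace, reads the DefaultServlet init-params, and compares a version string with the fixed releases this page names. The two web.xml fragments are constructed: the weak one sets readonly=false; the hardened one keeps readonly=true (Tomcat's default) and adds allowPartialPut=false, an init-param that exists only in the fixed releases, so on an unpatched server the upgrade remains the fix. Branches the page does not list (for example 8.5.x) are reported as unknown rather than guessed.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

# Fixed releases named on this page, keyed by Tomcat major version.
FIXED_RELEASES = {9: (9, 0, 99), 10: (10, 1, 35), 11: (11, 0, 3)}
DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"

# Constructed conf/web.xml fragment with the weak setting: readonly=false turns on
# PUT/DELETE handling in the default servlet, and partial PUT stays on by default.
WEAK_WEB_XML = """\
<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>listings</param-name><param-value>false</param-value></init-param>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""

# Constructed hardened fragment: writes off (Tomcat's default) and partial PUT disabled.
# allowPartialPut is an init-param of the fixed releases; it does not replace upgrading.
HARDENED_WEB_XML = """\
<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>listings</param-name><param-value>false</param-value></init-param>
    <init-param><param-name>readonly</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>allowPartialPut</param-name><param-value>false</param-value></init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""


def _local(tag: str) -> str:
    """Strip the XML namespace so Java EE and Jakarta EE descriptors parse alike."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem: ET.Element, name: str) -> Optional[str]:
    for child in elem:
        if _local(child.tag) == name and child.text is not None:
            return child.text.strip()
    return None


def default_servlet_params(web_xml: str) -> Dict[str, str]:
    """Return the init-params of the DefaultServlet declaration, or {} if there is none."""
    root = ET.fromstring(web_xml)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        if _child_text(servlet, "servlet-class") != DEFAULT_SERVLET:
            continue
        params = {}
        for init_param in servlet:
            if _local(init_param.tag) != "init-param":
                continue
            name = _child_text(init_param, "param-name")
            value = _child_text(init_param, "param-value")
            if name is not None and value is not None:
                params[name] = value
        return params
    return {}


def parse_version(version: str) -> Optional[Tuple[int, int, int]]:
    """Accept '9.0.98', 'Apache Tomcat/10.1.34' or '11.0.0-M1' (milestones sort with their base number)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version)
    return (int(m[1]), int(m[2]), int(m[3])) if m else None


def is_vulnerable_version(version: str) -> Optional[bool]:
    """True if before the fixed release of its branch; None if the branch is not listed on this page."""
    v = parse_version(version)
    if v is None or v[0] not in FIXED_RELEASES:
        return None
    return v < FIXED_RELEASES[v[0]]


def audit(web_xml: str, version: str) -> List[str]:
    """Findings for the configuration and version preconditions; an empty list means none were met."""
    findings = []
    params = default_servlet_params(web_xml)
    writes_enabled = params.get("readonly", "true").strip().lower() == "false"
    partial_put = params.get("allowPartialPut", "true").strip().lower() != "false"
    if writes_enabled:
        findings.append("DefaultServlet readonly=false: PUT/DELETE writes are enabled")
    if writes_enabled and partial_put:
        findings.append("partial PUT accepted alongside writes: configuration preconditions present")
    if is_vulnerable_version(version):
        fixed = ".".join(map(str, FIXED_RELEASES[parse_version(version)[0]]))
        findings.append(f"{version} is before fixed release {fixed}")
    return findings


if __name__ == "__main__":
    print(audit(WEAK_WEB_XML, "Apache Tomcat/9.0.98"))
    print(audit(HARDENED_WEB_XML, "Apache Tomcat/9.0.99"))
```

Feed it the global conf/web.xml first, then each application's WEB-INF/web.xml, since an application can redeclare the default servlet with its own init-params; the version string can be taken from the Server header, from `catalina.sh version`, or from the manifest of lib/catalina.jar.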

Frequently asked questions

What is Apache Tomcat and what is it used for?

Apache Tomcat is a widely used open-source web application server that implements Java Servlet, JSP, and other Java technologies. It serves as the runtime environment for many Java-based web applications, allowing them to run and be accessed over the internet.

What is CVE-2025-24813? How does it affect Apache Tomcat?

CVE-2025-24813 is a path equivalence vulnerability in Apache Tomcat's Default Servlet. It can lead to remote code execution, information disclosure, or the malicious modification of uploaded files. This occurs when specific configuration settings, like enabled write access for the default servlet and support for partial PUT requests, are active.

How can an attacker exploit this Apache Tomcat vulnerability?

Exploitation requires several conditions: writes must be enabled for the default servlet, partial PUT requests must be supported, and the target URL for security-sensitive uploads must be a sub-directory of a target URL for public uploads, with the attacker knowing the names of the sensitive files. If the application also uses Tomcat's file-based session persistence in its default storage location and includes a library that can be leveraged in a deserialization attack, remote code execution is possible. The vulnerability is NOT exploitable if writes are disabled for the default servlet, which is Tomcat's default setting.

Who should be concerned about CVE-2025-24813?

Organizations running Apache Tomcat should be concerned, particularly if their Tomcat instances are internet-facing. Halo Surface Signal indicates this software is often exposed to the public internet, increasing the potential impact of this vulnerability.

What is the first step to address this Apache Tomcat vulnerability?

The recommended first step is to upgrade Apache Tomcat to a patched version: 11.0.3, 10.1.35, or 9.0.99 (or any later release on the same branch), as these versions contain the fix. Where an upgrade must wait, confirm that the default servlet is not writable (readonly left at its default of true), since the issue is not exploitable without writes.
