Less than a week after the announcement of a vulnerability in Apache Tomcat, it is already being actively exploited.
The recently disclosed vulnerability in Apache Tomcat allows remote code execution, access to sensitive files and the installation of malware. CVE-2025-24813 was disclosed on March 10. According to security company Wallarm, an exploit was already in circulation 30 hours later, and the flaw is now being ‘actively exploited’.
Four Conditions
No authentication is required for the attack, making it easy for criminals to execute code on the Tomcat server. Wallarm’s advisory states that the exploit goes through Tomcat’s session storage. “Via a PUT request the attacker places a malicious session file on the server and encrypts it; they can then unlock the file and gain full access to the server.”
Apache itself rates the bug as ‘important’. The project also points out that exploitation is only possible if four conditions are met. “Two default settings in Tomcat must be enabled: write operations to the default servlet and support for partial PUT uploads. Additionally, a default storage location must be chosen for Tomcat’s files and a vulnerable library must be present.”
The vulnerability is present in Apache Tomcat versions 11.0.0-M1 through 11.0.2, 10.1.0-M1 through 10.1.34, and 9.0.0.M1 through 9.0.98. A temporary solution is to run Tomcat in ‘read-only’ mode.
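The four conditions and the affected version ranges above describe a state an administrator can check for. The following example is added here and is not code from Apache, Wallarm or the article: it parses a Tomcat conf/web.xml plus a version string and reports whether the affected-version range and the two default-servlet settings hold. The init-param names readonly and allowPartialPut are DefaultServlet parameters assumed from Tomcat’s documentation, the sample web.xml is constructed, and the session-store and vulnerable-library conditions are not checked.

```python
import xml.etree.ElementTree as ET

# Affected ranges from the advisory, keyed by (major, minor): inclusive patch
# range. Milestone builds such as 9.0.0.M1 or 11.0.0-M1 parse as patch 0.
AFFECTED = {(9, 0): (0, 98), (10, 1): (0, 34), (11, 0): (0, 2)}

# Constructed sample conf/web.xml: writes enabled, allowPartialPut left at its default (true).
SAMPLE_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""

def parse_version(version):
    """'9.0.98' -> (9, 0, 98); '9.0.0.M1' -> (9, 0, 0); '11.0.0-M1' -> (11, 0, 0)."""
    nums = [int(p) for p in version.replace("-", ".").split(".") if p.isdigit()]
    return tuple(nums[:3])

def version_affected(version):
    major, minor, patch = parse_version(version)
    low, high = AFFECTED.get((major, minor), (1, 0))  # unknown line: empty range
    return low <= patch <= high

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # strip the javaee/jakartaee namespace

def default_servlet_params(web_xml_text):
    """Return the init-params of the servlet named 'default' as a dict."""
    for servlet in ET.fromstring(web_xml_text).iter():
        if _local(servlet.tag) != "servlet":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in servlet}
        if fields.get("servlet-name") != "default":
            continue
        params = {}
        for ip in servlet:
            if _local(ip.tag) == "init-param":
                kv = {_local(c.tag): (c.text or "").strip() for c in ip}
                params[kv.get("param-name")] = kv.get("param-value")
        return params
    return {}

def exposure(version, web_xml_text):
    p = default_servlet_params(web_xml_text)
    writes = (p.get("readonly") or "true").lower() == "false"          # Tomcat default: true
    partial = (p.get("allowPartialPut") or "true").lower() == "true"   # Tomcat default: true
    affected = version_affected(version)
    return {"version_affected": affected, "writes_enabled": writes,
            "partial_put": partial, "preconditions_met": affected and writes and partial}
```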