CVE-2025-24813
Confirmed PUBLISHEDApache Tomcat: Potential RCE and/or information disclosure and/or information corruption with partial PUT
Recommended Action
Prioritize remediation. Validate affected assets and apply vendor fixes on an accelerated timeline.
At a Glance
Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions may also be affected. If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files: - writes enabled for the default servlet (disabled by default) - support for partial PUT (enabled by default) - a target URL for security sensitive uploads that was a sub-directory of a target URL for public uploads - attacker knowledge of the names of security sensitive files being uploaded - the security sensitive files also being uploaded via partial PUT If all of the following were true, a malicious user was able to perform remote code execution: - writes enabled for the default servlet (disabled by default) - support for partial PUT (enabled by default) - application was using Tomcat's file based session persistence with the default storage location - application included a library that may be leveraged in a deserialization attack Users are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.99, which fixes the issue.
- CVE Published
- Mar 10, 2025
- Exploitation Reported
- Apr 01, 2025
- CVSS
- 9.8 Critical
- EPSS
- 99.9%
Affected Versions
| Vendor | Product | Version | Status |
|---|---|---|---|
| Apache Software Foundation |
Apache Tomcat
|
11.0.0-M1 to <= 11.0.2 |
Affected |
| Apache Software Foundation |
Apache Tomcat
|
10.1.0-M1 to <= 10.1.34 |
Affected |
| Apache Software Foundation |
Apache Tomcat
|
9.0.0.M1 to <= 9.0.98 |
Affected |
| Apache Software Foundation |
Apache Tomcat
|
8.5.0 to <= 8.5.100 |
Affected |
CVE References
- Apache Mailing List lists.apache.org · Vendor Advisory https://lists.apache.org/thread/j5fkjv2k477os90nczf2v9l61fb0kkgq
Recommended Actions
- Prioritize remediation. Validate affected assets and apply vendor fixes on an accelerated timeline.
- Check enrichment artifacts for scanner coverage and available PoCs before rolling remediation validation.
- Use the Pro API to automate enrichment, telemetry, and workflow delivery for VM, SOC, and CTI pipelines.
Known Exploited Vulnerability Sources
Catalogues that list this CVE as a known exploited vulnerability.
Per-source evidence links for KEV attestations are available through the KEVIntel Pro API.
Learn about Pro API access| Source | Added |
|---|---|
| CISA First | 2025-04-01 00:00 UTC |
| The Shadowserver | 2026-07-05 00:00 UTC |
Scanner Artifacts
Nuclei and Metasploit references linked to this CVE.
| Scanner | Reference | Detected |
|---|---|---|
| Nuclei | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-24813.yaml | Apr 25, 2025 |
| Metasploit | https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/tomcat_partial_put_deserialization.rb | Apr 28, 2025 |
Virtual Patch
Compensating WAF rules to help reduce exposure to this CVE. Rule content and deployable vendor exports are available with KEVIntel Enterprise.
KEVIntel does not currently have a virtual patch for this CVE. When available, KEVIntel virtual patches ship as deployable ModSecurity, Cloudflare, and AWS WAF rules.
Enterprise feature. Virtual patch rule content and deployable vendor exports (ModSecurity, Cloudflare, AWS WAF) are available to KEVIntel Enterprise users.
CVSS Scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitation Status
Exploited in the wild
Recorded 2025-04-01 00:00:00 UTC · CISA
Proof of concept available
Recorded 2025-03-28 09:44:28 UTC · GitHub
Weaknesses (CWE)
-
Path Equivalence: 'file.name' (Internal Dot)
-
Deserialization of Untrusted Data
-
Use of Incorrectly-Resolved Name or Reference
Scanner Integrations
| Scanner | Reference | Detected |
|---|---|---|
| Nessus | https://www.tenable.com/plugins/nessus/237016 | Jun 02, 2025 |
| Metasploit | https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/tomcat_partial_put_deserialization.rb | Apr 28, 2025 |
| Nuclei | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-24813.yaml | Apr 25, 2025 |
Potential Proof of Concepts
These PoCs are unverified and could contain malware. Use at your own risk.
github · Created 2025-04-27 13:50:24 UTC · 0 stars
Proof of Concept (PoC) script for CVE-2025-24813, vulnerability in Apache Tomcat.
github · Created 2025-04-18 11:03:33 UTC · 2 stars
CVE-2025-24813的vulhub环境的POC脚本
github · Created 2025-04-12 19:12:39 UTC · 1 stars
CVE-2025-24813-Scanner is a Python-based vulnerability scanner that detects Apache Tomcat servers vulnerable to CVE-2025-24813, an arbitrary file upload vulnerability leading to remote code execution (RCE) via insecure PUT method handling and jsessionid exploitation.
github · Created 2025-04-12 17:38:02 UTC · 1 stars
A Python proof-of-concept exploit for CVE-2025-24813 - Unauthenticated RCE in Apache Tomcat (v9.0.0-9.0.98/10.1.0-10.1.34/11.0.0-11.0.2) via malicious Java object deserialization. Includes safe detection mode and custom payload support.
github · Created 2025-04-10 14:49:14 UTC · 7 stars
CVE-2025-24813 poc
github · Created 2025-04-09 15:20:32 UTC · 0 stars
A simple, easy-to-use POC for CVE-2025-42813 (Apache Tomcat versions below 9.0.99).
github · Created 2025-04-08 14:52:37 UTC · 0 stars
github · Created 2025-04-07 22:43:56 UTC · 0 stars
Hello researchers, I have a checker for the recent vulnerability CVE-2025-24813-checker.
github · Created 2025-04-07 16:17:06 UTC · 0 stars
github · Created 2025-04-06 19:36:48 UTC · 0 stars
CVE-2025-24813-POC JSP Web Shell Uploader
github · Created 2025-04-05 18:57:08 UTC · 30 stars
github · Created 2025-04-05 09:07:13 UTC · 3 stars
simple exp for CVE-2025-24813
github · Created 2025-03-31 19:01:28 UTC · 0 stars
github · Created 2025-03-30 09:39:45 UTC · 0 stars
This repository contains a shell script based POC on Apache Tomcat CVE-2025-24813. It allow you to easily test the vulnerability on any version of Apache Tomcat
github · Created 2025-03-28 09:44:28 UTC · 1 stars
Create lab for CVE-2025-24813
github · Created 2025-03-22 15:16:41 UTC · 1 stars
A PoC for CVE-2025-24813
github · Created 2025-03-21 18:05:27 UTC · 1 stars
CVE-2025-24813 Apache Tomcat RCE Proof of Concept (PoC)
github · Created 2025-03-20 22:52:00 UTC · 0 stars
POC for CVE-2025-24813 using Spring-Boot
github · Created 2025-03-19 14:32:01 UTC · 0 stars
Apache Tomcat Vulnerability POC (CVE-2025-24813)
github · Created 2025-03-18 08:42:12 UTC · 5 stars
Apache Tomcat Remote Code Execution (RCE) Exploit - CVE-2025-24813
github · Created 2025-03-17 22:39:38 UTC · 2 stars
Nuclei Template CVE-2025–24813
github · Created 2025-03-17 03:58:34 UTC · 2 stars
CVE-2025-24813 - Apache Tomcat Vulnerability Scanner
github · Created 2025-03-14 07:36:58 UTC · 110 stars
his repository contains an automated Proof of Concept (PoC) script for exploiting **CVE-2025-24813**, a Remote Code Execution (RCE) vulnerability in Apache Tomcat. The vulnerability allows an attacker to upload a malicious serialized payload to the server, leading to arbitrary code execution via deserialization when specific conditions are met.
github · Created 2025-03-13 10:00:03 UTC · 82 stars
Apache Tomcat 远程代码执行漏洞批量检测脚本(CVE-2025-24813)
nuclei · Created Unknown
metasploit · Created Unknown
Metasploit module for CVE-2025-24813
Timeline
Key exploitation, disclosure, scanner coverage, and KEV attestation events for this CVE.
-
00:00 UTC 13 days ago00:00 UTC · 13 days ago
KEV confirmed by The Shadowserver
Exploitation attested by an external source
-
09:39 UTC about 1 year ago09:39 UTC · about 1 year ago
Nessus plugin available
Scanner coverage available
-
15:02 UTC about 1 year ago15:02 UTC · about 1 year ago
Metasploit module available
Exploit module available
-
00:00 UTC about 1 year ago00:00 UTC · about 1 year ago
Nuclei template available
Scanner coverage available
-
00:00 UTC over 1 year ago00:00 UTC · over 1 year ago
Added to CISA KEV
Listed in the CISA Known Exploited Vulnerabilities catalog
-
09:44 UTC over 1 year ago09:44 UTC · over 1 year ago
Public PoC available
Public proof-of-concept code published
-
16:44 UTC over 1 year ago16:44 UTC · over 1 year ago
CVE published
Vulnerability disclosed publicly
-
08:51 UTC over 1 year ago08:51 UTC · over 1 year ago
CVE ID reserved
Identifier reserved by the CNA
Automate This Intelligence with the Pro API
Confidence scoring, exploit status, sensor telemetry, PoCs, scanner integrations, mentions, and tags are available programmatically for VM, SOC, and CTI workflows.
Pro API Example
GET /api/v2/pro/kevs/CVE-2025-24813
{
"cve_id": "CVE-2025-24813",
"title": "Apache Tomcat: Potential RCE and/or information disclosure and/or information...",
"affected_vendor": "Apache Software Foundation",
"affected_product": "Apache Tomcat",
"affected_versions": [
{ "vendor": "...", "product": "...", "status": "affected", "display_label": "..." }
],
"confidence": "Confirmed",
"cvss_score": 9.8,
"epss_score": 0.99945,
"exploit_status": {
"exploited_in_the_wild": true,
"active_exploitation_observed": false
},
"sensor_telemetry": { "...": "Pro API fields" },
"proof_of_concepts": [ "..." ],
"scanner_integrations": [ "..." ]
}