CVE-2025-24813

Confirmed PUBLISHED

Apache Tomcat: Potential RCE and/or information disclosure and/or information corruption with partial PUT

Apache Software Foundation · Apache Tomcat
Exploited in the wild PoC available

Recommended Action

Prioritize remediation. Validate affected assets and apply vendor fixes on an accelerated timeline.

Confidence
Confirmed
Exploitation Status
Exploited in the wild
Observed in Sensors
No
Attempts (30d)
Unique Attacker IPs
CISA KEV
In CISA KEV
CVSS / EPSS
9.8 Critical EPSS 99.9%

At a Glance

Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions may also be affected. If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files: - writes enabled for the default servlet (disabled by default) - support for partial PUT (enabled by default) - a target URL for security sensitive uploads that was a sub-directory of a target URL for public uploads - attacker knowledge of the names of security sensitive files being uploaded - the security sensitive files also being uploaded via partial PUT If all of the following were true, a malicious user was able to perform remote code execution: - writes enabled for the default servlet (disabled by default) - support for partial PUT (enabled by default) - application was using Tomcat's file based session persistence with the default storage location - application included a library that may be leveraged in a deserialization attack Users are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.99, which fixes the issue.

nessus_scanner windows apache metasploit nuclei_scanner cisa
CVE Published
Mar 10, 2025
Exploitation Reported
Apr 01, 2025
CVSS
9.8 Critical
EPSS
99.9%
Remote Low complexity No user interaction Unauthenticated

Affected Versions

Vendor Product Version Status
Apache Software Foundation
Apache Tomcat

11.0.0-M1 to <= 11.0.2

Affected
Apache Software Foundation
Apache Tomcat

10.1.0-M1 to <= 10.1.34

Affected
Apache Software Foundation
Apache Tomcat

9.0.0.M1 to <= 9.0.98

Affected
Apache Software Foundation
Apache Tomcat

8.5.0 to <= 8.5.100

Affected

CVE References

  • Apache Mailing List lists.apache.org · Vendor Advisory https://lists.apache.org/thread/j5fkjv2k477os90nczf2v9l61fb0kkgq

Recommended Actions

  • Prioritize remediation. Validate affected assets and apply vendor fixes on an accelerated timeline.
  • Check enrichment artifacts for scanner coverage and available PoCs before rolling remediation validation.
  • Use the Pro API to automate enrichment, telemetry, and workflow delivery for VM, SOC, and CTI pipelines.