CanSSOC advisory: Vulnerability – Critical Apache Tomcat RCE vulnerability actively exploited

Published: March 20, 2025

TLP: CLEAR
CanSSOC Threat Assessment [*]: SEVERE

Summary:

On March 17, 2025, CanSSOC became aware of a critical Remote Code Execution (RCE) vulnerability in Apache Tomcat, tracked as CVE-2025-24813 [1,2]. This vulnerability allows unauthenticated attackers to achieve full system compromise by exploiting partial PUT request handling and file-based session storage in affected Tomcat versions. The flaw is currently being actively exploited in the wild.

Public proof-of-concept (PoC) [3] exploits were released on GitHub within 30 hours of disclosure, significantly accelerating attacks. The exploitation method involves sending a PUT request with a base64-encoded Java payload, which is stored in Tomcat’s session storage. The attacker then sends a GET request with a JSESSIONID cookie pointing to the uploaded session file, triggering deserialization and remote code execution.

The attack is possible under the following vulnerable conditions:

  • Partial PUT request support is enabled (the default setting in Tomcat).
  • Writes are enabled for the default servlet (readonly="false"; disabled by default but manually configurable).
  • Security-sensitive files are stored in a subdirectory of a public upload directory.
  • The attacker knows the filenames of sensitive files being uploaded via partial PUT requests.

Security researchers have reported that traditional security tools may struggle to detect this attack due to obfuscation techniques, such as base64 encoding. Furthermore, they caution that new attack variants may soon emerge, including malicious JSP file uploads, configuration manipulation, and the installation of persistent backdoors.

Details:

Recommendations:

  • Ensure that all systems are running the latest security patches and are up to date.
  • Disable partial PUT requests and restrict file upload locations.
  • Revert to default servlet settings.
    • Set readonly="true" in the default servlet configuration to prevent unauthorized modifications.
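The two configuration conditions listed above (writes enabled on the default servlet, partial PUT support left on) and the matching recommendations can be checked directly against a deployment descriptor. The script below is an added example written for this advisory, not CanSSOC's or the Apache Tomcat project's code. It parses a web.xml, locates the DefaultServlet declaration and reports whether both conditions hold; the two embedded descriptors are constructed samples (one configured the way the advisory warns against, one with the recommended settings). The readonly init-param is the one the advisory names; allowPartialPut is assumed here to be the DefaultServlet init-param that controls partial PUT handling, and the defaults applied when a parameter is absent (readonly=true, partial PUT enabled) are likewise assumptions about Tomcat's shipped configuration. The check does not cover the file-based session storage condition, which lives in context.xml rather than web.xml.

```python
"""Audit a Tomcat web.xml for the DefaultServlet settings named in the advisory.

Added example, not CanSSOC's or the Tomcat project's code. 'readonly' is the
parameter the advisory names; 'allowPartialPut' is assumed to be the init-param
controlling partial PUT support, with Tomcat's default taken as enabled.
"""
import xml.etree.ElementTree as ET

DEFAULT_SERVLET_CLASS = "org.apache.catalina.servlets.DefaultServlet"

# Constructed sample: writes enabled, partial PUT left at its (assumed) default.
WEAK_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
</web-app>
"""

# Constructed sample: the same servlet with the advisory's recommended settings.
HARDENED_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>true</param-value>
    </init-param>
    <init-param>
      <param-name>allowPartialPut</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
</web-app>
"""


def _local(tag):
    """Strip the XML namespace prefix from an element tag."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_params(web_xml):
    """Return {param-name: param-value} for the DefaultServlet declaration,
    or None when the descriptor does not declare one (the container's own
    conf/web.xml defaults then apply)."""
    root = ET.fromstring(web_xml)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls = next((c.text.strip() for c in servlet
                    if _local(c.tag) == "servlet-class" and c.text), "")
        if cls != DEFAULT_SERVLET_CLASS:
            continue
        params = {}
        for init_param in servlet:
            if _local(init_param.tag) != "init-param":
                continue
            name = value = None
            for child in init_param:
                if _local(child.tag) == "param-name":
                    name = (child.text or "").strip()
                elif _local(child.tag) == "param-value":
                    value = (child.text or "").strip()
            if name:
                params[name] = value
        return params
    return None


def audit(web_xml):
    """Evaluate the advisory's two web.xml conditions and return a dict with
    'writes_enabled', 'partial_put_enabled', 'exposed' (both true) and a
    human-readable list of findings."""
    params = default_servlet_params(web_xml) or {}
    # Assumed Tomcat defaults when a parameter is absent.
    readonly = params.get("readonly", "true").lower() == "true"
    partial_put = params.get("allowPartialPut", "true").lower() == "true"
    findings = []
    if not readonly:
        findings.append("readonly=false: PUT/DELETE may write into the webapp")
    if partial_put:
        findings.append("allowPartialPut not false: partial PUT handling enabled")
    return {
        "writes_enabled": not readonly,
        "partial_put_enabled": partial_put,
        "exposed": (not readonly) and partial_put,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_WEB_XML), ("hardened", HARDENED_WEB_XML)):
        result = audit(doc)
        print(f"{label}: exposed={result['exposed']}")
        for finding in result["findings"]:
            print("  -", finding)
```

Run against each deployed application's WEB-INF/web.xml as well as the container's conf/web.xml, since a per-application declaration overrides the global one; a result of exposed=True means both configuration conditions from the list above are present and the patch and the readonly="true" change should be prioritised.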

Footnotes:

[*] The CanSSOC Threat Assessment has the following four scores: LOW, MEDIUM, HIGH, SEVERE.