
Apache Tomcat: Vulnerable versions downloaded nearly 100K times since PoC


A rapidly exploited vulnerability with a major blast radius

A recently disclosed vulnerability in Apache Tomcat, CVE-2025-24813, is drawing significant attention due to its ease of exploitation, rapid adoption by attackers, and widespread usage across enterprise environments. This vulnerability is a blend of path traversal issues and deserialization flaws, potentially allowing for remote code execution (RCE) or the exfiltration of sensitive data.

At Sonatype, we analyzed data from Maven Central and found a concerning trend: over the past three months, vulnerable versions of Apache Tomcat were downloaded three times more often than the safe versions. This widespread adoption of outdated and insecure versions significantly increases the attack surface for malicious actors.

Let's examine the key details of this vulnerability, its exploitation timeline, and why this attack is particularly difficult to detect.

Understanding the Apache Tomcat vulnerability

CVE-2025-24813 is particularly concerning because it allows attackers to achieve RCE with a single unauthenticated PUT request that stores a serialized payload, followed by a GET request whose session cookie causes Tomcat to deserialize it. This vulnerability impacts versions 9.0.0-M1 to 9.0.98, 10.1.0-M1 to 10.1.34, and 11.0.0-M1 to 11.0.2. The project fixed it in Tomcat 9.0.99, 10.1.35, and 11.0.3.

The attack chains two features that are often enabled together in real deployments: the DefaultServlet's partial (ranged) PUT support, which is on by default but only reaches the filesystem when the servlet's readonly parameter has been set to false, and file-based session persistence (a PersistentManager backed by a FileStore) using its default storage location, which is not configured by default but is common where sessions must survive restarts. The flaw itself is improper handling of path equivalence: the name of the temporary file written by a partial PUT can be made to match the name of a session file, so untrusted bytes are later deserialized as session data. Once those preconditions hold, the bug is both high-impact and easy to exploit.

As Sonatype's Vice President of Sales Engineering, Mitun Zavery, explains the core issue:

"The Apache Tomcat vulnerability is a notable blend of path traversal issues and deserialization flaws that could allow RCE or exfiltration of sensitive data. What makes this vulnerability stand out is its minimal prerequisites, ease of exploitation, and rapid exploitation timeline. Attackers only need access to a writable directory and knowledge of vulnerable configurations, like file-based session storage, to launch an attack."

Once an attacker finds such a deployment, the upload itself is an ordinary-looking PUT request. Nothing about it is malformed, so tools that look for malformed input or known payload signatures see a routine file write rather than an attack. No authentication is required at any step, which is what keeps the prerequisites minimal: a writable directory exposed by the DefaultServlet and knowledge of the vulnerable configuration, such as file-based session storage.

Exploitation moved swiftly, with proof-of-concept (PoC) exploits becoming publicly available within 30 hours of disclosure, leading to widespread attacks. The attack unfolds in two distinct steps — first, uploading the payload and then triggering deserialization — making it harder for pattern-based detection systems to recognize. Additionally, many attack payloads are obfuscated using base64 encoding, allowing them to bypass traditional security filters with ease.

Exploitation happened within hours

One of the most alarming aspects of this vulnerability is the speed of its exploitation.

According to publicly available information, attackers moved to exploit CVE-2025-24813 strikingly fast, though not surprisingly so. The vulnerability's ease of exploitation made it an attractive target for opportunistic attackers: minimal technical expertise or infrastructure was needed to execute the attack, which contributed to its rapid adoption.

Another driving factor was the public availability of a PoC exploit on GitHub, which emerged shortly after disclosure. This immediately lowered the barrier for exploitation, allowing a broader range of attackers to take advantage of the flaw. Finally, Apache Tomcat's widespread use in enterprise environments made this vulnerability particularly enticing for attackers looking to gain unauthorized access or establish persistent backdoors in high-value systems.

Attacker behavior insights

Shortly after public disclosure and the release of a proof-of-concept, security researchers observed active scanning and exploitation of CVE-2025-24813 by various threat actors. Internet-wide scanning activity originating from multiple countries began targeting Tomcat servers, attempting to identify vulnerable deployments and upload serialized payloads. In some cases, payloads were observed attempting to establish remote shells or deploy web-based backdoors.

This activity targeted enterprise and government systems, reflecting the critical nature and broad reach of the Apache Tomcat platform. Some payloads observed in the wild were obfuscated using base64 encoding and executed via the deserialization flaw, as attackers attempted to evade basic security filters and traditional detection mechanisms.

The root cause is how the DefaultServlet named the temporary file for a partial PUT: it derived the name from the request path by replacing path separators with dot (.) characters and wrote that file into the application's work directory. The FileStore session store reads its session files from that same directory by default, naming them after the session ID with a .session suffix. An attacker who controls both the PUT path and the JSESSIONID cookie value can therefore make the two names coincide, and because session files are deserialized when loaded, before any validation of their content, the uploaded bytes are handed straight to Java deserialization.

Attackers often perform automated scans to locate vulnerable Tomcat servers with specific configurations. Once a target is identified, they exploit publicly available vulnerabilities, particularly deserialization flaws in Java components, to carry out their attacks.

Widespread use of vulnerable versions

Sonatype's analysis of Maven Central download data indicates that many organizations are still using vulnerable versions of Apache Tomcat at a concerning rate.

Our findings show that:

  • Vulnerable versions were downloaded three times more often than patched versions in the past 90 days.

  • The download trend remained high even after the vulnerability was disclosed, meaning many organizations may be unknowingly deploying insecure versions.

  • Since the PoC was published on March 14, vulnerable versions have been downloaded 95,887 times in total, despite the availability of a newer, non-vulnerable version.


Why is the CVSS score low for an RCE vulnerability?

Despite being an RCE vulnerability, CVE-2025-24813 has a CVSS score of 5.5, which may seem low given its impact.

Several mitigating factors contribute to this:

  • Default configurations: Key conditions for exploitation, such as write-enabled DefaultServlet and file-based session persistence, are disabled by default in Apache Tomcat.

  • Specific prerequisites: Successful exploitation requires a precise alignment of configuration settings, making it less universally applicable than other RCE vulnerabilities.

  • Impact classification: While RCE is possible, confidentiality, integrity, and availability impacts are rated low since the attack primarily targets specific files rather than causing widespread system compromise under most scenarios.

Why this attack is hard to detect

Unlike attacks that rely on malformed input, this one uses well-formed PUT requests that look like ordinary file uploads. The body is a serialized Java object, often base64-encoded, which does not match the signatures most WAF and intrusion-prevention rules carry for web shells or injection strings.

The attack does not require authentication, and neither request is suspicious on its own: a PUT to a writable path and a GET carrying a session cookie both occur in normal traffic. What stands out is the pair, an upload from a client followed shortly by a request from the same client whose session ID names the uploaded file. That is a correlation, not a signature, so request-by-request filtering rarely catches it.
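The following is an added example for this post, not code from the post or from the Tomcat project. It turns the two points above into a check that can run over access logs: it models the name relationship between a partial-PUT temp file (request path with "/" replaced by ".") and a FileStore session file (session ID plus ".session"), then correlates PUTs with later GETs from the same client whose JSESSIONID names the file that PUT created. It assumes the AccessLogValve pattern was extended to record the Cookie request header (pattern='%h %t "%r" %s "%{Cookie}i"'; Tomcat's default pattern does not log cookies), and the log lines below are constructed, not captured from a real incident.

```python
"""Correlate partial-PUT uploads with session-loading GETs in Tomcat access logs.

Added example; assumes an AccessLogValve pattern of
    %h %t "%r" %s "%{Cookie}i"
(an assumption: the default pattern omits the Cookie header).
"""
import re
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) "(?P<cookie>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"          # what %t produces inside the brackets
JSESSIONID_RE = re.compile(r"JSESSIONID=([^;\s]+)")
# Tomcat-generated IDs are hex, optionally followed by ".jvmRoute"; anything
# else (e.g. an ID starting with ".") is a heuristic red flag.
SESSION_ID_OK = re.compile(r"^[0-9A-Fa-f]+(\.[\w-]+)?$")

# Constructed sample: one ordinary request, then a PUT/GET pair from one client.
SAMPLE_LOG = [
    '10.0.0.5 [20/Mar/2025:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 '
    '"JSESSIONID=3A5F9C0B2E1D4F6A7B8C9D0E1F2A3B4C"',
    '203.0.113.7 [20/Mar/2025:10:00:12 +0000] "PUT /upload/x.session HTTP/1.1" 201 "-"',
    '203.0.113.7 [20/Mar/2025:10:00:13 +0000] "GET /index.jsp HTTP/1.1" 500 '
    '"JSESSIONID=.upload.x"',
]


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], TS_FMT)
    c = JSESSIONID_RE.search(entry["cookie"])
    entry["session_id"] = c.group(1) if c else None
    return entry


def temp_file_name(request_path):
    """Name of the work-dir temp file a partial PUT creates: the request path
    with every '/' turned into '.', the path-equivalence at the heart of the CVE."""
    return request_path.replace("/", ".")


def session_file_name(session_id):
    """File the FileStore loads for a session ID."""
    return session_id + ".session"


def find_suspicious(lines, window=timedelta(minutes=10)):
    """Return (kind, client, detail) findings: every PUT handled by the server,
    malformed session IDs, and PUT->GET pairs where the GET's session ID names
    the file the PUT wrote (context path may prefix the PUT path, hence endswith)."""
    findings, puts = [], []
    for raw in lines:
        e = parse_line(raw)
        if e is None:
            continue
        if e["method"] == "PUT":
            findings.append(("put_upload", e["ip"], e["path"]))
            puts.append(e)
        elif e["method"] == "GET" and e["session_id"]:
            sid = e["session_id"]
            if not SESSION_ID_OK.match(sid):
                findings.append(("odd_session_id", e["ip"], sid))
            for p in puts:
                if (p["ip"] == e["ip"] and e["ts"] - p["ts"] <= window
                        and temp_file_name(p["path"]).endswith(session_file_name(sid))):
                    findings.append(("deser_trigger", e["ip"], sid))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG):
        print(*finding)
```

On the sample, the first GET is clean, the PUT is reported on its own (any PUT reaching the DefaultServlet deserves a look), and the GET one second later is flagged twice: its session ID is not a Tomcat-shaped ID, and it names exactly the file the PUT staged. The endswith match allows for a context path prefix on the logged URI; tighten it to equality for a root context.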

How to protect against this vulnerability

To reduce risk, Sonatype recommends the following immediate actions:

  1. Upgrade to a patched version of Apache Tomcat: 9.0.99, 10.1.35, or 11.0.3 and later. Confirm the version actually running on each host, not only the one declared in build files, since the download data above shows old versions still flowing into builds.

  2. Monitor for unexpected PUT requests: log and alert on PUT and DELETE requests handled by the DefaultServlet, especially PUTs carrying a Content-Range header (the trigger for partial PUT handling), and correlate them with subsequent requests from the same client.

  3. Leverage automated tools to prevent vulnerable dependencies: Sonatype Repository Firewall blocks malicious or vulnerable open source components before they enter your software supply chain.

  4. Conduct a full audit of Apache Tomcat configurations: check that the DefaultServlet's readonly init-param is not set to false unless writes are genuinely required, that allowPartialPut is disabled where PUT must stay enabled, and that file-based session persistence (PersistentManager with FileStore) is not configured alongside a writable DefaultServlet.
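As an added example, not code from the post or from the Tomcat project, the script below performs step 4 against a web.xml and a context.xml. It looks for the configuration preconditions the advisory lists: a DefaultServlet declared with readonly=false, partial PUT in effect (allowPartialPut defaults to true when absent), and a PersistentManager with a FileStore. The XML fragments are constructed, one weak and one hardened, so the check runs offline; it does not cover the remaining precondition, a deserialization gadget library on the application's classpath, nor a Manager configured in server.xml, so run it over every web.xml and context.xml in play and treat its output as a starting point.

```python
"""Audit Tomcat web.xml / context.xml for the CVE-2025-24813 preconditions.

Added example; input XML below is constructed. Parameter names (readonly,
allowPartialPut) and class names are Tomcat's documented ones.
"""
import xml.etree.ElementTree as ET

DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"
PERSISTENT_MANAGER = "org.apache.catalina.session.PersistentManager"
FILE_STORE = "org.apache.catalina.session.FileStore"

# Constructed sample: a write-enabled DefaultServlet plus file-based sessions.
VULNERABLE_WEB_XML = """\
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
</web-app>
"""
HARDENED_WEB_XML = VULNERABLE_WEB_XML.replace(
    "<param-value>false</param-value>", "<param-value>true</param-value>")

VULNERABLE_CONTEXT_XML = """\
<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore"/>
  </Manager>
</Context>
"""
HARDENED_CONTEXT_XML = "<Context/>"   # default in-memory StandardManager


def _local(tag):
    """Strip an XML namespace, e.g. {http://xmlns.jcp.org/xml/ns/javaee}servlet."""
    return tag.rsplit("}", 1)[-1]


def _text(elem):
    return (elem.text or "").strip()


def default_servlet_params(web_xml):
    """Return the init-params of the DefaultServlet declaration, or {} if absent."""
    root = ET.fromstring(web_xml)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls, params = None, {}
        for child in servlet:
            tag = _local(child.tag)
            if tag == "servlet-class":
                cls = _text(child)
            elif tag == "init-param":
                name = value = None
                for c in child:
                    if _local(c.tag) == "param-name":
                        name = _text(c)
                    elif _local(c.tag) == "param-value":
                        value = _text(c)
                if name:
                    params[name] = value
        if cls == DEFAULT_SERVLET:
            return params
    return {}


def audit(web_xml, context_xml):
    """Return human-readable findings; an empty list means no precondition found."""
    findings = []
    params = default_servlet_params(web_xml)
    # Both parameters default to true when not declared.
    readonly = (params.get("readonly") or "true").lower() != "false"
    partial_put = (params.get("allowPartialPut") or "true").lower() != "false"
    if not readonly:
        findings.append("DefaultServlet readonly=false: unauthenticated PUT/DELETE can write files")
        if partial_put:
            findings.append("allowPartialPut in effect: ranged PUTs are staged as temp files in the work directory")
    ctx = ET.fromstring(context_xml)
    for mgr in ctx.iter("Manager"):
        if mgr.get("className") != PERSISTENT_MANAGER:
            continue
        for store in mgr.iter("Store"):
            if store.get("className") == FILE_STORE:
                where = store.get("directory") or "default (work) directory"
                findings.append(f"PersistentManager with FileStore, directory: {where}")
    return findings


if __name__ == "__main__":
    for label, w, c in (("weak", VULNERABLE_WEB_XML, VULNERABLE_CONTEXT_XML),
                        ("hardened", HARDENED_WEB_XML, HARDENED_CONTEXT_XML)):
        print(label, "->", audit(w, c) or ["no findings"])
```

The weak pair yields three findings; the hardened pair, where readonly is back to true and the app uses the default in-memory manager, yields none. Note the ordering of the checks: allowPartialPut only matters once writes are enabled, so it is reported only under readonly=false, which mirrors how the advisory describes the preconditions.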

The bigger picture: Why proactive software supply chain security matters

The Apache Tomcat vulnerability highlights a recurring issue in software supply chain security: organizations continue to unknowingly use outdated and vulnerable dependencies at scale. Attackers capitalize on this reality, exploiting security gaps before teams can react.

To prevent future incidents like this:

  • Organizations must adopt a proactive approach to software security.

  • Automated tools that detect and block vulnerabilities before they are deployed are essential.

  • Security awareness around dependency management must improve across development teams.

How Sonatype helps

Sonatype Repository Firewall automatically detects and prevents vulnerable open source components from being pulled into your development pipeline.

By integrating proactive security measures, organizations can stop these attacks before they begin.

Final thoughts

The Apache Tomcat vulnerability is a wake-up call for security teams. With a rapid exploitation timeline, difficult detection, and widespread vulnerable versions still in use, organizations must act fast.

By leveraging automated dependency security, monitoring for suspicious activity, and ensuring swift patching, teams can reduce risk and prevent attacks before they cause harm.

To learn more about how Sonatype helps organizations secure their software supply chains, check out Sonatype Repository Firewall.


Written by Aaron Linskens

Aaron is a technical writer on Sonatype's Marketing team. He works at a crossroads of technical writing, developer advocacy, software development, and open source. He aims to get developers and non-technical collaborators to work well together via experimentation, feedback, and iteration so they ...