Critical Apache Tomcat RCE Vulnerability Under Active Exploitation
A critical remote code execution vulnerability in Apache Tomcat allows attackers to upload and execute arbitrary code via partial PUT requests, with active exploitation observed within 30 hours of disclosure.
What happened: A critical remote code execution vulnerability in Apache Tomcat is being actively exploited less than 30 hours after public disclosure. CVE-2025-24813 enables attackers to upload malicious serialized session data via partial PUT requests, which is then deserialized to achieve remote code execution on vulnerable servers.
Technical details: The vulnerability exists in Apache Tomcat's handling of partial PUT requests. When the default servlet is configured to allow writes via HTTP PUT (which is not the default configuration), an attacker can upload a serialized Java object to a file-based session store. When a subsequent request references the crafted session, the server deserializes the payload, executing arbitrary code. The attack requires default servlet write access, file-based session persistence, and a deserialization-vulnerable library like commons-collections in the classpath.
Who is affected: Web applications running on Apache Tomcat versions 9.0.0-M1 through 9.0.98, 10.1.0-M1 through 10.1.34, or 11.0.0-M1 through 11.0.4 where the default servlet has write access enabled and file-based session persistence is configured. While the default configuration is not vulnerable, many production environments modify these settings.
What defenders should do: Upgrade to Apache Tomcat 9.0.99, 10.1.35, or 11.0.5. If immediate patching is not possible, disable PUT support on the default servlet, switch to database-backed or non-file session persistence, and remove deserialization gadget libraries from the classpath where possible. Scan web access logs for suspicious partial PUT requests to session storage paths.
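As an added defender-side check (not code from the advisory or from the Apache Tomcat project), the script below parses the two Tomcat configuration files that carry the preconditions described above, a writable default servlet in web.xml and a FileStore-backed PersistentManager in context.xml, and reports whether both are present. The XML fragments are constructed samples; the element and attribute names follow Tomcat's own configuration conventions.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a conf/web.xml fragment: the default servlet set to readonly=false.
WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""

# Constructed sample of a context.xml with a FileStore-backed PersistentManager.
CONTEXT_XML = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore"/>
  </Manager>
</Context>"""


def _local(tag):
    # Strip the XML namespace so lookups work whether or not web-app declares xmlns.
    return tag.rsplit("}", 1)[-1]


def default_servlet_writable(web_xml):
    # DefaultServlet is read-only unless its readonly init-param is explicitly "false".
    for servlet in ET.fromstring(web_xml).iter():
        names = [(c.text or "").strip() for c in servlet if _local(c.tag) == "servlet-name"]
        if _local(servlet.tag) != "servlet" or names != ["default"]:
            continue
        for init in servlet:
            params = {_local(c.tag): (c.text or "").strip() for c in init}
            if params.get("param-name") == "readonly":
                return params.get("param-value", "true").lower() == "false"
    return False


def file_session_store(context_xml):
    # Sessions are serialized to disk only when a PersistentManager uses a FileStore.
    return any(
        mgr.get("className", "").endswith("PersistentManager")
        and any(s.get("className", "").endswith("FileStore") for s in mgr.iter("Store"))
        for mgr in ET.fromstring(context_xml).iter("Manager"))


def assess(web_xml, context_xml):
    # Both configuration preconditions from the advisory must hold for the partial-PUT path to matter.
    findings = {"default_servlet_writable": default_servlet_writable(web_xml),
                "file_session_store": file_session_store(context_xml)}
    findings["preconditions_met"] = all(findings.values())
    return findings
```

Point `assess()` at the contents of a real `conf/web.xml` and the application's `context.xml`; a `preconditions_met` of `True` on an unpatched version means the upgrade or the interim mitigations above apply.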
Broader implications: The extremely rapid weaponization of this vulnerability, within 30 hours of disclosure, illustrates the shrinking patch window that organizations face. Apache Tomcat's prevalence as a Java application server across enterprise environments means the potential impact is widespread, and this vulnerability adds to the growing list of deserialization-based attacks targeting Java middleware.