
A recently disclosed security flaw affecting Apache Tomcat has come under active exploitation in the wild following the release of a public proof-of-concept (PoC) just 30 hours after disclosure.
The vulnerability, tracked as CVE-2025-24813, affects the following versions:
Apache Tomcat 11.0.0-M1 to 11.0.2, Apache Tomcat 10.1.0-M1 to 10.1.34, and Apache Tomcat 9.0.0-M1 to 9.0.98
It can lead to remote code execution or information disclosure when the following conditions are met:
Writes enabled for the default servlet (disabled by default)
Support for partial PUT (enabled by default)
Successful exploitation allows a malicious user to view security-sensitive files or inject arbitrary content into those files using PUT requests.
Additionally, an attacker can achieve remote code execution if all of the following conditions are true:
Writes enabled for the default servlet (disabled by default)
Support for partial PUT (enabled by default)
The application was using Tomcat's file-based session persistence with the default storage location
In an advisory released last week, the project maintainers said the vulnerability was resolved in Tomcat versions 9.0.99, 10.1.35 and 11.0.3.

But according to Wallarm, the vulnerability is already seeing exploitation attempts in the wild.
“This attack leverages Tomcat’s default session persistence mechanism, along with its support for partial PUT requests,” the company said.
“The exploit works in two steps. The attacker uploads a serialized Java session file via a PUT request. The attacker triggers deserialization by referencing the malicious session ID in a GET request.”
Put another way, the attack involves sending a PUT request containing a Base64-encoded serialized Java payload that gets written to Tomcat’s session storage directory. Deserialization is then triggered by sending a GET request that points to the malicious session.
Wallarm also noted that the vulnerability is easy to exploit and does not require authentication. The only prerequisite is that Tomcat uses file-based session storage.
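The two-step pattern described above (a PUT that writes a session file, then a GET carrying a session ID that Tomcat never issued) is something defenders can hunt for in access logs. The following is an added detection example, not code from Wallarm or the Tomcat project; it assumes the AccessLogValve pattern shown in the comment (which records the Content-Range header and the JSESSIONID cookie, unlike the default "common" pattern), and the log lines are constructed samples.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from a real incident). Assumes an AccessLogValve
# pattern of: %h %t "%r" %s "%{Content-Range}i" "%{JSESSIONID}c"
# The default "common" pattern logs neither the header nor the cookie.
SAMPLE_LOG = """\
10.0.0.5 [17/Mar/2025:10:00:01 +0000] "GET /app/index.jsp HTTP/1.1" 200 "-" "A1B2C3D4E5F60718293A4B5C6D7E8F90"
203.0.113.9 [17/Mar/2025:10:00:07 +0000] "PUT /app/upload.session HTTP/1.1" 409 "bytes 0-1023/2048" "-"
203.0.113.9 [17/Mar/2025:10:00:09 +0000] "GET /app/ HTTP/1.1" 500 "-" "upload"
10.0.0.7 [17/Mar/2025:10:00:12 +0000] "GET /app/index.jsp HTTP/1.1" 200 "-" "0123456789ABCDEF0123456789ABCDEF.node1"
"""

LINE_RE = re.compile(
    r'^(?P<host>\S+) \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) "(?P<range>[^"]*)" "(?P<sid>[^"]*)"$')
# Tomcat's default session ids are 32 hex chars, optionally followed by ".jvmRoute".
SESSION_ID_RE = re.compile(r'^[0-9A-Fa-f]{32}(\.[\w-]+)?$')


def parse_line(line):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def detect(log_text):
    """Return (severity, client, reason) alerts for CVE-2025-24813-style activity."""
    alerts = []
    put_seen = defaultdict(list)  # client -> paths it wrote via PUT
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec:
            continue
        client, method, sid = rec["host"], rec["method"], rec["sid"]
        if method == "PUT":
            # The default servlet is read-only by default, so any PUT deserves a look;
            # a Content-Range header means the partial-PUT code path was used.
            partial = rec["range"] != "-"
            put_seen[client].append(rec["path"])
            alerts.append(("medium", client,
                           f"{'partial ' if partial else ''}PUT to {rec['path']}"))
        elif method == "GET" and sid != "-" and not SESSION_ID_RE.match(sid):
            # Session id not in Tomcat's format: the client minted it, Tomcat did not.
            prior = put_seen[client]
            sev = "high" if prior else "medium"
            note = " after PUT to " + ", ".join(prior) if prior else ""
            alerts.append((sev, client, f"GET with non-Tomcat session id {sid!r}{note}"))
    return alerts


if __name__ == "__main__":
    for sev, client, reason in detect(SAMPLE_LOG):
        print(f"[{sev}] {client}: {reason}")
```

A GET with a client-minted session ID from the same address that just issued a PUT is the strongest signal here; a lone PUT is worth reviewing because writes to the default servlet are off unless someone enabled them.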
“This exploit abuses session storage, but the bigger problem is partial PUT handling in Tomcat,” Wallarm said. “Attackers will soon begin shifting their tactics, uploading malicious JSP files, changing configurations, and planting backdoors outside of session storage.”
Users running an affected version of Tomcat are recommended to update their instances as soon as possible to mitigate potential threats.