
A critical security vulnerability in Apache Tomcat, tracked as CVE-2025-24813, is currently being actively exploited in the wild. Known widely as the Apache Tomcat exploit, this flaw allows unauthenticated remote code execution (RCE) on vulnerable systems under specific conditions.
This guide walks you through what the Apache Tomcat exploit is, how it works, and most importantly, how to secure your server to prevent it from being compromised.
Organizations running affected versions of Tomcat are strongly urged to apply security updates immediately to mitigate this threat.
What Is CVE-2025-24813?
Disclosed on March 10, 2025, CVE-2025-24813 stems from a path equivalence issue in Apache Tomcat's handling of file names during partial PUT requests. The vulnerability arises when Tomcat replaces path separators with dots in uploaded filenames, originally a mitigation against path traversal. Unfortunately, this approach introduces a new avenue for exploitation.
Affected Versions:
- Tomcat 9.0.0.M1 through 9.0.98
- Tomcat 10.1.0-M1 through 10.1.34
- Tomcat 11.0.0-M1 through 11.0.2
Mitigation Guide
Step 1: Upgrade Apache Tomcat
How to upgrade:
- Back up the existing Tomcat setup.
- Download the updated version.
- Replace or install the new version.
- Restore your configuration files.
- Restart the Tomcat server.
- Test applications for stability.
Step 2: Monitor Server Logs for Suspicious PUT Requests

How to monitor:
- Find logs in logs/access_log.* or logs/catalina.out.
- Search the access log for PUT requests (the access log valve records each request line; catalina.out holds the server's own console output, not request lines):
  grep '"PUT ' logs/access_log.*
- Look for unknown IPs or large payloads.
- Use tools like ELK, Splunk, or Graylog for real-time analysis.
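As an added illustration of Step 2 (not part of the original guide or of Tomcat itself), the following Python script parses Tomcat access-log lines and flags PUT requests from untrusted sources or with oversized bodies, the two signals named above, and additionally flags bursts of PUTs from one IP. It assumes the AccessLogValve pattern is the default with `%{Content-Length}i` appended so the request body size is logged; the log lines, the 10.x trusted range and the thresholds are constructed for the example.

```python
import re
from collections import Counter

# AccessLogValve pattern assumed here: the default '%h %l %u %t "%r" %s %b'
# with %{Content-Length}i appended so the request body size is logged too.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<resp>\d+|-)(?: (?P<req>\d+|-))?$'
)

# Constructed sample lines (not real traffic); 10.0.0.0/8 is the assumed trusted deployer range.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2025:12:00:01 +0000] "GET /app/index.jsp HTTP/1.1" 200 512
203.0.113.9 - - [10/Mar/2025:12:00:02 +0000] "PUT /app/uploads/data.bin HTTP/1.1" 409 0 2097152
203.0.113.9 - - [10/Mar/2025:12:00:03 +0000] "GET /app/index.jsp HTTP/1.1" 200 512 -
10.0.0.5 - - [10/Mar/2025:12:00:04 +0000] "PUT /app/uploads/report.pdf HTTP/1.1" 201 0 204800
"""
# A burst of small PUTs from one untrusted IP, also constructed.
BURST = "".join(
    f'198.51.100.7 - - [10/Mar/2025:12:01:{i:02d} +0000] "PUT /app/uploads/p{i}.bin HTTP/1.1" 409 0 16\n'
    for i in range(4)
)

def parse_line(line):
    """Return the fields of one access-log line, or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["req"] = int(d["req"]) if d["req"] not in (None, "-") else 0  # body size, 0 if unknown
    return d

def find_suspicious_puts(log_text, trusted_prefixes=("10.",), max_body=1_000_000, max_puts=3):
    """Flag PUTs from untrusted IPs, with oversized bodies, or in bursts from one IP."""
    puts = [e for e in map(parse_line, log_text.splitlines()) if e and e["method"] == "PUT"]
    per_ip = Counter(e["ip"] for e in puts)
    findings = []
    for e in puts:
        reasons = []
        if not e["ip"].startswith(trusted_prefixes):
            reasons.append("untrusted source")
        if e["req"] > max_body:
            reasons.append(f"large body ({e['req']} bytes)")
        if per_ip[e["ip"]] > max_puts:
            reasons.append(f"{per_ip[e['ip']]} PUTs from this IP")
        if reasons:
            findings.append((e["ip"], e["path"], reasons))
    return findings
```

Running `find_suspicious_puts(SAMPLE_LOG + BURST)` returns the oversized upload from 203.0.113.9 and the four burst PUTs from 198.51.100.7, while the trusted deployer's PUT is left alone.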
Step 3: Deploy Web Application Firewall (WAF) Rules

Recommended actions:
- Use WAFs like ModSecurity, AWS WAF, or Cloudflare.
- Create rules to:
  - Block partial PUT requests (PUTs carrying a Content-Range header)
  - Reject suspicious upload paths or filenames
- Keep WAF rules updated.
- Review WAF logs regularly.
Step 4: Blacklist Suspicious IPs
Steps:
- Identify attacking IPs from logs.
- Use the firewall to block them:
  sudo iptables -A INPUT -s <ip_address> -j DROP
- Automate using fail2ban or similar tools.
- Stay informed with threat intelligence feeds.
Targeted Regions (So Far)
| Country | Share of Attacks |
|---|---|
| United States | 70%+ |
| Japan | Medium |
| India | Medium |
| South Korea | Medium |
| Mexico | Low |
Final Reminder:
NHS England's National CSOC has warned that ongoing exploitation of the Apache Tomcat exploit (CVE-2025-24813) is "highly likely." While widespread attacks require specific configuration setups, any unpatched system remains at serious risk.
Ensure your systems are protected: apply the necessary patches immediately and thoroughly review your Tomcat configurations to minimize exposure to this exploit.
Stay safe out there.