CERT NZ Shares Critical Advisory for CVE-2025-24813 Vulnerability in Apache Tomcat
The New Zealand CERT has issued an urgent advisory disclosing a critical vulnerability, CVE-2025-24813, in multiple versions of Apache Tomcat that could lead to remote code execution, information disclosure and file tampering. Users are advised to upgrade to a fixed version immediately or disable certain features to mitigate the risk. 2025-3-19 08:46:06 Author: cyble.com

Overview

The New Zealand Computer Emergency Response Team (CERT NZ) recently issued an urgent security advisory regarding a critical vulnerability, CVE-2025-24813, affecting Apache Tomcat across multiple versions. This Apache Tomcat vulnerability, identified in March 2025, poses severe risks, including remote code execution (RCE), information disclosure, and content corruption.

The advisory outlines the threats and recommends necessary actions to mitigate the risks for users of the affected Apache Tomcat versions. CVE-2025-24813 is a critical vulnerability in Apache Tomcat that affects versions ranging from 9.0.0-M1 to 9.0.98, 10.1.0-M1 to 10.1.34, and 11.0.0-M1 to 11.0.2. It stems from an issue in how the partial PUT method is implemented in Tomcat.

Under the right conditions, an unauthenticated attacker could upload a malicious serialized payload to a vulnerable server. If exploited, this flaw allows attackers to execute arbitrary code, take control of the server, or leak sensitive data, making it a significant risk for affected systems.

The flaw primarily impacts Apache Tomcat servers running specific versions, and is most dangerous when the additional conditions outlined by CERT NZ are met. CERT NZ also notes that a proof of concept (PoC) exists and that active exploitation has been reported, which raises the urgency for immediate remediation.

How Does Apache Tomcat Vulnerability CVE-2025-24813 Work?

At the core of CVE-2025-24813 is the partial PUT method in Tomcat. When a file is uploaded via a partial PUT request, it generates a temporary file on the server based on the provided filename. The vulnerability is triggered when the file’s path separator is replaced by a period (“.”), which can lead to unintended file manipulations. This behavior opens the door to two main exploit scenarios:

  1. Information Disclosure/Corruption: If an attacker uploads a file to a directory that should be protected, they might gain access to sensitive files or inject malicious content into them. This can compromise the integrity of the files or even leak confidential information.
  2. Remote Code Execution (RCE): When the server runs with certain default settings and session persistence is enabled alongside a vulnerable library, an attacker can execute code remotely on the server. This scenario lets the attacker take full control of the affected system.

Affected Versions

Systems using any of the following Apache Tomcat versions are at risk from CVE-2025-24813:

  • Apache Tomcat 11.0.0-M1 to 11.0.2
  • Apache Tomcat 10.1.0-M1 to 10.1.34
  • Apache Tomcat 9.0.0-M1 to 9.0.98

Administrators should check their Apache Tomcat installation to see if they are running any of these versions and review their configuration to assess the vulnerability’s exposure.

Identifying and Mitigating the Risk

How to Tell If Your System Is at Risk

If your system runs an affected version of Apache Tomcat, it’s crucial to verify whether additional conditions specified by the advisory are also present. Follow these steps:

  1. Ensure your Tomcat installation is one of the vulnerable versions listed earlier. If it is, further review is required to see if the system is at greater risk under specific circumstances.
  2. Examine server configurations to ensure they are not exposed to malicious actions. This includes inspecting file permissions on sensitive directories, whether partial PUT is enabled, and session persistence settings.

What to Do: Mitigation Steps

To mitigate the risks associated with CVE-2025-24813, administrators should immediately:

  1. Upgrade to Patched Versions: Apache Tomcat has released patches that address the vulnerability. Users should upgrade to the following versions:
     • Apache Tomcat 11.0.3 or later
     • Apache Tomcat 10.1.35 or later
     • Apache Tomcat 9.0.99 or later

These updated versions eliminate the vulnerability by properly securing the partial PUT functionality, closing the exploit vector and preventing the possibility of remote code execution.

  • If immediate upgrading is not feasible, disable features like partial PUT and restrict write access to sensitive files and directories to mitigate risk temporarily.
  • Apply stronger security measures, including ensuring appropriate file permissions, securing sensitive data, and updating dependencies to secure versions.
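As an added illustration of the two checks in "How to Tell If Your System Is at Risk" and of the "upgrade or disable partial PUT" mitigation above (this is example code, not from CERT NZ, Cyble or the Tomcat project), the script below classifies a reported Tomcat version against the advisory's affected and fixed ranges, milestone builds included, and inspects a conf/web.xml for the DefaultServlet settings that govern PUT. It assumes that Tomcat's real `readonly` and `allowPartialPut` DefaultServlet init-params are the switches the advisory means by "partial PUT"; the web.xml fragment is constructed for the example.

```python
import re
import xml.etree.ElementTree as ET
# First fixed release per branch (CERT NZ advisory); every earlier release of
# that branch, back to its first milestone, is affected.
FIXED = {(9, 0): (9, 0, 99), (10, 1): (10, 1, 35), (11, 0): (11, 0, 3)}

def parse_version(text):
    """'Apache Tomcat/10.1.34' or '9.0.0-M1' -> sortable tuple; a milestone
    (-Mn) sorts before the final release carrying the same number."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?", text)
    if not m:
        raise ValueError(f"no Tomcat version in {text!r}")
    major, minor, patch, ms = m.groups()
    return (int(major), int(minor), int(patch), int(ms) if ms else 10**6)

def is_affected(text):
    """True = affected range, False = patched, None = branch not covered."""
    v = parse_version(text)
    fixed = FIXED.get(v[:2])
    return None if fixed is None else v < fixed + (0,)

def _local(elem):  # strip the javaee/jakartaee namespace from a tag
    return elem.tag.split("}")[-1]

def default_servlet_params(web_xml):
    """init-params of the DefaultServlet in a conf/web.xml, name -> value."""
    for servlet in ET.fromstring(web_xml).iter():
        if _local(servlet) != "servlet":
            continue
        fields = {_local(c): (c.text or "").strip() for c in servlet}
        if fields.get("servlet-class") != "org.apache.catalina.servlets.DefaultServlet":
            continue
        params = [{_local(c): (c.text or "").strip() for c in ip}
                  for ip in servlet if _local(ip) == "init-param"]
        return {p["param-name"]: p["param-value"] for p in params}
    return {}

def partial_put_exposed(web_xml):
    """PUT reaches the DefaultServlet only when readonly=false; partial PUT
    additionally needs allowPartialPut left at its default of true."""
    p = default_servlet_params(web_xml)
    readonly = p.get("readonly", "true").lower() == "true"  # Boolean.parseBoolean semantics
    return not readonly and p.get("allowPartialPut", "true").lower() == "true"

# Constructed sample conf/web.xml fragment, not taken from any real deployment.
SAMPLE_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee">
 <servlet><servlet-name>default</servlet-name>
  <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
  <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
 </servlet></web-app>"""
```

A version on an affected branch with `partial_put_exposed` returning True is the case to upgrade first; setting `readonly` back to true (or `allowPartialPut` to false) is the temporary mitigation the advisory describes.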

Other Recent Apache Tomcat Vulnerabilities

The CVE-2025-24813 vulnerability is just the latest in a series of critical security flaws identified in Apache Tomcat. The Tomcat team has worked diligently to address previous issues like CVE-2024-50379, CVE-2023-42795, and CVE-2024-34750. These vulnerabilities were severe, with potential impacts ranging from remote code execution to privilege escalation and data exposure.

CVE-2024-50379

This flaw was identified in Apache Tomcat’s handling of session persistence. It could have allowed attackers to gain unauthorized access to session data, potentially compromising sensitive information stored in sessions. Prompt patches were made available to address the issue, and administrators were advised to upgrade as soon as possible.

CVE-2023-42795

CVE-2023-42795 was another critical vulnerability that affected Apache Tomcat. It allowed attackers to bypass security restrictions, which could have led to unauthorized access to sensitive data stored within the application. Users were urged to upgrade to newer, more secure versions of Apache Tomcat to mitigate the risk.

CVE-2024-34750

CVE-2024-34750 was a vulnerability that exposed internal resources to external requests. Exploiting this flaw, an attacker could potentially escalate privileges and execute unauthorized actions within the system. Apache Tomcat issued patches that resolved the flaw, mitigating the risk for users of affected versions.

Conclusion

Apache Tomcat has released security patches to mitigate risks such as remote code execution, denial of service, privilege escalation, and information leakage. While it remains a widely used platform, this Apache Tomcat vulnerability highlights the critical need for administrators to stay up to date with security practices, patch management, and system hardening.

By adhering to CERT NZ’s advisory, applying the necessary updates, and maintaining strong security measures, organizations can protect their systems from cyber threats, safeguard sensitive data, and avoid security breaches.



Source: https://cyble.com/blog/cert-nz-warns-of-cve-2025-24813-in-tomcat/