A new remote code execution (RCE) vulnerability in Apache Tomcat servers, tracked as CVE-2025-24813, is being exploited in the wild. A proof of concept (POC) was released earlier, and given the volume of activity and Tomcat's pervasive use, attackers will likely attempt mass exploitation.
Exploitation can occur through a malformed PUT request to the API when the following conditions are met:
- Writes enabled for the default servlet (readonly="false") (disabled by default).
- Support for partial PUT (enabled by default).
- A target URL for security-sensitive uploads that is a sub-directory of a target URL for public uploads.
- Attacker knowledge of the names of the security-sensitive files being uploaded.
- The security-sensitive files are also being uploaded via partial PUT.
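The first two conditions above are plain configuration settings on Tomcat's default servlet, so they can be audited directly from conf/web.xml. The following script is an added example (it is not CyberMaxx's or Apache's code) that parses a web.xml, locates the servlet backed by org.apache.catalina.servlets.DefaultServlet, and reports whether writes are enabled (readonly=false) and whether partial PUT is still on. The readonly parameter is the one named in the advisory; the allowPartialPut parameter name and its default of true are assumptions taken from the DefaultServlet documentation and should be checked against the docs for your Tomcat version. The two web.xml fragments are constructed samples.

```python
"""Audit a Tomcat conf/web.xml for the DefaultServlet settings that gate
CVE-2025-24813 exploitation: writes enabled (readonly=false) and partial
PUT support. Added example, not code from the advisory or from Apache."""
import xml.etree.ElementTree as ET

DEFAULT_SERVLET_CLASS = "org.apache.catalina.servlets.DefaultServlet"

# Constructed sample: the risky configuration. Writes are enabled and
# partial PUT is left at its default (on).
WEAK_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""

# Constructed sample: the hardened configuration. readonly is back to
# true and partial PUT is switched off explicitly.
HARDENED_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>true</param-value>
    </init-param>
    <init-param>
      <param-name>allowPartialPut</param-name>
      <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""


def _local(tag):
    """Strip the XML namespace so {ns}servlet and servlet compare equal."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_params(web_xml):
    """Return the init-params of the DefaultServlet, or None if not declared."""
    root = ET.fromstring(web_xml)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        servlet_class, params = None, {}
        for child in servlet:
            name = _local(child.tag)
            if name == "servlet-class":
                servlet_class = (child.text or "").strip()
            elif name == "init-param":
                pname = pvalue = None
                for leaf in child:
                    if _local(leaf.tag) == "param-name":
                        pname = (leaf.text or "").strip()
                    elif _local(leaf.tag) == "param-value":
                        pvalue = (leaf.text or "").strip()
                if pname is not None:
                    params[pname] = pvalue
        if servlet_class == DEFAULT_SERVLET_CLASS:
            return params
    return None


def _as_bool(value, default):
    """Interpret a Tomcat boolean init-param, falling back to its default."""
    if value is None:
        return default
    return value.strip().lower() == "true"


def assess(web_xml):
    """Report the two configuration conditions from the advisory.

    readonly defaults to true (writes disabled) as the advisory states.
    allowPartialPut defaulting to true is an assumption from the
    DefaultServlet docs; verify it for the Tomcat version in use.
    """
    params = default_servlet_params(web_xml)
    if params is None:
        return {"default_servlet_found": False, "writes_enabled": False,
                "partial_put_enabled": True, "both_conditions_met": False}
    writes_enabled = not _as_bool(params.get("readonly"), True)
    partial_put = _as_bool(params.get("allowPartialPut"), True)
    return {"default_servlet_found": True,
            "writes_enabled": writes_enabled,
            "partial_put_enabled": partial_put,
            "both_conditions_met": writes_enabled and partial_put}


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_WEB_XML), ("hardened", HARDENED_WEB_XML)):
        print(label, assess(doc))
```

Run it against a real file with `assess(open("conf/web.xml").read())`. A result with both_conditions_met set to True means only the remaining three conditions (upload path layout, file-name knowledge, partial PUT of sensitive files) stand between the server and the exploited state, so that host belongs at the front of the patch queue regardless of whether those are known to hold.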
Multiple sources have confirmed that this vulnerability is being actively exploited in the wild, utilizing a POC that was posted 2025-03-17.
Patched versions are available, and it is recommended to immediately download and patch the affected servers running Apache Tomcat. Due to active exploitation of this vulnerability, the CyberMaxx team recommends a full compromise assessment.
CyberMaxx is monitoring the situation and will provide updates and remediation guidelines as they become available over the coming days.