
A newly discovered vulnerability, CVE-2025-24813, has been found in Apache Tomcat. This flaw may lead to Remote Code Execution (RCE), data exposure, or file corruption. Under certain conditions, attackers could execute malicious code or access and modify sensitive files. The Apache Software Foundation has issued an urgent security advisory, urging affected users to apply the latest security patches immediately.
This article provides an overview of CVE-2025-24813, shares real-world attack cases, and explains how to use Criminal IP Asset Search to identify exposed Apache Tomcat servers and mitigate the risk of exploitation.
CVE-2025-24813 Vulnerability: Path Equivalence and Partial PUT
Apache Tomcat is a widely used open-source web server for applications. CVE-2025-24813 is a recently disclosed vulnerability related to path equivalence handling and partial PUT requests in Tomcat. This flaw allows attackers to manipulate file paths using internal dots (e.g., file.Name), potentially leading to remote code execution, information disclosure, and the creation of files containing malicious content. The issue is particularly exploitable when write permissions are enabled in Tomcat’s default servlet.
Affected Versions
The Apache Software Foundation has announced that the following versions may be affected by CVE-2025-24813:
- Apache Tomcat 11: 11.0.0-M1 ~ 11.0.2
- Apache Tomcat 10: 10.1.0-M1 ~ 10.1.34
- Apache Tomcat 9: 9.0.0.M1 ~ 9.0.98
These versions may be vulnerable when Partial PUT is enabled. Users are strongly advised to upgrade to the latest available version. Detailed version information and patch notes can be found in the official Apache Security Advisory.
Exploitable Conditions
If CVE-2025-24813 is exploited, two main attack scenarios could occur.
- Information Leakage and Data Corruption:
  - Write permissions are enabled on the default servlet.
  - Partial PUT support is enabled.
  - The target URL for uploading sensitive files is a sub-directory of a publicly accessible upload URL.
  - The attacker must be aware of the name of the uploaded sensitive file, which is transferred via Partial PUT.
- Remote Code Execution (RCE):
  - Write permissions are enabled on the default servlet.
  - Partial PUT support is enabled.
  - The application uses Tomcat’s file-based session persistence with the default storage location.
  - The application includes a vulnerable library susceptible to deserialization attacks.
If all of these conditions are met, an attacker may gain control of the server through remote code execution or execute malicious code within the system.
Detecting Vulnerable Apache Tomcat Servers Using Criminal IP Asset Search
With the disclosure of the vulnerable versions and PoC for CVE-2025-24813, it is essential to verify whether the Apache Tomcat servers currently in use are affected and if the conditions required for exploitation are met. The version information of Apache Tomcat can be easily identified using Criminal IP Asset Search. By utilizing the three queries provided below, you can identify Apache Tomcat servers exposed to the internet and review their version details.
Search Query for Identifying Exposed Apache Tomcat Servers
Criminal IP Search Query: title: Apache Tomcat/9

According to the results of a search for “title: Apache Tomcat/9” on Criminal IP Asset Search, as of March 19, 2025, a total of 237,907 Apache Tomcat/9 servers were exposed to the internet.
Criminal IP Search Query: title: Apache Tomcat/10

According to the search results for “title: Apache Tomcat/10” on Criminal IP Asset Search, as of March 19, 2025, a total of 14,358 Apache Tomcat/10 servers were exposed to the internet.
Criminal IP Search Query: title: Apache Tomcat/11

According to the results of a Criminal IP Asset Search for “title: Apache Tomcat/11”, as of March 19, 2025, a total of 3,770 Apache Tomcat/11 servers were exposed to the internet.

As of March 19, 2025, a search conducted using Criminal IP Asset Search revealed that hundreds of thousands of Apache Tomcat servers are currently exposed to the internet. The IP address reports provide a quick overview of the versions in use, and many of the detected servers are running versions vulnerable to CVE-2025-24813, including 9.0.33, 10.1.7, and 11.0.0. In some specific IP reports, not only CVE-2025-24813 but also multiple Apache Tomcat CVEs dating back to 2021 were identified. Notably, several of these vulnerabilities have publicly available PoCs on GitHub, increasing the risk of exploitation.
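The title queries above only reveal the major release line, so each result still has to be checked against the ranges listed under Affected Versions. The following Python snippet is an added example, not part of the original article: it parses full Tomcat version strings (including the milestone notation used in those ranges), checks them against the listed ranges, and triages page titles such as “Apache Tomcat/9.0.33”. The banner strings are constructed, and any version outside the listed ranges is simply reported as not affected.

```python
import re
from typing import Dict, Iterable, Optional, Tuple

# Affected ranges exactly as listed under Affected Versions (inclusive).
AFFECTED_RANGES = [
    ("11.0.0-M1", "11.0.2"),
    ("10.1.0-M1", "10.1.34"),
    ("9.0.0.M1", "9.0.98"),
]
# Tomcat writes milestones as 11.0.0-M1 or 9.0.0.M1 and finals as 9.0.98.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")
_BANNER_RE = re.compile(r"Apache Tomcat/(\d+\.\d+\.\d+(?:[.-]M\d+)?)")

VersionKey = Tuple[int, int, int, int, int]


def parse_version(text: str) -> VersionKey:
    """Sortable key; field 4 is 0 for a milestone, 1 for the final release."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def is_affected(version: str) -> bool:
    """True when the version sits inside one of the listed ranges."""
    key = parse_version(version)
    return any(parse_version(lo) <= key <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES)


def version_from_banner(banner: str) -> Optional[str]:
    """Extract a full version from a title such as 'Apache Tomcat/9.0.33'."""
    # A major-only title ('Apache Tomcat/9') gives None: the search query
    # finds the server, but the patch level must be confirmed another way.
    m = _BANNER_RE.search(banner)
    return m.group(1) if m else None


def triage(banners: Iterable[str]) -> Dict[str, str]:
    """Map each constructed banner to 'affected', 'not affected' or 'unknown'."""
    verdicts: Dict[str, str] = {}
    for banner in banners:
        version = version_from_banner(banner)
        verdicts[banner] = ("unknown" if version is None
                            else "affected" if is_affected(version) else "not affected")
    return verdicts
```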
FAQ
Q1. Does the CVE-2025-24813 vulnerability affect all versions of Apache Tomcat?
The CVE-2025-24813 vulnerability does not impact all versions of Apache Tomcat. Instead, it affects specific versions within the following Tomcat release lines:
- Apache Tomcat 11: 11.0.0-M1 ~ 11.0.2
- Apache Tomcat 10: 10.1.0-M1 ~ 10.1.34
- Apache Tomcat 9: 9.0.0.M1 ~ 9.0.98
For more detailed information on the affected versions and technical details of CVE-2025-24813, refer to the Apache Security Advisory.
Q2. What are the additional security patches and mitigation measures?
The Apache Software Foundation has released a security patch addressing the vulnerability. Organizations running vulnerable systems can enhance their security posture by taking the following actions:
- Apply Latest Security Updates: Immediately update to the latest version of Apache Tomcat.
- Disable Default Servlet Write Access: Prevent potential attack vectors by disabling write permissions for the Default Servlet.
- Disable Partial PUT: Turn off the Partial PUT functionality if not required to reduce exposure.
- Restrict Network Access: Configure firewalls to block external access to the Apache Tomcat management interface.
- Enhance Log Monitoring and Detection: Monitor for abnormal requests and respond swiftly to security events.
- Leverage Attack Surface Management (ASM): Use Criminal IP ASM to quickly identify vulnerable versions and potential threats associated with Apache Tomcat, enabling proactive threat mitigation.
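The first two exploitation preconditions listed under Exploitable Conditions, and the second and third mitigations above, both come down to two DefaultServlet init-params in conf/web.xml. The following Python audit is an added example, not code from the original article or from the Tomcat project: it reads the DefaultServlet's readonly and allowPartialPut init-params, applies the defaults taken from the DefaultServlet documentation (readonly=true, allowPartialPut=true) when a parameter is absent, and reports each risky setting. Both web.xml fragments are constructed samples.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"
# Documented DefaultServlet defaults: write access off, partial PUT on.
DEFAULTS = {"readonly": "true", "allowPartialPut": "true"}

# Constructed sample: a conf/web.xml where uploads were switched on
# (readonly=false) and allowPartialPut was left at its default.
WEAK_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""

# Constructed sample with both configuration mitigations applied.
HARDENED_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>allowPartialPut</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""


def default_servlet_params(web_xml: str) -> Dict[str, str]:
    """Collect the DefaultServlet's init-params; {*} matches any XML namespace."""
    params: Dict[str, str] = {}
    for servlet in ET.fromstring(web_xml).iterfind(".//{*}servlet"):
        if (servlet.findtext("{*}servlet-class") or "").strip() != DEFAULT_SERVLET:
            continue
        for ip in servlet.findall("{*}init-param"):
            name = (ip.findtext("{*}param-name") or "").strip()
            params[name] = (ip.findtext("{*}param-value") or "").strip()
    return params


def audit(web_xml: str) -> List[str]:
    """Return one finding per risky setting; an empty list means both are off."""
    params = default_servlet_params(web_xml)
    effective = {k: params.get(k, v).strip().lower() for k, v in DEFAULTS.items()}
    findings: List[str] = []
    if effective["readonly"] != "true":
        findings.append("readonly=false: the default servlet accepts PUT and DELETE")
    if effective["allowPartialPut"] == "true":
        findings.append("allowPartialPut=true: disable unless partial PUT is required")
    return findings
```

A stock web.xml that sets neither parameter yields only the allowPartialPut finding, since the default servlet is read-only out of the box.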
Conclusion
CVE-2025-24813 poses a significant security threat to organizations operating Apache Tomcat servers, so it is essential to promptly apply security patches and implement proactive measures such as restricting network access. Additionally, it is important to utilize cybersecurity threat intelligence search engines like Criminal IP and attack surface management solutions like Criminal IP ASM for continuous monitoring and automated threat detection.
Apache Tomcat users should respond swiftly to this vulnerability and regularly assess their security posture to prevent similar threats in the future.
In relation to this, you can refer to CVE-2024-53900 CVE-2025-23061 RCE Vulnerabilities in Mongoose: Security Threats Exposure and Countermeasures.
Source: Criminal IP (https://www.criminalip.io/), ASF security updates (https://tomcat.apache.org/security.html), Hawkeye (https://hawk-eye.io/2025/03/critical-remote-code-execution-rce-vulnerability-in-apache-tomcat-cve-2025-24813/), NHS England (https://digital.nhs.uk/cyber-alerts/2025/cc-4633), NIST (https://nvd.nist.gov/vuln/detail/CVE-2025-24813)