Less than a week after the rollout of patches for a critical remote code execution vulnerability in Apache Tomcat, exploit code has been published on a Chinese forum showing how to hijack servers with a single PUT request.
According to a bulletin from Wallarm, there are signs the bug is being exploited in the wild prior to the release of exploit code.
The Apache Tomcat vulnerability, tagged as CVE-2025-24813 and patched last Monday with an important-severity rating, affects Apache Tomcat 11.0.0-M1 to 11.0.2, 10.1.0-M1 to 10.1.34, and 9.0.0.M1 to 9.0.98.
“This attack is dead simple to execute and requires no authentication. The only requirement is that Tomcat is using file-based session storage, which is common in many deployments,” Wallarm said in a note warning about in-the-wild exploitation.
“Worse, base64 encoding allows the exploit to bypass most traditional security filters, making detection challenging,” the company added.
In the attacks observed, Wallarm said a PUT request was sent containing a base64-encoded serialized Java payload saved to Tomcat’s session storage.
The attacker then sends a GET request with a JSESSIONID cookie pointing to the uploaded session file, forcing Tomcat to deserialize and execute the malicious Java code, granting complete control to the attacker.
The attack does not require authentication and is caused by Tomcat accepting partial PUT requests and its default session persistence, Wallarm explained.
Last Monday, the Apache Foundation published a security advisory warning users that, under certain conditions, an attacker could view or inject arbitrary content on security-sensitive files.
The conditions were the following:
- Writes enabled for the default servlet (readonly= “false”) — (Disabled by default)
- Support for partial PUT is enabled (Enabled by default.)
- Security-sensitive uploads occur in a sub-directory of a public upload directory.
- The attacker knows the names of security-sensitive files being uploaded.
- These security-sensitive files are being uploaded using partial PUT.
Apache recommended that all users upgrade to Tomcat versions 11.0.3+, 10.1.35+, or 9.0.99+ to mitigate this threat.
Tomcat users can also revert to the default servlet configuration (readonly= “true”), turning off partial PUT support, and avoiding storing security-sensitive files in a subdirectory of public upload paths.
Wallarm warns that the bigger issue highlighted in this case isn’t the exploitation activity itself but the potential for more RCE vulnerabilities arising from the partial PUT handling in Tomcat.
“Attackers will soon start shifting their tactics, uploading malicious JSP files, modifying configurations, and planting backdoors outside session storage. This is just the first wave,” Wallarm declared.
Related: Apache Foundation Calls Out Open-Source Leechers
Related: Exploits Swirling for Major Security Defect in Apache Log4j
Related: Exploitation of Recent Critical Apache Struts 2 Flaw Begins
Related: Apache Makes Another Attempt at Patching Exploited RCE in OFBiz
Related: Second Apache OFBiz Vulnerability Exploited in Attacks
