By simply sending HTTP requests, attackers can trigger the deserialisation of malicious data in Tomcat’s session storage and gain control.

Apache Tomcat is under attack as cybercriminals actively exploit a recently disclosed vulnerability, enabling remote code execution (RCE). With simple HTTP requests, attackers can trigger the deserialisation of malicious data and gain control over affected systems.
The vulnerability, CVE-2025-24813, was disclosed by Apache on March 10, and the first proof of concept appeared on GitHub about 30 hours later, posted by user iSee857. Soon after, security firm Wallarm reported seeing it exploited in the wild, warning that the attacks are hard for traditional security filters to catch: the requests look like ordinary PUT and GET traffic, and the malicious payload is base64-encoded.
First, an attacker sends a partial PUT request (a PUT carrying a Content-Range header) whose body is a base64-encoded, serialised Java object. Tomcat's default servlet writes that body to a file, and because the file lands where Tomcat's file-based session persistence keeps its sessions, it is indistinguishable from a legitimately saved session. Then the attacker sends a GET request with a JSESSIONID cookie pointing to the malicious session.
When Tomcat processes this request, it loads and deserialises the session file without validating its contents. If a library on the application's classpath offers a usable deserialisation gadget chain, the embedded Java code runs with the privileges of the Tomcat process, giving the attacker full remote access.
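The two-step sequence above (partial PUT, then a GET presenting a session id that Tomcat never issued) is something a defender can hunt for in access logs. The script below is an added example written for this article, not code from Wallarm, Apache or the original page. It assumes the access log was produced with a custom AccessLogValve pattern that records the Content-Range and Cookie request headers (the stock pattern logs neither), assumes the default session id generator (32 upper-case hex characters, optionally followed by ".jvmRoute"), and runs over a handful of constructed log lines.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log. Assumed AccessLogValve pattern:
#   %h %t "%r" %s "%{Content-Range}i" "%{Cookie}i"
# The IPs, paths and session ids are made up for this example.
SAMPLE_LOG = """\
10.0.0.5 [12/Mar/2025:10:00:01 +0000] "GET /app/index.html HTTP/1.1" 200 "-" "JSESSIONID=9A8B7C6D5E4F3A2B1C0D9E8F7A6B5C4D"
203.0.113.9 [12/Mar/2025:10:00:05 +0000] "PUT /app/upload/session HTTP/1.1" 409 "bytes 0-1023/1024" "-"
203.0.113.9 [12/Mar/2025:10:00:07 +0000] "GET /app/ HTTP/1.1" 200 "-" "JSESSIONID=.upload"
10.0.0.7 [12/Mar/2025:10:00:09 +0000] "PUT /app/docs/report.txt HTTP/1.1" 204 "-" "JSESSIONID=1234ABCD1234ABCD1234ABCD1234ABCD"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) "(?P<crange>[^"]*)" "(?P<cookie>[^"]*)"$'
)
# Tomcat's default session id generator emits 16 random bytes as 32 upper-case hex
# characters, optionally suffixed with ".<jvmRoute>". This assumes the default
# generator and id length; a custom sessionIdLength would need a different pattern.
SESSION_ID_RE = re.compile(r'^[0-9A-F]{32}(\.[A-Za-z0-9_-]+)?$')
TS_FMT = '%d/%b/%Y:%H:%M:%S %z'


def parse_line(line):
    """Split one access-log line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event['ts'] = datetime.strptime(event['ts'], TS_FMT)
    return event


def jsessionid(cookie_header):
    """Extract the JSESSIONID value from a raw Cookie header, or None if absent."""
    for part in cookie_header.split(';'):
        name, _, value = part.strip().partition('=')
        if name == 'JSESSIONID':
            return value
    return None


def find_suspicious(log_text, window=timedelta(minutes=5)):
    """Return (kind, source_ip, detail) findings for the PUT-then-session-load pattern.

    kinds: 'partial_put'          - a PUT carrying Content-Range (only the default
                                    servlet with writes enabled would honour it)
           'foreign_session_id'   - a JSESSIONID Tomcat could not have generated
           'put_then_session_load'- a foreign id presented by a source that sent a
                                    partial PUT within `window` beforehand
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    findings = []
    partial_puts = []
    for e in events:
        if e['method'] == 'PUT' and e['crange'] not in ('', '-'):
            findings.append(('partial_put', e['ip'], e['path']))
            partial_puts.append(e)
        sid = jsessionid(e['cookie'])
        if sid is not None and not SESSION_ID_RE.match(sid):
            findings.append(('foreign_session_id', e['ip'], sid))
            # Correlate with an earlier partial PUT from the same source.
            if any(p['ip'] == e['ip'] and timedelta(0) <= e['ts'] - p['ts'] <= window
                   for p in partial_puts):
                findings.append(('put_then_session_load', e['ip'], sid))
    return findings


if __name__ == '__main__':
    for finding in find_suspicious(SAMPLE_LOG):
        print(finding)
```

The source-address correlation is a convenience, not a requirement: an attacker can send the PUT and the GET from different hosts, so the two weaker signals (any partial PUT reaching the default servlet, any session id that does not look Tomcat-generated) are worth alerting on individually.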
No authentication is required, but according to Apache's security note an application is only exposed to the remote code execution if all of the following hold: writes are enabled for the default servlet (it is read-only by default); partial PUT support is enabled (the default); the application uses Tomcat's file-based session persistence with the default storage location; and the application includes a library that can be leveraged in a deserialisation attack.
Separately from remote code execution, the vulnerability lets attackers view or modify security-sensitive files when writes are enabled for the default servlet, partial PUT support is enabled, a target URL for security-sensitive uploads is a sub-directory of a target URL for public uploads, the attacker knows the names of the security-sensitive files being uploaded, and those files are themselves uploaded via partial PUT.
With these conditions fulfilled, the affected releases are Tomcat 11.0.0-M1 through 11.0.2, 10.1.0-M1 through 10.1.34, and 9.0.0-M1 through 9.0.98.
To fix the vulnerability, Apache recommends upgrading to Tomcat 11.0.3 or later, 10.1.35 or later, or 9.0.99 or later, depending on the branch in use. Where an upgrade cannot be applied immediately, the exposure can be cut off by turning off partial PUT support, leaving writes disabled for the default servlet (the default), and not storing security-sensitive files in directories that are publicly accessible.
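The two default-servlet settings in those workarounds live as init-params in Tomcat's conf/web.xml (or an application's own WEB-INF/web.xml), and the safe values are the defaults: readonly is true unless someone changed it, and allowPartialPut is true unless someone turned it off. The audit below is an added example written for this article, not code from Apache or the original page. It embeds two constructed web.xml excerpts, one with writes switched on for the default servlet and partial PUT left enabled, and one hardened, and reports whether the partial-PUT upload path is open. The parameter names readonly and allowPartialPut are Tomcat's own; the file contents are constructed.

```python
import xml.etree.ElementTree as ET

DEFAULT_SERVLET_CLASS = 'org.apache.catalina.servlets.DefaultServlet'

# Constructed excerpt: an administrator enabled writes (readonly=false) and left
# partial PUT at its default (enabled), which is the exposed configuration.
WEAK_WEB_XML = """\
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <init-param><param-name>listings</param-name><param-value>false</param-value></init-param>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""

# Constructed excerpt: the same servlet with writes off and partial PUT disabled.
HARDENED_WEB_XML = """\
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>allowPartialPut</param-name><param-value>false</param-value></init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""


def _local(tag):
    """Strip the XML namespace so the check works for javaee and jakartaee schemas alike."""
    return tag.rsplit('}', 1)[-1]


def _child_text(element, name):
    for child in element:
        if _local(child.tag) == name and child.text is not None:
            return child.text.strip()
    return None


def default_servlet_params(web_xml_text):
    """Return the init-params of the default servlet as a dict, or {} if none is declared."""
    root = ET.fromstring(web_xml_text)
    for servlet in root.iter():
        if _local(servlet.tag) != 'servlet':
            continue
        if (_child_text(servlet, 'servlet-name') == 'default'
                or _child_text(servlet, 'servlet-class') == DEFAULT_SERVLET_CLASS):
            params = {}
            for init_param in servlet:
                if _local(init_param.tag) == 'init-param':
                    name = _child_text(init_param, 'param-name')
                    if name:
                        params[name] = _child_text(init_param, 'param-value')
            return params
    return {}


def assess(web_xml_text):
    """Evaluate the two settings the workarounds concern, applying Tomcat's defaults
    (readonly=true, allowPartialPut=true) when a parameter is absent."""
    params = default_servlet_params(web_xml_text)
    writes_enabled = (params.get('readonly') or 'true').lower() == 'false'
    partial_put = (params.get('allowPartialPut') or 'true').lower() != 'false'
    return {
        'writes_enabled': writes_enabled,
        'partial_put_enabled': partial_put,
        # Both must be true for the partial-PUT upload primitive to be reachable.
        'partial_put_upload_exposed': writes_enabled and partial_put,
    }


if __name__ == '__main__':
    print('weak:    ', assess(WEAK_WEB_XML))
    print('hardened:', assess(HARDENED_WEB_XML))
```

A web.xml that declares no default servlet at all comes out as not exposed, because the parameters fall back to their safe defaults; this check is about the default-servlet upload path only and says nothing about the other preconditions (file-based session persistence, a gadget library on the classpath), which have to be reviewed in context.xml and the application's dependencies.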
Wallarm researchers warn that this vulnerability highlights the possibility of other security flaws emerging due to Tomcat’s handling of partial PUT requests “which allows uploading practically any file anywhere”.
“Attackers will soon start shifting their tactics, uploading malicious JSP files, modifying configurations, and planting backdoors outside session storage,” they wrote in a blog post. “This is just the first wave.”
Fiona Jackson is a news writer who started her journalism career at SWNS press agency, later working at MailOnline, an advertising agency, and TechnologyAdvice. Her work spans human interest and consumer tech reporting, appearing in prominent media outlets such as TechHQ, The Independent, Daily Mail, and The Sun.