Apache Tomcat: CVE-2025-24813: Active Exploitation

March 31, 2025, 11:26 a.m.

Description

A critical path equivalence vulnerability in Apache Tomcat, CVE-2025-24813, allows unauthenticated attackers to execute arbitrary code on vulnerable servers under specific conditions. The vulnerability affects Tomcat versions 11.0.0-M1 to 11.0.2, 10.1.0-M1 to 10.1.34, 9.0.0.M1 to 9.0.98, and certain 8.5.x versions. Exploitation requires specific server configurations and involves sending malicious PUT and GET requests. Six malicious IP addresses have been identified attempting to exploit this vulnerability, targeting systems in the US, Japan, Mexico, South Korea, and Australia. Multiple proof-of-concept exploits have been published, increasing the likelihood of ongoing exploitation attempts. Users are advised to upgrade to patched versions or implement network-level controls to restrict access to the Tomcat server.

External References

https://www.recordedfuture.com/blog/apache-tomcat-cve-2025-24813-vulnerability-analysis
https://otx.alienvault.com/pulse/67e6c6b6dd57e4c62a1a8d1f
https://cms.recordedfuture.com/uploads/format_webp/introducing_cve_monthly_f4f1f80388.jpg
Tags
vulnerability
exploitation
remote code execution
CVE-2025-24813
patching
2025-03-28
path equivalence
apache tomcat

Date

  • Created: March 28, 2025, 3:56 p.m.
  • Published: March 28, 2025, 3:56 p.m.
  • Modified: March 31, 2025, 11:26 a.m.

Attack Patterns

  • T1565.001
  • T1505.003
  • T1213
  • T1203
  • T1082
  • T1083
  • T1190
  • T1059

Additional Informations

  • British Indian Ocean Territory
  • Hong Kong
  • Singapore
  • India
  • Australia
  • Taiwan
  • China
  • Japan
  • Indonesia
  • Mexico
  • Pakistan
  • United States of America