A remote code execution (RCE) vulnerability in Apache Tomcat, tracked as CVE-2025-24813, is being exploited in the wild. The flaw, which can give an attacker code execution on an affected server, is triggered with a crafted PUT request. Researchers have confirmed that attackers are actively using proof-of-concept (PoC) exploits, which were published on GitHub about 30 hours after the vulnerability was disclosed.
The vulnerability, disclosed by Apache on March 10, 2025, is a path-equivalence bug in how Tomcat handles partial PUT requests (requests carrying a Content-Range header). Exploitation requires that writes are enabled for the default servlet (readonly=false, which is not the default) and that partial PUT support is enabled (the default). Under those conditions an attacker sends a PUT request whose body is a serialized Java object, and Tomcat writes it into the same work directory from which its file-based session persistence (FileStore, which must be explicitly configured) loads sessions.
Once the file is in place, the attacker sends a GET request with a JSESSIONID cookie that names the planted file. Tomcat loads and deserializes it as if it were a persisted session; if a library with a usable deserialization gadget chain is on the application's classpath, the deserialization runs attacker-controlled code and the attacker gains control of the server.
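The two-step sequence above (a PUT that plants a file, then a GET with a JSESSIONID that steers Tomcat at it) leaves a recognisable trace in access logs. The following Python script is an added example, not code from the original report or from Wallarm: it applies two heuristics to constructed Tomcat access-log lines, flagging PUT requests whose target ends in .session and JSESSIONID values that do not look like Tomcat-generated IDs, and reports clients that show both. It assumes an AccessLogValve pattern that records the JSESSIONID cookie (the default pattern logs no cookie); the log lines, IP addresses and paths are invented for illustration.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (not real traffic). They assume an
# AccessLogValve pattern that also records the JSESSIONID cookie, e.g.
#   pattern='%h %t "%r" %s %b "%{JSESSIONID}c"'
# Tomcat's default pattern logs no cookie, so heuristic 2 needs that field.
SAMPLE_LOG = """\
203.0.113.7 [12/Mar/2025:12:00:01 +0000] "PUT /app/payload.session HTTP/1.1" 204 0 "-"
203.0.113.7 [12/Mar/2025:12:00:03 +0000] "GET /app/ HTTP/1.1" 500 0 ".payload"
198.51.100.2 [12/Mar/2025:12:00:05 +0000] "GET /app/index.jsp HTTP/1.1" 200 1234 "A1B2C3D4E5F60718293A4B5C6D7E8F90"
198.51.100.9 [12/Mar/2025:12:00:06 +0000] "GET /app/index.jsp HTTP/1.1" 200 1234 "A1B2C3D4E5F60718293A4B5C6D7E8F90.node1"
"""

# Regex for the constructed log format described above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<sid>[^"]*)"$'
)
# A session ID from Tomcat's default generator: 32 hex characters, optionally
# followed by ".<jvmRoute>" on clustered nodes.
NORMAL_SID_RE = re.compile(r'^[0-9A-Fa-f]{32}(\.[A-Za-z0-9_-]+)?$')


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def scan(lines):
    """Return per-client findings: {ip: [reason, ...]}."""
    findings = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        # Heuristic 1: a PUT whose target ends in ".session" is the write that
        # plants a file shaped like a persisted session.
        if rec['method'] == 'PUT' and rec['uri'].lower().endswith('.session'):
            findings[rec['ip']].append(
                f"PUT of a .session resource {rec['uri']} (status {rec['status']})")
        # Heuristic 2: a JSESSIONID that is not a generated ID (for example a
        # path-like value) is the attacker pointing FileStore at that file.
        sid = rec['sid']
        if sid not in ('', '-') and not NORMAL_SID_RE.match(sid):
            findings[rec['ip']].append(
                f"non-standard JSESSIONID {sid!r} on {rec['method']} {rec['uri']}")
    return dict(findings)


def likely_exploit_attempts(lines):
    """Clients that both planted a .session file and presented an odd session ID."""
    hits = set()
    for ip, reasons in scan(lines).items():
        planted = any(r.startswith('PUT of') for r in reasons)
        odd_sid = any(r.startswith('non-standard') for r in reasons)
        if planted and odd_sid:
            hits.add(ip)
    return hits


if __name__ == '__main__':
    lines = SAMPLE_LOG.splitlines()
    for ip, reasons in scan(lines).items():
        for reason in reasons:
            print(f"{ip}: {reason}")
    print("likely exploitation attempts:", likely_exploit_attempts(lines))
```

On a real log the correlation should also be bounded by a time window and by the web application (the PUT and the GET target the same context); either heuristic on its own is a lead, and the pair from one client is the strong signal.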
“The attack is dead simple to execute and requires no authentication,” Wallarm security researchers noted. “The only requirement is that Tomcat is using file-based session storage, which is common in many deployments. Worse, base64 encoding allows the exploit to bypass most traditional security filters, making detection challenging.”
The flaw affects Apache Tomcat 11.0.0-M1 through 11.0.2, 10.1.0-M1 through 10.1.34, and 9.0.0-M1 through 9.0.98.
The vendor recommends upgrading to Apache Tomcat 11.0.3, 10.1.35 or 9.0.99, or later. Deployments that cannot patch immediately can remove the preconditions of the attack: keep the default servlet read-only (readonly=true, the default) and do not persist sessions with FileStore in the default work directory.
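An added example, not from Apache or the original article: the Python audit below checks a Tomcat version string against the affected and fixed ranges listed above, and inspects web.xml and context.xml content for the preconditions Apache attaches to the RCE path, namely a writable default servlet (readonly=false), partial PUT enabled (the allowPartialPut init-param, true by default) and FileStore session persistence with no explicit directory, which puts the session files in the web application's work directory. The configuration fragments are constructed for illustration. The fourth precondition, a deserialization gadget library on the classpath, cannot be read from these files and is left to a separate classpath review.

```python
import re
import xml.etree.ElementTree as ET

# Affected and fixed ranges exactly as given in the advisory text above.
AFFECTED_FROM = {11: '11.0.0-M1', 10: '10.1.0-M1', 9: '9.0.0-M1'}
FIXED_IN = {11: '11.0.3', 10: '10.1.35', 9: '9.0.99'}

VERSION_RE = re.compile(r'^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$')


def version_key(version):
    """Sortable tuple; a milestone such as 11.0.0-M1 sorts before final 11.0.0."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version {version!r}")
    major, minor, patch, milestone = m.groups()
    return (int(major), int(minor), int(patch), 0 if milestone else 1, int(milestone or 0))


def version_status(version):
    """'affected', 'fixed', or 'unlisted' (a branch the advisory does not list, e.g. EOL 10.0.x)."""
    key = version_key(version)
    major = key[0]
    if major not in FIXED_IN or key < version_key(AFFECTED_FROM[major]):
        return 'unlisted'
    return 'affected' if key < version_key(FIXED_IN[major]) else 'fixed'


def _local(tag):
    """Strip the XML namespace that web.xml declares on its elements."""
    return tag.rsplit('}', 1)[-1]


def default_servlet_params(web_xml):
    """init-params of the servlet named 'default' in a web.xml string."""
    params = {}
    for servlet in ET.fromstring(web_xml).iter():
        if _local(servlet.tag) != 'servlet':
            continue
        names = [(c.text or '').strip() for c in servlet if _local(c.tag) == 'servlet-name']
        if names != ['default']:
            continue
        for init_param in servlet:
            if _local(init_param.tag) == 'init-param':
                kv = {_local(c.tag): (c.text or '').strip() for c in init_param}
                params[kv.get('param-name')] = kv.get('param-value')
    return params


def audit(web_xml, context_xml):
    """Evaluate the three preconditions that are visible in configuration files."""
    p = default_servlet_params(web_xml)
    # DefaultServlet defaults: readonly=true, allowPartialPut=true.
    writable = p.get('readonly', 'true').strip().lower() == 'false'
    partial_put = p.get('allowPartialPut', 'true').strip().lower() != 'false'
    file_store = default_dir = False
    for store in ET.fromstring(context_xml).iter('Store'):
        if store.get('className', '').endswith('.FileStore'):
            file_store = True
            # No 'directory' attribute: FileStore uses the web app's work directory.
            default_dir = store.get('directory') is None
    return {
        'default_servlet_writable': writable,
        'partial_put_enabled': partial_put,
        'file_store': file_store,
        'file_store_in_default_dir': file_store and default_dir,
        'preconditions_met': writable and partial_put and file_store and default_dir,
    }


# Constructed configuration fragments (assumed for this example, not from a real deployment).
VULNERABLE_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""
HARDENED_WEB_XML = VULNERABLE_WEB_XML.replace(
    '<param-value>false</param-value>', '<param-value>true</param-value>')
FILESTORE_CONTEXT_XML = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore"/>
  </Manager>
</Context>"""
DEFAULT_CONTEXT_XML = "<Context/>"

if __name__ == '__main__':
    for v in ('9.0.98', '9.0.99', '11.0.0-M1', '10.0.27'):
        print(v, version_status(v))
    print(audit(VULNERABLE_WEB_XML, FILESTORE_CONTEXT_XML))
    print(audit(HARDENED_WEB_XML, FILESTORE_CONTEXT_XML)['preconditions_met'])
```

A version in an affected range with all three configuration flags true is the case to treat as urgent; a patched version, or a read-only default servlet, closes this path regardless of the other settings.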
Last week, Akamai researchers warned that CVE-2025-1316, a flaw in Edimax IC-7100 cameras, is being actively exploited by several Mirai-based botnets. The same botnets also abuse other known vulnerabilities, including an exposed Docker API. In a security advisory, Edimax acknowledged the vulnerability but said no security patches or firmware updates will be released because that model was discontinued more than ten years ago and no longer receives technical support or firmware updates.