WARNING: APACHE TOMCAT: POTENTIAL RCE AND/OR INFORMATION DISCLOSURE AND/OR INFORMATION CORRUPTION WITH PARTIAL PUT, PATCH IMMEDIATELY!

Published: 19/03/2025
  • Version: 1.0
  • Affected software: Apache Tomcat
    → 11.0.0-M1 - 11.0.2
    → 10.1.0-M1 - 10.1.34
    → 9.0.0.M1 - 9.0.98
  • Type: Potential RCE and/or information disclosure and/or information corruption
  • CVE/CVSS
    CVE-2025-24813: CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Sources

  • https://nvd.nist.gov/vuln/detail/CVE-2025-24813
  • https://tomcat.apache.org/security-11.html
  • https://tomcat.apache.org/security-10.html
  • https://tomcat.apache.org/security-9.html

Risks

In certain non-default conditions/configurations, CVE-2025-24813 allows an unauthenticated remote attacker to exploit a path equivalence flaw to view file system contents and/or add malicious content via a write-enabled Default Servlet in Apache Tomcat. This poses a significant threat to the Confidentiality, Integrity, and Availability (CIA) triad of information. In certain worst-case scenarios, successful exploitation of CVE-2025-24813 could lead to server takeover.
Shortly after the public announcement of this vulnerability on 2025-03-10, widespread scanning and exploitation attempts were observed.

Description

Apache Tomcat is an open-source web container developed by the Apache Software Foundation (ASF). Tomcat executes servlets and JavaServer Pages (JSP). It also handles communication between JSP pages and a web server.
The original implementation of partial PUT within Apache Tomcat used a temporary file whose name was derived from the user-provided file name and path, with the path separator replaced by ".".
If all of the following were true, a malicious user was able to view security-sensitive files and/or inject content into those files:

  • writes enabled for the default servlet (disabled by default)
  • support for partial PUT (enabled by default)
  • a target URL for security-sensitive uploads that is a sub-directory of a target URL for public uploads
  • attacker knowledge of the names of security-sensitive files being uploaded
  • the security-sensitive files also being uploaded via partial PUT

If all of the following were true, a malicious user was able to perform remote code execution:

  • writes enabled for the default servlet (disabled by default)
  • support for partial PUT (enabled by default)
  • the application was using Tomcat's file-based session persistence with the default storage location
  • the application included a library that may be leveraged in a deserialization attack

The issue was fixed in December 2024 for v9.x and in February 2025 for v10.x and v11.x. CVE-2025-24813 was made public on 10 March 2025. Exploitation in the wild started within a few days, following the publication of a PoC.
Red Hat rated this vulnerability as moderate rather than important because it requires multiple non-default configurations to be exploitable, which significantly limits its impact in typical deployments.

Recommended Actions

Identify

The Centre for Cybersecurity Belgium strongly recommends verifying the presence of Apache Tomcat within your environment. Note that this software might be bundled with other software.
Additionally, identify the servers that, based on their configuration, may be vulnerable to CVE-2025-24813, in order to prioritize which servers need patching first.

Patch

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.

Mitigate

If patching is not immediately possible, the Centre for Cybersecurity Belgium strongly recommends removing the prerequisites for successful exploitation:

  • Revert to the default servlet configuration (readonly="true")
  • Turn off partial PUT support
  • Avoid storing security-sensitive files in a subdirectory of public upload paths

Monitor / Detect

The CCB recommends that organizations scale up their monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via: https://ccb.belgium.be/en/cert/report-incident.
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

References

  • https://access.redhat.com/security/cve/cve-2025-24813