) exploit released for the flaw, CVE-2025-24813, just 30 hours after it was publicly disclosed.”A devastating new remote code execution (RCE) vulnerability is now actively exploited in the wild,” Wallarm said in a blog post. “Attackers need just one PUT API request to take over vulnerable Apache Tomcat servers.”PUT API requests are used to update or replace a resource on the server. Wallarm warns the attack is difficult to detect as these PUT requests look normal without obvious malicious content, and use base64 encryption for evasion. The exploit detected by Wallarm leveraged two of Tomcat’s provisionsa default session persistence mechanism, and the support for partial PUT requests.The attack begins with threat actors issuing a PUT request to upload a malicious session file to the server. This file contains a Base64-encoded ysoserial gadget chain, engineered to execute remote code upon deserialization. The request creates a file within Tomcat’s session storage directory.Due to Tomcat’s default settings of storing session data as files, the malicious payload gets written to disk, awaiting deserialization. The attacker then triggers deserialization with a GET request using the malicious JSESSIONID. Tomcat retrieves, deserializes, and executes the payload, granting remote access.”This attack is dead simple to execute and requires no authentication,” Wallarm added. “The only requirement is that Tomcat is using file-based session storage, which is common in many deployments.” Fixed versions available: While the vulnerability has yet to receive a CVSS severity rating, the company rated it as “important” in its disclosure.The affected versions include Apache Tomcat: 11.0.0-M1 to 11.0.2,10.1.0-M1 to 10.1.34, and 9.0.0 M1 to 9.0.98. Respective fixed versions include 11.0.3 or later, 10.1.35 or later, and 9.0.99 or later.Wallarm detected the first attack coming from Poland on March 12, a few days before the first public exploit was released on GitHub.”While this exploit abuses session storage, the bigger issue is partial PUT handling in Tomcat, which allows uploading practically any file anywhere,” Wallarm said in the blog. “Attackers will soon start shifting their tactics, uploading malicious JSP files, modifying configurations, and planting backdoors outside session storage.”
First seen on csoonline.com
Jump to article: www.csoonline.com/article/3847956/tomcat-put-to-active-abuse-as-apache-deals-with-critical-rce-flaw.html
