Exploitation of Apache Tomcat Vulnerability CVE-2025-24813

Summary

Exploitation of CVE-2025-24813 could allow an attacker to achieve RCE, view security sensitive files, or inject content


Affected platforms

The following platforms are known to be affected (versions before the fixed releases listed under Remediation steps):

  • Apache Tomcat 11.0.x prior to 11.0.3
  • Apache Tomcat 10.1.x prior to 10.1.35
  • Apache Tomcat 9.0.x prior to 9.0.99

Threat details

Exploitation of CVE-2025-24813

A public proof-of-concept exploit is available for CVE-2025-24813 and exploitation has been reported in the wild. The NHS England National CSOC assesses that continued exploitation of this vulnerability is considered highly likely.


Introduction

The Apache Software Foundation has released security updates addressing a vulnerability in Apache Tomcat. Tomcat is an open-source web server and servlet container that is used to deploy and serve Java-based web applications.

CVE-2025-24813 is a 'deserialisation of untrusted data' and 'path equivalence: file.name (internal dot)' vulnerability that an attacker could exploit to achieve remote code execution (RCE), view security sensitive files, or inject content into those files.

Exploitation of this vulnerability has been reported in the wild and a public proof-of-concept exploit has been released. The NHS England National CSOC assesses that continued exploitation of this vulnerability is considered highly likely.


Conditions required for exploitation

To achieve RCE, the following conditions must be true:

  • writes are enabled for the default servlet (disabled by default)
  • support for partial PUT is present (enabled by default)
  • the application uses Tomcat's file-based session persistence with the default storage location
  • the application includes a library that may be leveraged in a deserialisation attack

Alternatively, to view sensitive files or inject content into those files, the following prerequisite conditions must be met:

  • writes are enabled for the default servlet (disabled by default)
  • support for partial PUT is present (enabled by default)
  • a target URL for security sensitive uploads is a sub-directory of a target URL for public uploads
  • the attacker knows the names of the security sensitive files being uploaded
  • the security sensitive files are also uploaded via partial PUT
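The first three RCE preconditions above, and the version thresholds in the remediation steps, can all be read from a Tomcat installation's configuration. The following audit script is an added example and is not part of this advisory or of Apache Tomcat; it assumes the standard DefaultServlet init-params `readonly` and `allowPartialPut` in conf/web.xml and a `PersistentManager` with a `FileStore` in context.xml, and the XML it inspects is constructed sample input, not configuration from any real deployment.

```python
"""Audit a Tomcat instance for the CVE-2025-24813 preconditions listed above.

Added example, not part of the advisory. It parses conf/web.xml (default
servlet init-params 'readonly' and 'allowPartialPut') and a context.xml
(PersistentManager + FileStore) and checks the Tomcat version against the
fixed releases from the remediation steps. The XML below is constructed
sample input, not configuration taken from any real deployment.
"""
import re
import xml.etree.ElementTree as ET

# Fixed releases named in the advisory, keyed by Tomcat major.minor line.
FIXED_VERSIONS = {(9, 0): (9, 0, 99), (10, 1): (10, 1, 35), (11, 0): (11, 0, 3)}

# Constructed sample conf/web.xml: default servlet with writes enabled (readonly=false).
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
</web-app>
"""

# Constructed sample context.xml: file-based session persistence in the default directory.
SAMPLE_CONTEXT_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore"/>
  </Manager>
</Context>
"""


def _local(tag):
    """Strip an XML namespace prefix: '{uri}servlet' -> 'servlet'."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_params(web_xml):
    """Return init-params of the servlet named 'default', starting from Tomcat's defaults."""
    params = {"readonly": "true", "allowPartialPut": "true"}
    root = ET.fromstring(web_xml)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        children = {_local(c.tag): c for c in servlet}
        name_el = children.get("servlet-name")
        if name_el is None or (name_el.text or "").strip() != "default":
            continue
        for init_param in servlet:
            if _local(init_param.tag) != "init-param":
                continue
            kv = {_local(c.tag): (c.text or "").strip() for c in init_param}
            if "param-name" in kv:
                params[kv["param-name"]] = kv.get("param-value", "")
    return params


def file_session_persistence(context_xml):
    """Detect a PersistentManager backed by FileStore. 'default_location' is True when
    the Store carries no explicit 'directory' attribute (Tomcat then uses its work dir)."""
    root = ET.fromstring(context_xml)
    for manager in root.iter("Manager"):
        if not manager.get("className", "").endswith(".PersistentManager"):
            continue
        store = manager.find("Store")
        if store is not None and store.get("className", "").endswith(".FileStore"):
            return {"enabled": True, "default_location": store.get("directory") is None}
    return {"enabled": False, "default_location": False}


def version_is_fixed(version):
    """True if 'version' is at or above the fixed release for its line, False if below,
    None if the line is not one the advisory covers. Milestone suffixes (e.g. -M1) are ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError("unrecognised version string: %r" % version)
    parts = tuple(int(p) for p in m.groups())
    fixed = FIXED_VERSIONS.get(parts[:2])
    return None if fixed is None else parts >= fixed


def assess(web_xml, context_xml, version):
    """Combine the checks. The fourth RCE precondition (a deserialisation gadget library
    on the classpath) cannot be read from configuration, so it is not evaluated here."""
    params = default_servlet_params(web_xml)
    session = file_session_persistence(context_xml)
    f = {
        "default_servlet_writes": params["readonly"].lower() == "false",
        "partial_put": params["allowPartialPut"].lower() != "false",
        "file_session_persistence_default_dir": session["enabled"] and session["default_location"],
        "patched": version_is_fixed(version),
    }
    f["rce_config_preconditions_met"] = (
        f["patched"] is False
        and f["default_servlet_writes"]
        and f["partial_put"]
        and f["file_session_persistence_default_dir"]
    )
    return f


if __name__ == "__main__":
    for key, value in assess(SAMPLE_WEB_XML, SAMPLE_CONTEXT_XML, "9.0.98").items():
        print("%-40s %s" % (key, value))
```

Run against a real instance by reading conf/web.xml and the relevant context.xml into the two string arguments and passing the version reported by `catalina.sh version`; a result where `rce_config_preconditions_met` is True means the configuration side of the RCE chain is fully in place and the instance should be upgraded first, with `readonly` restored to `true` as an interim measure if the upgrade cannot be applied immediately.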

Remediation advice

Affected organisations are encouraged to review the following advisories and apply the relevant updates as soon as practicable.


Remediation steps

Type and step:

  • Guidance: Update to Apache Tomcat 11.0.3 or later. See https://tomcat.apache.org/security-11.html
  • Guidance: Update to Apache Tomcat 10.1.35 or later. See https://tomcat.apache.org/security-10.html
  • Guidance: Update to Apache Tomcat 9.0.99 or later. See https://tomcat.apache.org/security-9.html


Last edited: 17 March 2025 4:13 pm