A critical vulnerability in Apache Tomcat is being actively exploited online that could allow attackers to take over vulnerable servers with a single PUT API request.
Designated CVE-2025-24813, the vulnerability lies in the way Tomcat processes PUT requests: a specially crafted request body can be written to disk and later deserialized by the server, and it is in that deserialization step that the flaw is triggered.
“This request writes a file inside Tomcat’s session storage directory,” explained researchers with security provider Wallarm.
“Because Tomcat automatically saves session data in files, the malicious payload is now stored on disk, waiting to be deserialized.”
According to the Wallarm team, the vulnerability stems from the way Tomcat retrieves and processes the stored Java payload. An attacker can bypass code checks and security protections to execute their code directly.
A single PUT request can carry a payload that causes the target system to read and execute otherwise unauthorized commands. The result is a complete takeover of the targeted server, including the ability to download and execute further malware. For that reason the vulnerability has been given a "critical" severity rating.
CVE-2025-24813 attack "dead simple" to execute on vulnerable servers
Wallarm’s researchers said the attack is particularly heinous in the way it conceals its malicious components: the instructions that infect the target with the malware remain Base64-encoded until it is time to unpack and install the malware controller.
“This attack is dead simple to execute and requires no authentication. The only requirement is that Tomcat is using file-based session storage, which is common in many deployments,” Wallarm explained.
“Worse, base64 encoding allows the exploit to bypass most traditional security filters, making detection challenging.”
Wallarm (which sells a security platform positioned as an alternative to web application firewalls) said this particular attack exposes a weakness in application firewalls, because it relies on a fundamental flaw in the way servers handle specific HTTP requests.
Users and administrators are advised to update their installations to version 11.0.3, 10.1.35 or 9.0.98. Wallarm researchers, however, said the vulnerability is symptomatic of a larger flaw in Tomcat's request handling that will keep presenting new security holes to threat actors.
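The article names three conditions that matter to a defender: the fixed versions (11.0.3, 10.1.35, 9.0.98), that the server must accept PUT requests at all, and that file-based session storage must be in use. The following audit script is an added example written for this article, not Wallarm's or the Tomcat project's code. It assumes the standard Tomcat configuration files: the `readonly` init-param of `org.apache.catalina.servlets.DefaultServlet` in conf/web.xml controls whether PUT is accepted (it defaults to true, so PUT is rejected unless an administrator set it to false; the article does not mention this parameter), and a `PersistentManager` with a `FileStore` in context.xml is one way file-based session storage is configured. The XML snippets below are constructed samples, not real deployment files.

```python
import re
import xml.etree.ElementTree as ET

# Fixed versions per the article, keyed by major release branch.
FIXED_VERSIONS = {9: (9, 0, 98), 10: (10, 1, 35), 11: (11, 0, 3)}

DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"
FILE_STORE = "org.apache.catalina.session.FileStore"


def _local(tag: str) -> str:
    """Strip the XML namespace: '{ns}servlet' -> 'servlet'."""
    return tag.rsplit("}", 1)[-1]


def parse_version(version: str) -> tuple:
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    return tuple(int(x) for x in m.groups())


def version_is_fixed(version: str):
    """True if the version is at or above the fixed release for its branch.

    Returns None for a branch the article's advisory does not cover.
    """
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[0])
    if fixed is None:
        return None
    return v >= fixed


def default_servlet_readonly(web_xml: str) -> bool:
    """True if DefaultServlet rejects PUT (readonly unset or exactly 'true').

    Tomcat parses the value with Boolean.parseBoolean, so any value other
    than 'true' (case-insensitive) turns writes ON; an unset parameter
    keeps the safe default of true.
    """
    root = ET.fromstring(web_xml)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls = next((c.text for c in servlet if _local(c.tag) == "servlet-class"), "")
        if (cls or "").strip() != DEFAULT_SERVLET:
            continue
        for param in servlet:
            if _local(param.tag) != "init-param":
                continue
            name = value = ""
            for c in param:
                if _local(c.tag) == "param-name":
                    name = (c.text or "").strip()
                elif _local(c.tag) == "param-value":
                    value = (c.text or "").strip()
            if name == "readonly":
                return value.lower() == "true"
    return True


def uses_file_store(context_xml: str) -> bool:
    """True if a FileStore-backed session manager is configured."""
    root = ET.fromstring(context_xml)
    return any(
        _local(el.tag) == "Store" and el.get("className") == FILE_STORE
        for el in root.iter()
    )


def assess(version: str, web_xml: str, context_xml: str) -> dict:
    """Combine the three conditions into one finding per deployment."""
    fixed = version_is_fixed(version)
    put_enabled = not default_servlet_readonly(web_xml)
    file_sessions = uses_file_store(context_xml)
    return {
        "version_fixed": fixed,
        "put_enabled": put_enabled,
        "file_sessions": file_sessions,
        # Exposed only when all preconditions from the article line up.
        "exposed": fixed is False and put_enabled and file_sessions,
    }


# Constructed sample configuration: writable DefaultServlet + FileStore sessions.
SAMPLE_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""

SAMPLE_CONTEXT_XML = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore"/>
  </Manager>
</Context>"""

if __name__ == "__main__":
    for ver in ("10.1.34", "10.1.35"):
        print(ver, assess(ver, SAMPLE_WEB_XML, SAMPLE_CONTEXT_XML))
```

Run against copies of a server's conf/web.xml and its context.xml; a deployment reports `exposed` only when it is below the fixed version, accepts PUT, and stores sessions on disk. Patching is the fix the article recommends; the other two checks tell you which unpatched servers to prioritise.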
“While this exploit abuses session storage, the bigger issue is partial PUT handling in Tomcat, which allows uploading practically any file anywhere,” the Wallarm researchers said.
“Attackers will soon start shifting their tactics, uploading malicious JSP files, modifying configurations, and planting backdoors outside session storage. This is just the first wave.”