Security researchers are sounding the alarm as hackers pounced on a high-impact Apache Tomcat vulnerability roughly 30 hours after its public disclosure. The flaw, tracked as CVE-2025-24813, affects Tomcat 9.0.0.M1 through 9.0.98, 10.1.0-M1 through 10.1.34, and 11.0.0-M1 through 11.0.2, and under a specific (but not exotic) configuration lets an unauthenticated attacker run code remotely as the user Tomcat runs as. No big deal, just complete server takeover.
Hackers don’t wait for permission slips—they’re already in your servers while you’re still reading the CVE.
The Apache Software Foundation disclosed the vulnerability on March 10, 2025, labeling it “Important” severity. Fat lot of good that did. By March 12, proof-of-concept exploit code had already appeared on Chinese forums, and Wallarm researchers confirmed active exploitation in the wild. Talk about wasting no time.
What makes this vulnerability particularly nasty is its simplicity. Tomcat's default servlet supports partial PUT requests: send a PUT with a Content-Range header and it stages the body in a temporary file inside the web application's work directory, naming that file after the request path with every slash turned into a dot (this is the "path equivalence" in the CVE title). That same work directory is where Tomcat's file-based session persistence keeps serialized sessions as <id>.session. So a PUT to /abc/session leaves a file called .abc.session sitting exactly where the session store will look for it. A follow-up GET carrying the cookie JSESSIONID=.abc makes Tomcat load that file and deserialize the attacker's bytes, and the payload runs. No authentication required. Cool, right?
For remote code execution to succeed, several conditions must be met: the default servlet needs writes enabled (readonly=false; it ships readonly), partial PUT must be allowed (allowPartialPut, enabled by default), the application must use Tomcat's file-based session persistence in its default storage location, and a library that can serve as a deserialization gadget chain has to be on the classpath. Even without the last two, the same bug can expose or corrupt files that other users upload via partial PUT, given the right directory layout. The write-enabled default servlet is the one setting that isn't a default, so any deployment that flipped readonly off to accept uploads is the one to worry about.
Wallarm's write-up says the attacks it observed base64-encode the serialized payload, which gets it past signature filters that look for raw Java serialization. Sneaky. Once compromised, servers become playgrounds for attackers who can read sensitive files, inject malicious content, and install backdoors. Not exactly what you want happening on your production servers. And the whole chain is two requests: one PUT to plant the payload, one GET to trigger it. Minimal effort, maximum impact.
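Because the payload body never appears in an access log (and is base64-encoded anyway, per Wallarm), the request pattern is what you can hunt for. The following is an added example, not code from the article or from Wallarm, that correlates the two-request chain in Tomcat access log lines: a PUT whose path, with slashes turned to dots, names a .session temp file, followed by a request from the same host presenting that file's stem as a JSESSIONID. It assumes an AccessLogValve pattern that logs the Cookie header (Tomcat's default pattern does not), and the log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines (not real traffic). They assume an AccessLogValve
# pattern that appends the request's Cookie header, which Tomcat does NOT log
# by default:  %h %l %u %t "%r" %s %b "%{Cookie}i"
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2025:10:01:02 +0000] "PUT /a1b2c3/session HTTP/1.1" 409 0 "-"
203.0.113.7 - - [12/Mar/2025:10:01:03 +0000] "GET / HTTP/1.1" 200 512 "JSESSIONID=.a1b2c3"
198.51.100.9 - - [12/Mar/2025:10:02:00 +0000] "GET /index.jsp HTTP/1.1" 200 1024 "JSESSIONID=7F9E2C1D4B"
198.51.100.9 - - [12/Mar/2025:10:02:05 +0000] "PUT /uploads/report.pdf HTTP/1.1" 204 0 "JSESSIONID=7F9E2C1D4B"
192.0.2.5 - - [12/Mar/2025:10:03:10 +0000] "GET /app HTTP/1.1" 200 64 "JSESSIONID=.deadbeef"
"""

LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "(?P<cookie>[^"]*)"$'
)
SID_RE = re.compile(r'JSESSIONID=(?P<sid>[^;,\s]+)')


def parse(line):
    """Split one access-log line into fields, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def temp_file_session_id(put_path):
    """Session id an attacker would present to reach the temp file left by a
    partial PUT. DefaultServlet names that file path.replace('/', '.') inside
    the work dir; FileStore loads '<id>.session' from the same dir, so the id
    is the converted path minus a trailing '.session'. None if the PUT path
    could not produce a session file at all."""
    name = put_path.replace('/', '.')
    return name[:-len('.session')] if name.endswith('.session') else None


def detect(log_text):
    """Return findings as (kind, host, detail) tuples.

    'cve-2025-24813-chain': a PUT from host X staged a .session temp file and a
        later request from X presented exactly that id as its JSESSIONID.
    'dotted-session-id': a JSESSIONID starting with '.', flagged even without
        the PUT in view (it may have hit another node or an older log). Tomcat
        never generates ids like that, so this is cheap and low-noise.
    """
    findings = []
    staged = defaultdict(set)  # host -> session ids that would hit a staged temp file
    for raw in log_text.splitlines():
        rec = parse(raw)
        if not rec:
            continue
        host = rec['host']
        if rec['method'] == 'PUT':
            sid = temp_file_session_id(rec['path'])
            if sid:
                staged[host].add(sid)
            continue
        m = SID_RE.search(rec['cookie'])
        if not m:
            continue
        sid = m.group('sid')
        if sid in staged[host]:
            findings.append(('cve-2025-24813-chain', host,
                             f'PUT staged {sid}.session, then {rec["method"]} with JSESSIONID={sid}'))
        elif sid.startswith('.'):
            findings.append(('dotted-session-id', host, f'JSESSIONID={sid}'))
    return findings


if __name__ == '__main__':
    for kind, host, detail in detect(SAMPLE_LOG):
        print(f'{kind:24} {host:15} {detail}')
```

Keying on the PUT's response status is deliberately avoided: the public proof of concept gets a 409 because the write to the real path fails, but the temp file is already on disk by then, so the status tells you little. The correlation on the derived session id is what ties the two requests to this specific bug.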
Apache fixed the bug in Tomcat 9.0.99, 10.1.35, and 11.0.3, and those releases were already out when the advisory went public, so upgrading is the answer. For anything you cannot upgrade yet, the advisory's mitigations are the two conf/web.xml knobs from the precondition list: leave the default servlet's readonly parameter at true, or set allowPartialPut to false. Then work out which of your deployments actually meet the remaining preconditions (file-based session persistence, a gadget library on the classpath) so those get patched first.
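A quick way to check the two conf/web.xml preconditions (an added example, not Apache's tooling or the article's): parse the DefaultServlet declaration's init-params, fill in Tomcat's built-in defaults for anything left unset, and report whether writes and partial PUT are both reachable. The web.xml stanzas below are constructed, and the web_xml() helper exists only to build them; on a real server you would read conf/web.xml (and any per-application override) from disk.

```python
import xml.etree.ElementTree as ET

# DefaultServlet's hard-coded defaults: readonly=true, allowPartialPut=true.
# Anything conf/web.xml leaves unset takes these values.
TOMCAT_DEFAULTS = {"readonly": "true", "allowPartialPut": "true"}


def web_xml(init_params):
    """Build a minimal conf/web.xml default-servlet stanza. Constructed for this
    example; real files carry many more servlets and mappings."""
    params = "".join(
        f"<init-param><param-name>{k}</param-name>"
        f"<param-value>{v}</param-value></init-param>"
        for k, v in init_params.items()
    )
    return (
        '<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">'
        "<servlet><servlet-name>default</servlet-name>"
        "<servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>"
        f"{params}<load-on-startup>1</load-on-startup></servlet></web-app>"
    )


def _local(tag):
    # Strip the XML namespace so Tomcat 9 (javaee) and 10/11 (jakartaee) files both match.
    return tag.rsplit("}", 1)[-1]


def default_servlet_params(web_xml_text):
    """Return the effective init-params of the DefaultServlet declaration, with
    Tomcat's defaults filled in for anything the file does not set."""
    root = ET.fromstring(web_xml_text)
    params = dict(TOMCAT_DEFAULTS)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls = next((c.text or "" for c in servlet if _local(c.tag) == "servlet-class"), "")
        if not cls.strip().endswith(".DefaultServlet"):
            continue
        for ip in servlet:
            if _local(ip.tag) != "init-param":
                continue
            name = value = None
            for child in ip:
                if _local(child.tag) == "param-name":
                    name = (child.text or "").strip()
                elif _local(child.tag) == "param-value":
                    value = (child.text or "").strip()
            if name:
                params[name] = value if value is not None else ""
        break
    return params


def partial_put_write_reachable(params):
    """The conf/web.xml half of the CVE-2025-24813 preconditions: writes allowed
    AND Content-Range partial PUTs honoured. File-based session persistence and
    a gadget library are separate checks (context.xml and the classpath)."""
    readonly = (params.get("readonly") or "true").lower()
    partial_put = (params.get("allowPartialPut") or "true").lower()
    return readonly == "false" and partial_put != "false"


def audit(web_xml_text):
    """Human-readable verdict for one conf/web.xml."""
    p = default_servlet_params(web_xml_text)
    verdict = "EXPOSED" if partial_put_write_reachable(p) else "ok"
    return f"{verdict}: readonly={p['readonly']} allowPartialPut={p['allowPartialPut']}"


if __name__ == "__main__":
    # Upload-enabled deployment that never touched allowPartialPut -> exposed.
    print(audit(web_xml({"listings": "false", "readonly": "false"})))
    # Same deployment after the advisory's mitigation -> ok.
    print(audit(web_xml({"listings": "false", "readonly": "false", "allowPartialPut": "false"})))
    # Stock conf/web.xml (readonly unset, so true) -> ok.
    print(audit(web_xml({"listings": "false"})))
```

Filling in defaults matters: the exposed configuration in the wild is usually a file that says readonly=false and never mentions allowPartialPut at all, so a grep for the parameter name finds nothing and reports a clean bill of health.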
This incident serves as a stark reminder of the razor-thin margin between disclosure and exploitation. Vulnerability announcements might as well include “Hackers, start your engines!” For system administrators, the message is crystal clear: patch now or prepare for unwelcome visitors. The clock started ticking 30 hours ago.