A recently disclosed security flaw affecting Apache Tomcat has been actively exploited in the wild following the release of a public proof-of-concept (PoC) only 30 hours after public disclosure.
The vulnerability, tracked as CVE-2025-24813, affects the following versions –
- Apache Tomcat 11.0-M1 to 11.0.2
- Apache Tomcat 10.0-M1 to 10.1.34
- Apache Tomcat 9.0-M1 to 9.0.98
It concerns a case where the following conditions are met –
- Writes enabled for the default servlet (disabled by default)
- Support for partial PUT (enabled by default)
- A target URL for security-sensitive uploads that is a sub-directory of a target URL for public uploads
- Attacker knowledge of the names of the security-sensitive files being uploaded
- The security-sensitive files also being uploaded via partial PUT
Successful exploitation could allow a malicious user to view security-sensitive files or inject arbitrary content into those files via a PUT request.
In addition, the attacker could achieve remote code execution if all of the following conditions are true –
- Writes enabled for the default servlet (disabled by default)
- Support for partial PUT (enabled by default)
- The application is using Tomcat's file-based session persistence with the default storage location
- The application includes a library that could be leveraged in a deserialization attack
In an advisory published last week, the project maintainers noted that the vulnerability has been addressed in Tomcat versions 9.0.99, 10.1.35 and 11.0.3.
But in a concerning turn of events, the vulnerability is already seeing exploitation attempts in the wild, according to Wallarm.
“This attack leverages Tomcat's session persistence mechanism along with its support for partial PUT requests,” the company noted.
“The exploit works in two steps: the attacker uploads a serialized Java session file via a PUT request. The attacker then triggers deserialization by referencing the malicious session ID in a GET request.”
In other words, the attacks entail sending a PUT request containing a Base64-encoded serialized Java payload that is written to Tomcat's session storage directory and is subsequently executed during deserialization when a GET request is sent with a JSESSIONID pointing to the malicious session.
Wallarm also noted that the vulnerability is trivial to exploit and requires no authentication. The only prerequisite is that Tomcat is using file-based session storage.
“While this exploit abuses session storage, the bigger issue is the partial PUT handling in Tomcat, which allows uploading practically any file anywhere,” it added. “Attackers will soon start shifting their tactics, uploading malicious JSP files, modifying configurations, and planting backdoors outside session storage.”
Users running affected versions of Tomcat are advised to update their instances as soon as possible to mitigate potential threats.
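The two-step pattern described above (a partial PUT, then a GET carrying an unusual JSESSIONID) can be hunted for in Tomcat access logs. The following detector is an added example, not code from the article or from Wallarm; it assumes an AccessLogValve pattern that logs the Content-Range and Cookie request headers, and the log lines are constructed.

```python
import re

# Constructed sample lines in an assumed AccessLogValve pattern (assumption: the
# Content-Range and Cookie request headers are logged; adapt LINE_RE to yours):
#   %h %t "%r" %s "%{Content-Range}i" "%{Cookie}i"
SAMPLE_LOG = """\
203.0.113.5 [16/Mar/2025:10:00:01 +0000] "PUT /files/report.txt HTTP/1.1" 204 "bytes 0-1023/2048" "-"
203.0.113.5 [16/Mar/2025:10:00:03 +0000] "GET /index.jsp HTTP/1.1" 200 "-" "JSESSIONID=planted-session"
198.51.100.7 [16/Mar/2025:10:01:00 +0000] "GET /index.jsp HTTP/1.1" 200 "-" "JSESSIONID=5A3F9C2D1E4B8F7A6C0D9E8B7A6F5E4D"
198.51.100.7 [16/Mar/2025:10:01:05 +0000] "PUT /files/notes.txt HTTP/1.1" 201 "-" "JSESSIONID=5A3F9C2D1E4B8F7A6C0D9E8B7A6F5E4D.node1"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) "(?P<range>[^"]*)" "(?P<cookie>[^"]*)"$'
)
# Default Tomcat session id: 32 uppercase hex chars, optionally followed by a
# jvmRoute suffix (assumes the default sessionIdLength of 16 bytes).
SESSION_ID_RE = re.compile(r"^[0-9A-F]{32}(\.[A-Za-z0-9_-]+)?$")


def detect(log_text):
    """Return (ip, severity, reason) findings: any partial PUT (Content-Range
    header present) is medium; a JSESSIONID that does not look like a Tomcat
    session id is low, or high if the same client already issued a partial PUT."""
    findings = []
    partial_put_clients = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # line does not match the assumed pattern; skip it
        ip, method, path = m["ip"], m["method"], m["path"]
        if method == "PUT" and m["range"] != "-":
            partial_put_clients.add(ip)
            findings.append((ip, "medium", f"partial PUT (Content-Range) to {path}"))
        cookie = re.search(r"JSESSIONID=([^;]*)", m["cookie"])
        if cookie and not SESSION_ID_RE.match(cookie.group(1)):
            sev = "high" if ip in partial_put_clients else "low"
            findings.append((ip, sev, f"non-standard JSESSIONID on {method} {path}"))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

A full PUT without Content-Range (the second client above) is not flagged by itself, so tune the rule to your own upload endpoints if plain PUTs are also unexpected.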