New Apache Tomcat Vulnerability Bypasses Firewalls


A newly discovered Apache Tomcat vulnerability, identified as CVE-2025-24813, is now being actively exploited—putting countless servers at risk of remote code execution (RCE) attacks.

The flaw allows attackers to take full control of vulnerable servers using a seemingly harmless PUT API request, typically used to update or replace server resources. In this case, however, the method becomes a dangerous entry point for cybercriminals.

According to cybersecurity researchers, the exploit process is deceptively simple but highly effective. Attackers first upload a malicious Java serialized session file directly onto the server via a PUT request. Once uploaded, they trigger the exploit with a standard GET request that references the crafted session ID—forcing the server to deserialize the malicious file and execute the attack.

The attack vector was initially shared by a Chinese forum user, iSee857, but it didn’t take long before hackers weaponized it. On March 12, researchers from Wallarm detected the first real-world attack in Poland, just days before the exploit code was released publicly on GitHub.

While Apache Tomcat doesn’t assign CVSS scores, Red Hat rated the vulnerability 8.6 out of 10, marking it as moderately severe. However, researchers warn that the real-world impact could be far greater.

What makes this exploit so alarming is its stealthy nature. The PUT request appears routine, the malicious payload is base64-encoded, and the dangerous part of the attack doesn’t execute until the final GET request. This means that most Web Application Firewalls (WAFs) fail to detect the attack altogether.

“This attack is dead simple to execute and requires no authentication,” Wallarm researchers warned. “The only prerequisite is that Tomcat is configured with file-based session storage—a common setup in many deployments. Worse still, base64 encoding allows the exploit to bypass most traditional security filters, making detection extremely challenging.”

Security experts strongly recommend deploying real-time API security solutions. Traditional pattern-matching approaches are no longer enough, they said. Instead, every request should undergo deep analysis, where payloads are fully decoded, unpacked, and examined for hidden threats—even across multi-step attacks that rely on obfuscation.
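The two-step pattern described above (a PUT that writes a file, then a GET whose session ID points at that file) is exactly the kind of multi-step sequence a single-request filter misses but a stateful log correlation can catch. The following script is an added example, not code from the article or from Wallarm, and it makes two assumptions: that Tomcat's AccessLogValve is configured with the common pattern plus a quoted `%{Cookie}i` field, and that file-backed sessions are stored under names ending in `.session` (Tomcat's FileStore naming convention). The log lines are constructed for the example.

```python
import re

# Regex for a Tomcat AccessLogValve line using the "common" pattern followed by a
# quoted Cookie header, i.e. pattern='%h %l %u %t "%r" %s %b "%{Cookie}i"' (assumed).
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<cookie>[^"]*)")?\s*$'
)
SESSION_COOKIE_RE = re.compile(r'JSESSIONID=([^;\s]+)')

# Constructed sample log: one benign request, a PUT that creates a session file,
# a GET that presents a session id naming that file, and a rejected PUT.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2025:10:14:01 +0000] "GET /index.jsp HTTP/1.1" 200 512 "JSESSIONID=A1B2C3D4"
203.0.113.7 - - [12/Mar/2025:10:15:22 +0000] "PUT /demo.session HTTP/1.1" 201 - "-"
203.0.113.7 - - [12/Mar/2025:10:15:23 +0000] "GET /index.jsp HTTP/1.1" 500 - "JSESSIONID=.demo"
198.51.100.4 - - [12/Mar/2025:10:16:00 +0000] "PUT /uploads/report.txt HTTP/1.1" 403 - "-"
""".splitlines()


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["session_id"] = None
    if rec["cookie"]:
        c = SESSION_COOKIE_RE.search(rec["cookie"])
        if c:
            rec["session_id"] = c.group(1)
    return rec


def file_stem(path):
    """'/app/demo.session?x=1' -> 'demo': the name a file-backed session is looked up by."""
    name = path.split("?", 1)[0].rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[0] if "." in name else name


def normalize_sid(sid):
    # A session id that tries to point outside the session store carries leading
    # dots or slashes; strip them so it can be compared with an uploaded file's stem.
    return sid.lstrip("./\\")


def detect(lines, session_suffix=".session"):
    """Correlate successful PUT uploads with later GETs whose session id names the file.

    Returns a list of alert dicts in log order. Severity: 'low' for a rejected PUT,
    'medium' for any accepted PUT, 'high' for an accepted PUT of a *.session file,
    'critical' for a GET whose session id matches a previously uploaded file.
    """
    uploads = {}   # file stem -> path of the PUT that created it
    alerts = []
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["method"] == "PUT":
            if not 200 <= rec["status"] < 300:
                alerts.append({"severity": "low", "host": rec["host"],
                               "reason": f"rejected PUT to {rec['path']} (status {rec['status']})"})
                continue
            uploads[file_stem(rec["path"])] = rec["path"]
            severity = "high" if rec["path"].endswith(session_suffix) else "medium"
            alerts.append({"severity": severity, "host": rec["host"],
                           "reason": f"PUT wrote {rec['path']} (status {rec['status']})"})
        elif rec["method"] == "GET" and rec["session_id"]:
            sid = normalize_sid(rec["session_id"])
            if sid in uploads:
                alerts.append({"severity": "critical", "host": rec["host"],
                               "reason": f"GET presented session id {rec['session_id']!r} "
                                         f"matching file written by PUT {uploads[sid]}"})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f"[{alert['severity']:8}] {alert['host']:14} {alert['reason']}")
```

Because access logs never contain request bodies, this detector does not need to decode the base64 payload at all; it keys on the shape of the sequence instead, which is why it is unaffected by the encoding that defeats body-inspecting filters. In a real deployment the `uploads` map should be bounded (time window or LRU) so that a long-running log stream cannot grow it without limit.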

“CVE-2025-24813 is just the beginning,” researchers cautioned. “Attackers are evolving, and security defenses need to evolve even faster.”

This latest Tomcat vulnerability highlights a growing trend where attackers focus on exploiting session-based vulnerabilities and APIs, knowing that outdated security models often overlook these blind spots. Base64 encoding and multi-step triggers make these threats even harder to detect.

With Apache Tomcat powering a significant portion of web servers worldwide, organizations are urged to review their deployments, harden configurations, and consider implementing API behavior monitoring tools to prevent similar exploits in the future.

The race between attackers and defenders is clearly intensifying. Staying ahead means rethinking traditional security and shifting towards proactive, real-time threat detection that adapts as fast as the threats themselves.
