Apache Tomcat Vulnerability Under Active Exploitation

Author: Baivab Jena

Type: Cyber Alert

Topics: Cybersecurity

A critical security flaw in Apache Tomcat, tracked as CVE-2025-24813, is being actively exploited, putting organizations worldwide at risk. The vulnerability allows attackers to take control of servers or steal sensitive data; attacks were detected as early as March 12, 2025, and a public exploit was released within 30 hours of disclosure.

Apache Tomcat powers countless web applications across industries, from e-commerce platforms to internal business systems, making this flaw a significant concern. Tomcat is prevalent among service providers like web hosting companies (e.g., AWS, SiteGround) and SaaS providers offering tools like CRMs and e-commerce platforms.

Firms should sweep critical vendors and those with access to sensitive data to ensure they have applied the latest Tomcat updates and patches.

Vulnerability details

This vulnerability arises from weaknesses in how Apache Tomcat handles certain web requests, enabling attackers to exploit servers under specific conditions. Here’s what you need to know:

  • How it works: Attackers can upload harmful files using a type of HTTP request called a “partial PUT” (a PUT that carries only part of a file). Under certain conditions this can trick the server into running malicious code or exposing private data. The risk is greatest when the server is configured to accept file writes (uploads) or relies on the default, file-based session storage.
  • Key risks: If exploited, attackers could gain full control of the server (remote code execution), access sensitive files such as passwords or customer data, or disrupt services by altering critical files.
  • Affected versions: Tomcat 11.0.0-M1 to 11.0.2, 10.1.0-M1 to 10.1.34, and 9.0.0-M1 to 9.0.98, branches used by many organizations for web applications.
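To turn the affected-version list above into something that can be checked across a fleet, here is an added Python example; it is not code from this alert or from ACA. It parses a Tomcat version string as it appears in server banners or `version.sh` output (for example "Apache Tomcat/9.0.98"), orders milestone builds (`-M1`, `-M2`, ...) before the corresponding final release, and reports whether the version falls inside one of the ranges the alert lists. Branches the alert does not name (for example 8.5.x or 10.0.x) are reported as "not listed", which is not the same as safe.

```python
import re
import sys

# Inclusive affected ranges and fixed releases exactly as stated in the alert.
AFFECTED = {
    11: ("11.0.0-M1", "11.0.2"),
    10: ("10.1.0-M1", "10.1.34"),
    9: ("9.0.0-M1", "9.0.98"),
}
FIXED = {11: "11.0.3", 10: "10.1.35", 9: "9.0.99"}

# Matches "9.0.98" or "11.0.0-M1" at the end of a string such as "Apache Tomcat/9.0.98".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")


def parse_version(text):
    """Convert a Tomcat version string into a sortable tuple.

    Milestones get the tail (0, n) and final releases (1, 0), so that
    11.0.0-M26 < 11.0.0 < 11.0.1 under plain tuple comparison.
    """
    m = _VERSION_RE.search(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    tail = (0, int(milestone)) if milestone else (1, 0)
    return (int(major), int(minor), int(patch)) + tail


def is_affected(version_text):
    """True when the version lies inside a range listed for CVE-2025-24813."""
    v = parse_version(version_text)
    rng = AFFECTED.get(v[0])
    if rng is None:
        return False  # branch not named in the alert: unknown, not "safe"
    low, high = (parse_version(bound) for bound in rng)
    return low <= v <= high


def assess(version_text):
    """One-line verdict with the fixed release to upgrade to."""
    v = parse_version(version_text)
    if is_affected(version_text):
        return f"{version_text}: AFFECTED by CVE-2025-24813, upgrade to {FIXED[v[0]]}"
    return f"{version_text}: not in a listed affected range"


if __name__ == "__main__":
    # Usage: python tomcat_check.py "Apache Tomcat/9.0.98" 10.1.35 11.0.0-M1
    for arg in sys.argv[1:]:
        print(assess(arg))
```

Because the comparison is on tuples, the same function works for the boundary cases that matter most: the last affected build of each branch is flagged, and the first fixed build is not.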

Exploitation began shortly after the flaw was revealed on March 10, 2025, with a public exploit tool available by March 11, 2025. Security firm Wallarm reported attacks starting in Poland, and as of March 18, 2025, the threat has spread globally, targeting unpatched systems.

Our guidance

We recommend the following steps to secure vulnerable Apache Tomcat instances:

  • Update immediately: Upgrade to patched versions 11.0.3, 10.1.35, or 9.0.99, which fix CVE-2025-24813.
  • Interim mitigation: If updating is delayed, turn off the server’s ability to accept file changes over HTTP (write access on the default servlet) and move session data out of the default file-based storage to another method, such as a database. Avoid storing security-sensitive files within subdirectories of publicly accessible upload paths. Together these remove the conditions the flaw depends on.
  • Network monitoring: Scan for exposed Tomcat instances (typically ports 8080 or 8443) and review logs for signs of partial PUT abuse, such as unexpected file uploads.
  • Enhance defenses: Deploy web application firewalls (WAFs) with rules to filter malicious PUT requests as a temporary shield.
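The two checks below support the interim-mitigation and network-monitoring steps above. They are an added Python example, not code from this alert or from ACA. The first part reads a `conf/web.xml` and reports whether the default servlet still accepts writes: `readonly` and `allowPartialPut` are documented DefaultServlet init-params, and the audit treats `allowPartialPut` as enabled unless it is explicitly set to `false` (an assumption worth confirming against your Tomcat version's documentation). The second part triages Tomcat access-log lines in the default common pattern and groups every PUT or DELETE by client, separating requests the server accepted (2xx, meaning a file really was written) from ones it rejected. The web.xml fragments and log lines are constructed samples using documentation IP ranges.

```python
import re
import xml.etree.ElementTree as ET

# --- 1. Configuration audit --------------------------------------------------
# Constructed conf/web.xml fragment with the weak setting: readonly=false lets
# clients create or change files with PUT. The hardened variant flips it to true.
WEAK_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""
HARDENED_WEB_XML = WEAK_WEB_XML.replace("<param-value>false</param-value>",
                                        "<param-value>true</param-value>")


def _local(tag):
    """Strip the XML namespace so tags compare as 'servlet', 'init-param', ..."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def default_servlet_params(web_xml_text):
    """Return the init-params of the servlet named 'default' as a dict."""
    root = ET.fromstring(web_xml_text)
    for servlet in root.iter():
        if _local(servlet.tag) == "servlet" and _child_text(servlet, "servlet-name") == "default":
            return {_child_text(p, "param-name"): _child_text(p, "param-value")
                    for p in servlet if _local(p.tag) == "init-param"}
    return {}


def audit_default_servlet(web_xml_text):
    """List findings; an empty list means HTTP write access is disabled."""
    params = default_servlet_params(web_xml_text)
    findings = []
    if (params.get("readonly") or "true").lower() == "false":
        findings.append("readonly=false: DefaultServlet accepts PUT/DELETE; set readonly=true")
        # Assumed default: partial PUT stays enabled unless explicitly turned off.
        if (params.get("allowPartialPut") or "true").lower() != "false":
            findings.append("allowPartialPut not set to false: partial (Content-Range) PUTs accepted")
    return findings


# --- 2. Access-log triage ----------------------------------------------------
# Constructed lines in Tomcat's default common pattern: %h %l %u %t "%r" %s %b
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2025:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.7 - - [12/Mar/2025:10:01:05 +0000] "PUT /uploads/report.bin HTTP/1.1" 201 -
198.51.100.9 - - [12/Mar/2025:10:02:11 +0000] "PUT /app/data.txt HTTP/1.1" 409 -
203.0.113.7 - - [12/Mar/2025:10:03:40 +0000] "DELETE /uploads/report.bin HTTP/1.1" 204 -
192.0.2.4 - - [12/Mar/2025:10:05:00 +0000] "POST /login HTTP/1.1" 302 -
"""
_LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def flag_write_requests(log_text):
    """Return (client, timestamp, method, path, status) for every PUT or DELETE."""
    hits = []
    for line in log_text.splitlines():
        m = _LOG_RE.match(line)
        if m and m.group(3) in ("PUT", "DELETE"):
            client, ts, method, path, status = m.groups()
            hits.append((client, ts, method, path, int(status)))
    return hits


def summarize_by_client(hits):
    """Per client: writes attempted, writes the server accepted (2xx), and paths touched."""
    summary = {}
    for client, _, _, path, status in hits:
        entry = summary.setdefault(client, {"attempted": 0, "accepted": 0, "paths": set()})
        entry["attempted"] += 1
        if 200 <= status < 300:
            entry["accepted"] += 1
        entry["paths"].add(path)
    return summary


if __name__ == "__main__":
    for finding in audit_default_servlet(WEAK_WEB_XML):
        print("config:", finding)
    for client, info in summarize_by_client(flag_write_requests(SAMPLE_LOG)).items():
        print(f"{client}: {info['accepted']}/{info['attempted']} writes accepted, "
              f"paths={sorted(info['paths'])}")
```

On a deployment that never intends to accept uploads, any PUT or DELETE in the access log is worth a look; a 2xx response on one of them means the default servlet was writable at the time, and the configuration audit on the same host should then be repeated.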

How we help

ACA Aponix® helps firms strengthen their cybersecurity programs to mitigate risks from vulnerabilities, like the one in Apache Tomcat. Our services include:

  • Aponix Protect™ is a comprehensive solution that helps you implement a robust patch management process, ensuring vulnerabilities like the Apache Tomcat vulnerability are identified and remediated before they can be exploited.
  • Our Vendor Due Diligence and Third-Party Risk Management services help firms identify and manage risks posed by vendors, such as those vulnerable to exploits like CVE-2025-24813. By leveraging thorough assessments and ongoing monitoring, these services pinpoint vendors that could expose sensitive data or systems, enabling proactive risk mitigation.
  • ACA Vantage for Cyber provides targeted cyber health insights for portfolio companies, focusing on areas like patch management and vulnerability remediation. Combining expert advisory, ComplianceAlpha® technology, and RealRisk assessments, it helps pinpoint where additional support is needed to strengthen defenses and maintain operational resilience.

Reach out to your ACA consultant, or contact us to find out how we can help secure your firm against cyber threats and comply with regulatory expectations.