CVE-2025-24813 impacts Apache Tomcat

PravinKarthik

1 year ago

Comprehensive Analysis of CVE-2025-24813

1. Vulnerability Details

Type: Remote Code Execution (RCE) and Information Disclosure.
Affected Versions:
Apache Tomcat versions:
- 9.0.0-M1 to 9.0.98
- 10.1.0-M1 to 10.1.34
- 11.0.0-M1 to 11.0.2
Severity: High (CVSS score estimated around 9.0, reflecting its critical nature).
Disclosure: Discovered during routine security research and reported to the Apache Software Foundation in late 2024.

2. Root Cause

CVE-2025-24813 arises due to improper handling of partial PUT requests combined with mismanagement of file-based session persistence. These two conditions together create a scenario where malicious actors can exploit the vulnerability to achieve RCE:

Partial PUT Requests:

Apache Tomcat supports the PUT HTTP method for uploading files. The flaw lies in how partial PUT requests (where data is uploaded in fragments) are handled.
An attacker can manipulate these requests to write malicious files to unintended locations within the server.

File-Based Session Persistence:

When configured to use file-based session storage, Tomcat stores session data in serialized Java objects within a predefined directory.
This mechanism becomes exploitable when attackers can upload crafted Java serialized payloads into this directory.

Exploitation Steps

The exploitation of CVE-2025-24813 follows a multi-step attack chain. Here’s how an attacker might take advantage of this vulnerability:

Step 1: Gaining Access via a PUT Request

The attacker sends a partial PUT request to the vulnerable Tomcat instance.
Example: A PUT request is sent to upload a maliciously crafted Java serialized payload.
This payload contains executable code designed to trigger malicious actions when deserialized.

Step 2: Crafting the Malicious Payload

The attacker encodes a serialized Java payload, often using tools like ysoserial, to create the exploit.
The payload contains executable instructions, such as spawning a reverse shell or downloading additional malware.
This payload is saved to the Tomcat server’s session storage directory due to improper validation of the PUT request.

Step 3: Triggering the Malicious Code

Once the payload is uploaded, the attacker sends a GET request containing a malicious session identifier (JSESSIONID) that points to the serialized payload.
The Tomcat server, upon processing the request, deserializes the payload.
This deserialization process executes the embedded instructions within the malicious payload, allowing the attacker to run arbitrary code.

Step 4: Gaining Remote Control

If successful, the attacker achieves remote code execution. This grants them:
Full control over the Tomcat server.
The ability to install malware, exfiltrate sensitive data, escalate privileges, or pivot within the network.

Impact

Remote Code Execution (RCE):

Once RCE is achieved, attackers can run any command with the same privileges as the Tomcat server process.
This could lead to system compromise, data theft, or further exploitation.

Sensitive Data Exposure:

If the attacker gains access to critical files (e.g., configuration files, database credentials), it can result in significant data breaches.

Supply Chain Attacks:

Compromised Tomcat servers could be leveraged to inject malicious code into applications deployed on the server, affecting downstream users.

Lateral Movement:

The attacker could use the compromised server as a foothold to move laterally within the organization’s network.

Mitigation and Recommendations

To protect against CVE-2025-24813, it is critical to implement the following mitigation strategies:

1. Apply Security Patches

The Apache Software Foundation has released fixes for this vulnerability. Users should immediately upgrade to the latest patched versions:
9.0.99 or later.
10.1.35 or later.
11.0.3 or later.

2. Disable Partial PUT Requests

Disable the ability to handle partial PUT requests unless explicitly required. This can be done by reconfiguring Tomcat’s web.xml file:

<servlet> <servlet-name>default</servlet-name> <init-param> <param-name>readonly</param-name> <param-value>true</param-value> </init-param> </servlet>

3. Secure File-Based Session Persistence

Avoid using file-based session persistence whenever possible. Instead:
Use memory-based or database-backed session storage for added security.
If file-based persistence is unavoidable, restrict access to the session storage directory to authorized users only.

4. Deploy a Web Application Firewall (WAF)

Configure a WAF to inspect and block suspicious PUT and GET requests targeting Tomcat’s endpoints.

5. Monitor for Suspicious Activity

Audit server logs to detect anomalies, such as:
Unexpected PUT requests.
Unfamiliar session identifiers in GET requests.
Employ intrusion detection systems (IDS) to identify potential exploitation attempts.

6. Isolate Tomcat Deployments

Segregate Tomcat instances hosting critical applications from the rest of the network to limit the potential impact of exploitation.

Indicators of Compromise (IoCs)

Organizations should be vigilant for the following IoCs to detect possible exploitation of CVE-2025-24813:

Unusual PUT Requests:

Logs showing repeated or unexpected PUT requests with partial data uploads.

Suspicious Serialized Files:

Presence of suspicious .ser or serialized files in the session storage directory.

Unauthorized Process Execution:

Processes executing commands not typically associated with the Tomcat server.

Conclusion

The CVE-2025-24813 vulnerability underscores the importance of secure configurations and timely updates for widely deployed software like Apache Tomcat. By understanding the exploitation process and implementing robust defenses, organizations can mitigate the risks posed by this critical flaw and safeguard their infrastructure.