The Cybersecurity and Infrastructure Security Agency (CISA) has added a critical Apache Tomcat vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog following evidence of active exploitation in the wild.
The vulnerability, tracked as CVE-2025-24813, allows remote attackers to execute arbitrary code, access sensitive information, or inject malicious content through a path equivalence flaw in the popular web server software.
Apache Tomcat Path Equivalence Vulnerability
CVE-2025-24813 is a path equivalence vulnerability with a CVSS score of 9.8, representing a severe risk to organizations running unpatched Tomcat installations.
The flaw originates from improper handling of partial PUT requests, allowing unauthenticated attackers to achieve remote code execution through a sophisticated attack chain.
“This vulnerability isn’t universally exploitable. It requires a confluence of specific configurations,” noted security researchers investigating the flaw.
However, when these conditions align, the attack becomes “dead simple to execute,” according to Wallarm researchers cited in recent reports.
The vulnerability affects multiple versions of Apache Tomcat, including 11.0.0-M1 to 11.0.2, 10.1.0-M1 to 10.1.34, and 9.0.0.M1 to 9.0.98.
Security researchers have also confirmed that 8.5.x versions (specifically 8.5.0 to 8.5.98 and 8.5.100, excluding 8.5.99) are vulnerable, though these weren’t initially included in Apache’s advisory.
A summary of the vulnerability:

Affected products: Apache Tomcat 9.0.0-M1 to 9.0.98, 10.1.0-M1 to 10.1.34, and 11.0.0-M1 to 11.0.2 (8.5.0 to 8.5.98 and 8.5.100 were later confirmed affected as well)
Impact: Remote code execution (RCE), information disclosure, malicious content injection, unauthorized modification of uploaded files
Exploit prerequisites: Default servlet write capability, partial PUT requests permitted, file-based session persistence, presence of a deserialization-vulnerable library, knowledge of internal file naming conventions
CVSS 3.1 score: 9.8 (Critical)
Security experts have identified the exploitation process as follows:
The attacker sends a partial PUT request whose body is a Base64-encoded serialized Java object. Because of the path equivalence flaw, the default servlet writes that body to disk under a file name the session manager will later treat as a persisted session.
The attacker then sends a GET request carrying a specially crafted JSESSIONID cookie that references the malicious session. The file-based session manager loads the file and deserializes its contents, triggering code execution.
For successful exploitation, several conditions must be met:
The default servlet must have write permissions enabled, i.e. its readonly init parameter set to false (readonly is true by default).
Partial PUT support must be enabled, i.e. the allowPartialPut init parameter left at its default of true.
The application must use Tomcat's file-based session persistence (a PersistentManager backed by a FileStore).
The application's classpath must include a library with a usable deserialization gadget chain.
Remediation
CISA added CVE-2025-24813 to its KEV Catalog, noting it as a “frequent attack vector for malicious cyber actors” that poses “significant risks to the federal enterprise.”
Federal Civilian Executive Branch (FCEB) agencies are required to remediate this vulnerability by April 22, 2025, per Binding Operational Directive (BOD) 22-01.
While the directive applies only to federal agencies, CISA “strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation.”
Apache has released patched versions to address this vulnerability. Organizations should immediately upgrade to Apache Tomcat 9.0.99, 10.1.35, or 11.0.3, as appropriate for their environment. The 8.5.x branch is end of life and will not receive a fix, so affected 8.5.x deployments need to move to a supported branch.
Security experts also recommend these additional mitigation strategies:
Disable HTTP methods the application does not need (PUT in particular, wherever uploads are not required).
Enforce strict access controls.
Deploy Web Application Firewalls (WAFs).
Implement continuous monitoring for threat indicators.
For organizations unable to patch immediately, reviewing server configurations to confirm that the default servlet does not have write permissions enabled (readonly not set to false in conf/web.xml) provides a temporary mitigation, since this condition is required for successful exploitation. Confirming that sessions are not persisted with a FileStore removes the RCE path as well.
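As an added illustration (not code from the article, from CISA, or from the Apache Tomcat project), the following Python script performs the configuration review described above together with a check of the version against the fixed releases listed earlier. It reads a Tomcat installation's conf/web.xml for the DefaultServlet init parameters readonly and allowPartialPut, reads conf/context.xml for a PersistentManager backed by a FileStore, and reports whether the version falls in the affected ranges. Those parameter and class names are Tomcat's real configuration names; the two XML documents below are constructed samples. The gadget-library precondition cannot be answered from a configuration file, so it is deliberately left as a manual step.

```python
"""Exposure check for CVE-2025-24813: version ranges plus the configuration
preconditions (default servlet writes, partial PUT, file-based sessions)."""
import re
import xml.etree.ElementTree as ET

# First fixed release per supported branch (from the Apache advisory).
FIXED_IN = {(9, 0): "9.0.99", (10, 1): "10.1.35", (11, 0): "11.0.3"}
DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"
PERSISTENT_MANAGER = "org.apache.catalina.session.PersistentManager"
FILE_STORE = "org.apache.catalina.session.FileStore"


def parse_version(version):
    """'10.1.34' -> (10, 1, 34, 0, 0); milestone '11.0.0-M1' -> (11, 0, 0, -1, 1).
    Milestones sort before the GA release carrying the same number."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    return (int(major), int(minor), int(patch),
            0 if milestone is None else -1, int(milestone or 0))


def version_vulnerable(version):
    """True if the version is in an affected range, False if fixed,
    None if the branch is not covered by the advisory."""
    t = parse_version(version)
    branch = (t[0], t[1])
    if branch == (8, 5):
        # Reported affected: 8.5.0-8.5.98 and 8.5.100; 8.5.x is EOL, no fix exists.
        return t[2] != 99
    fixed = FIXED_IN.get(branch)
    if fixed is None:
        return None
    return t < parse_version(fixed)


def _local(tag):
    """Strip the XML namespace so web.xml from Tomcat 9 and 10/11 parse alike."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_params(web_xml):
    """Return the init-params of the servlet whose class is DefaultServlet."""
    root = ET.fromstring(web_xml)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls = next((c.text or "" for c in servlet if _local(c.tag) == "servlet-class"), "")
        if cls.strip() != DEFAULT_SERVLET:
            continue
        params = {}
        for ip in (c for c in servlet if _local(c.tag) == "init-param"):
            name = value = None
            for c in ip:
                if _local(c.tag) == "param-name":
                    name = (c.text or "").strip()
                elif _local(c.tag) == "param-value":
                    value = (c.text or "").strip()
            if name:
                params[name] = value
        return params
    return {}


def uses_file_session_store(context_xml):
    """True if sessions are persisted through PersistentManager + FileStore."""
    root = ET.fromstring(context_xml)
    for mgr in root.iter("Manager"):
        if mgr.get("className") == PERSISTENT_MANAGER:
            if any(s.get("className") == FILE_STORE for s in mgr.iter("Store")):
                return True
    return False


def assess(version, web_xml, context_xml):
    """Combine the checks. A gadget library on the classpath is still a manual check."""
    params = default_servlet_params(web_xml)
    writes = params.get("readonly", "true").lower() == "false"      # readonly defaults to true
    partial = params.get("allowPartialPut", "true").lower() != "false"  # defaults to true
    filestore = uses_file_session_store(context_xml)
    vuln = version_vulnerable(version)
    return {
        "vulnerable_version": vuln,
        "default_servlet_writes": writes,
        "partial_put": partial,
        "file_session_store": filestore,
        "rce_preconditions_met": bool(vuln) and writes and partial and filestore,
    }


# Constructed samples: a weak web.xml (writes enabled) and a hardened one.
WEAK_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""
HARDENED_WEB_XML = WEAK_WEB_XML.replace("<param-value>false", "<param-value>true")
CONTEXT_XML = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore"/>
  </Manager>
</Context>"""

if __name__ == "__main__":
    for ver, wx in (("9.0.98", WEAK_WEB_XML), ("9.0.98", HARDENED_WEB_XML), ("9.0.99", WEAK_WEB_XML)):
        print(ver, assess(ver, wx, CONTEXT_XML))
```

Run it against a real installation by reading conf/web.xml and conf/context.xml from CATALINA_BASE and taking the version from the Server header or from catalina.jar's manifest; a result of rce_preconditions_met == True means patching cannot wait, while a False from readonly alone is the temporary mitigation the text describes, not a substitute for the upgrade.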