Apache Tomcat Vulnerability Exposes Servers to RCE Attacks
Apache Tomcat Vulnerability Exposes Servers to RCE Attacks
Apache Tomcat Vulnerability Exposes Servers to RCE Attacks
Information:
Apache Tomcat is an open-source web server and Servlet container for Java code. It's a production-ready Java development tool used to implement many types of Jakarta EE (formerly known as Java EE) specifications. Apache Tomcat 10.1.18 is the current Tomcat release and is still undergoing active development.
A remote code execution (RCE) attack is one where an attacker can run malicious code on an organization’s computers or network. The ability to execute attacker-controlled code can be used for various purposes, including deploying additional malware or stealing sensitive data.
Incident:
A critical security vulnerability in Apache Tomcat (CVE-2025-24813) has exposed servers to remote code execution (RCE), information disclosure, and data corruption risks.
The vulnerability stems from Tomcat’s implementation of partial PUT requests, which allow clients to upload files in segments.
The original code (patched in commit 0a668e0c) generated temporary filenames by replacing path separators (e.g., /) with internal dots (.), creating path equivalence vulnerabilities. Attackers could exploit this to:
- Bypass Security Controls: By crafting filenames like ../../sensitive/file.jsp, malicious actors could write files outside intended directories.
- Inject Malicious Content: Overwrite configuration files or JSPs, enabling RCE if the server processes these files.
- Expose Sensitive Data: Access restricted files via path traversal if the default servlet’s write permissions are enabled (disabled by default)
Incident:
For RCE, attackers require:
- Write-enabled default servlet (non-default configuration)
- Partial PUT support (enabled by default)
- File-based session persistence (default storage location)
- A deserialization-vulnerable library in the application stack
The vulnerability, tracked as CVE-2025-24813, affects the below versions -
- Apache Tomcat 11.0.0-M1 to 11.0.2
- Apache Tomcat 10.1.0-M1 to 10.1.34
- Apache Tomcat 9.0.0-M1 to 9.0.98
Recommendation:
Update to the following versions of Apache Tomcat:
- Apache Tomcat – version 11.0.3 or later
- Apache Tomcat – version 10.1.35 or later
- Apache Tomcat – version 9.0.99 or later
The important things is Security systems. We must concern and monitor as usual.
For more information please contact
Email :sales@inetms.co.th
065 149 2822 (Ms.Suphatson )
063 204 4534 (Ms.Atsamaphorn)
065 929 6330 (Ms.Kansinee)
0613879439 (Ms.Sirilak)
0922576902 (Ms.Narusorn)
References:
-https://cybersecuritynews.com/apache-tomcat-vulnerability-rce-attacks/#google_vignette
-https://thehackernews.com/2025/03/apache-tomcat-vulnerability-comes-under.html
-https://www.cyber.gc.ca/en/alerts-advisories/vulnerability-impacting-apache-tomcat-cve-2025-24813
-https://www.cloudflare.com/learning/security/what-is-remote-code-execution/
-https://www.jrebel.com/blog/what-is-apache-tomcat
Weekly Interesting CVE
| NO. |
CVE Name |
Published Date |
Last Update |
Device/Appplication/OS Target |
Attack Type |
CVSS |
Detail |
Solution |
Reference |
|---|---|---|---|---|---|---|---|---|---|
| 1 |
CVE-2010-5326 |
13/5/2016 |
14/3/2025 |
SAP NetWeaver |
Remote Code Execution - RCE |
10 |
The Invoker Servlet on SAP NetWeaver Application Server Java platforms, possibly before 7.3, does not require authentication, which allows remote attackers to execute arbitrary code via an HTTP or HTTPS request, as exploited in the wild in 2013 through 2016, aka a "Detour" attack |
Update to Last version |
|
| 2 |
CVE-2018-14847 |
2/8/2018 |
14/3/2025 |
MikroTik RouterOS |
Directory Traversal |
9.1 |
MikroTik RouterOS through 6.42 allows unauthenticated remote attackers to read arbitrary files and remote authenticated attackers to write arbitrary files due to a directory traversal vulnerability in the WinBox interface |
Update to Last version |
https://app.opencve.io/cve/CVE-2018-14847 |
| 3 |
CVE-2025-1244 |
12/2/2025 |
15/3/2025 |
Emacs |
command injection |
8.8 |
A command injection flaw was found in the text editor Emacs. It could allow a remote, unauthenticated attacker to execute arbitrary shell commands on a vulnerable system. Exploitation is possible by tricking users into visiting a specially crafted website or an HTTP URL with a redirect. |
Update to Last version |
https://app.opencve.io/cve/CVE-2025-1244
|
| 4 |
CVE-2024-46662 |
14/3/2025 |
14/3/2025 |
Fortinet FortiManager |
command injection |
8.3 |
A improper neutralization of special elements used in a command ('command injection') in Fortinet FortiManager versions 7.4.1 through 7.4.3, FortiManager Cloud versions 7.4.1 through 7.4.3 allows attacker to escalation of privilege via specifically crafted packets |
Update to Last version |
|
| 5 |
CVE-2024-3368 |
20/5/2024 |
14/3/2025 |
The All in One SEO WordPress plugin |
Cross-Site Scripting (XSS) |
6.1 |
The All in One SEO WordPress plugin before 4.6.1.1 does not validate and escape some of its Post fields before outputting them back, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks |
Update to version 4.6.1.1 |
|
No |
Campaign Name |
Detection Date |
Attack Type |
Description |
Mitigation/Remediation |
|---|---|---|---|---|---|
| 1 |
Ransomware gang creates tool to automate VPN brute-force attacks |
14/03/2025 |
Ransomware, Brute-Force |
EclecticIQ experts have detected ‘BRUTED’, Black Basta’s automated brute-forcing server, a Ransomware-as-a-service (RaaS) that targets VPN and Remote Access devices. In order to guess the domain password, it is necessary to extract the Common Name (CN) and Subject Alternative Names (SAN) from the SSL Certificates, which do not have to be official. the Black Basta group obtained the code from the guess, they expanded it within the organization and used the Cobalt Strike Ransomware Brute Ratel to attack the target machines. |
|
Ref: https://www.bleepingcomputer.com/news/security/black-basta-ransomware-creates-automated-tool-to-brute-force-vpns/
25 March 2025
Viewed 113 time
