TL;DR

CVE-2025-24813 is a critical (CVSS 9.8) remote code execution vulnerability in Apache Tomcat's default servlet. When readonly is set to false, an attacker can upload a malicious serialised Java object via partial PUT requests and trigger deserialization to execute arbitrary code on your server. If your Tomcat instances haven't been patched to 9.0.99+, 10.1.35+, or 11.0.2+, and especially if any deployment has readonly disabled on the default servlet, you are at immediate risk.​‌‌​​​‌‌‍​‌‌‌​‌‌​‍​‌‌​​‌​‌‍​​‌​‌‌​‌‍​‌‌​​‌​​‍​‌‌​​‌​‌‍​‌‌​​‌​‌‍​‌‌‌​​​​‍​​‌​‌‌​‌‍​‌‌​​‌​​‍​‌‌​‌​​‌‍​‌‌‌​‌‌​‍​‌‌​​‌​‌‍​​‌​‌‌​‌‍​‌‌​​​​‌‍​‌‌‌​​​​‍​‌‌​​​​‌‍​‌‌​​​‌‌‍​‌‌​‌​​​‍​‌‌​​‌​‌‍​​‌​‌‌​‌‍​‌‌‌​‌​​‍​‌‌​‌‌‌‌‍​‌‌​‌‌​‌‍​‌‌​​​‌‌‍​‌‌​​​​‌‍​‌‌‌​‌​​‍​​‌​‌‌​‌‍​‌‌‌​​‌​‍​‌‌​​​‌‌‍​‌‌​​‌​‌‍​​‌​‌‌​‌‍​‌‌​​‌​‌‍​‌‌‌‌​​​‍​‌‌‌​​​​‍​‌‌​‌‌​​‍​‌‌​‌‌‌‌‍​‌‌​‌​​‌‍​‌‌‌​‌​​‍​‌‌​​​​‌‍​‌‌‌​‌​​‍​‌‌​‌​​‌‍​‌‌​‌‌‌‌‍​‌‌​‌‌‌​‍​​‌​‌‌​‌‍​‌‌‌​‌‌‌‍​‌‌​​​​‌‍​‌‌​‌‌​​‍​‌‌​‌​‌‌‍​‌‌‌​‌​​‍​‌‌​‌​​​‍​‌‌‌​​‌​‍​‌‌​‌‌‌‌‍​‌‌‌​‌​‌‍​‌‌​​‌‌‌‍​‌‌​‌​​​

1. The Bug — Root Cause

Apache Tomcat's DefaultServlet handles static file serving. It also supports HTTP partial PUT — a mechanism where a client can upload a file in segments by appending a suffix to the request path. The flaw lives in how Tomcat resolves the target path during a partial PUT when the servlet's readonly parameter is set to false.

Here's the vulnerable configuration that enables the attack:​‌‌​​​‌‌‍​‌‌‌​‌‌​‍​‌‌​​‌​‌‍​​‌​‌‌​‌‍​‌‌​​‌​​‍​‌‌​​‌​‌‍​‌‌​​‌​‌‍​‌‌‌​​​​‍​​‌​‌‌​‌‍​‌‌​​‌​​‍​‌‌​‌​​‌‍​‌‌‌​‌‌​‍​‌‌​​‌​‌‍​​‌​‌‌​‌‍​‌‌​​​​‌‍​‌‌‌​​​​‍​‌‌​​​​‌‍​‌‌​​​‌‌‍​‌‌​‌​​​‍​‌‌​​‌​‌‍​​‌​‌‌​‌‍​‌‌‌​‌​​‍​‌‌​‌‌‌‌‍​‌‌​‌‌​‌‍​‌‌​​​‌‌‍​‌‌​​​​‌‍​‌‌‌​‌​​‍​​‌​‌‌​‌‍​‌‌‌​​‌​‍​‌‌​​​‌‌‍​‌‌​​‌​‌‍​​‌​‌‌​‌‍​‌‌​​‌​‌‍​‌‌‌‌​​​‍​‌‌‌​​​​‍​‌‌​‌‌​​‍​‌‌​‌‌‌‌‍​‌‌​‌​​‌‍​‌

‌‌​‌​​‍​‌‌​​​​‌‍​‌‌‌​‌​​‍​‌‌​‌​​‌‍​‌‌​‌‌‌‌‍​‌‌​‌‌‌​‍​​‌​‌‌​‌‍​‌‌‌​‌‌‌‍​‌‌​​​​‌‍​‌‌​‌‌​​‍​‌‌​‌​‌‌‍​‌‌‌​‌​​‍​‌‌​‌​​​‍​‌‌‌​​‌​‍​‌‌​‌‌‌‌‍​‌‌‌​‌​‌‍​‌‌​​‌‌‌‍​‌‌​‌​​​

<!-- web.xml or default servlet init-param -->
<servlet>
  <servlet-name>default</servlet-name>
  <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
  <init-param>
    <param-name>readonly</param-name>
    <param-value>false</param-value>  <!-- THIS IS THE ENABLER -->
  </init-param>
</servlet>

When readonly is false, Tomcat permits PUT and DELETE on the default servlet. The partial PUT implementation constructs the target file path by stripping the upload suffix from the request URI. If an attacker sends a PUT to a path ending in the upload suffix, Tomcat writes the payload to a calculated location on disk. The problem: Tomcat does not validate that the resolved path lands in a safe directory, and it does not sanitise the content before writing it as a serialised Java object.

The vulnerable code path in DefaultServlet.doPut() calls recombinePartialPutFile(), which reads the uploaded bytes and writes them to the resolved path — without restricting file extensions, directories, or content type.

2. The Exploit — What an Attacker Chains Together

The full exploitation chain has three stages:

Stage 1 — Upload a gadget chain payload. The attacker sends a partial PUT request containing a malicious serialised Java object. Libraries like Commons Collections, Commons BeanUtils, or Spring framework on the classpath provide "gadget chains" — sequences of Java classes whose deserialization triggers arbitrary method calls, culminating in Runtime.exec().

PUT /uploads/../../session.ser/<upload-suffix> HTTP/1.1
Host: target.com.au
Content-Type: application/java-serialized-object
Content-Length: 2847

[serialised ysoserial CommonsCollections6 payload]

The path traversal component (../../) means the attacker can write the serialised payload into directories the application later reads from — specifically, Tomcat's session persistence directory or a classpath-accessible location.

Stage 2 — Trigger deserialization. Tomcat's session manager persists HTTP sessions to disk as serialised Java objects. When an attacker can place a .ser file in the session storage path, Tomcat deserialises it automatically when it attempts to load that session — no user interaction required beyond a request with the matching JSESSIONID.

Stage 3 — Achieve RCE. The gadget chain executes during deserialization, running arbitrary OS commands as the Tomcat process user (often root in poorly configured SMB deployments).

The entire chain requires: readonly=false on the default servlet, a gadget chain library on the classpath, and a reachable Tomcat instance. No authentication is needed.

3. The Blast Radius — Who's Actually Vulnerable

For Australian SMBs, the risk profile breaks down like this:

High risk:

  • Any Tomcat deployment where someone changed readonly to false — this is sometimes done to enable file upload via WebDAV-style PUT, and is common in older internal apps and hastily deployed proof-of-concept projects
  • Spring Boot applications bundled with embedded Tomcat that include Commons Collections in their dependency tree (very common)
  • Internet-facing Tomcat instances on ports 8080/8443 without a WAF or reverse proxy filtering PUT methods

Elevated risk:

  • Internal Tomcat apps behind VPNs — lateral movement after initial access makes these exploitable during broader intrusions
  • Tomcat instances running as root — RCE becomes full system compromise

Lower risk but not zero:

  • Default Tomcat installations where readonly remains true — the vulnerability exists but the primary exploitation path is blocked. However, security researchers have identified secondary paths involving specific servlet configurations

According to Shodan data, over 800,000 Tomcat instances are publicly reachable. Australian government and SMB infrastructure accounts for a meaningful slice — particularly healthcare, education, and local government sectors running legacy Java applications.

4. The Patch — What the Vendor Fix Does

Apache patched this in Tomcat versions 9.0.99, 10.1.35, and 11.0.2. The fix has two components:

  1. Path validation in recombinePartialPutFile() — the resolved target path is now checked against the allowed upload directory. Path traversal via ../ sequences is rejected before any file write occurs.

  2. Content type restriction — partial PUT requests with Content-Type: application/java-serialized-object are now explicitly blocked by the default servlet when readonly=false.

The patch is minimal and surgical — it doesn't change the partial PUT mechanism itself, just hardens the validation around it. This means existing legitimate file upload workflows are unaffected.

Action for SMBs:

# Check your Tomcat version
./catalina.sh version

# If below 9.0.99 / 10.1.35 / 11.0.2, upgrade immediately
# On Ubuntu/Debian:
sudo apt update && sudo apt install libtomcat9-java tomcat9

# Verify readonly is true (default) in all deployed web.xml files:
grep -r "readonly" /etc/tomcat9/ /var/lib/tomcat9/webapps/*/WEB-INF/web.xml

5. Detection — Log Lines, Indicators, and Sigma Rules

Apache Tomcat Access Log Indicators

Look for these patterns in /var/log/tomcat9/localhost_access_log.*:

192.168.x.x - - [24/Apr/2026:03:14:22 +1000] "PUT /uploads/../../work/Catalina/localhost/_/SESSIONS.ser/upload_abc123 HTTP/1.1" 204 -
192.168.x.x - - [24/Apr/2026:03:14:22 +1000] "PUT /context/../sessions.ser/upload HTTP/1.1" 201 -

Key indicators: PUT method, path traversal sequences (../), .ser or .session in the URL, and content type application/java-serialized-object.

Nginx Reverse Proxy Filter (if fronting Tomcat)

# Block suspicious PUT requests before they reach Tomcat
if ($request_method = PUT) {
    set $block_put 1;
}
if ($uri ~* "\.\./|\.ser|\.session") {
    set $block_put "${block_put}1";
}
if ($block_put = "11") {
    return 403;
}

Sigma Rule

title: Apache Tomcat Partial PUT RCE CVE-2025-24813
id: a7c3f1e2-4b5d-6789-abcd-ef0123456789
status: stable
description: Detects exploitation of CVE-2025-24813 via partial PUT with path traversal
author: lil.business
date: 2026/04/24
references:
    - https://nvd.nist.gov/vuln/detail/CVE-2025-24813
logsource:
    category: webserver
    product: apache_tomcat
detection:
    selection_method:
        cs-method: 'PUT'
    selection_path:
        cs-uri|contains:
            - '../'
            - '..\'
            - '.ser'
    selection_content:
        sc-status:
            - 200
            - 201
            - 204
    condition: selection_method and selection_path and selection_content
level: critical
tags:
    - attack.initial_access
    - attack.t1190
    - cve.2025-24813

Crowdsec Scenario

If you're running Crowdsec in front of Tomcat (recommended for Australian SMBs wanting community threat intelligence):

sudo cscli collections install crowdsecurity/http-cve
sudo cscli decisions list  # review blocked IPs after deployment

The http-cve collection includes detection patterns for partial PUT abuse and path traversal in Tomcat contexts.

FAQ

Q: Is my Tomcat instance vulnerable if I haven't changed any default settings?

A: The default configuration (readonly=true) blocks the primary exploitation path. However, upgrading to a patched version is still strongly recommended — secondary attack paths exist, and defence in depth matters. Check all deployed web.xml files, not just the global one, as individual applications can override the default servlet configuration.

Q: We run Spring Boot. Does this affect us?

A: Yes, if you're using embedded Tomcat (the default) and your application includes Commons Collections, Commons BeanUtils, or similar libraries on the classpath. Spring Boot's embedded Tomcat inherits the same default servlet behaviour. Upgrade your Spring Boot version to one that bundles a patched Tomcat.

Q: What if we can't upgrade immediately?

A: Block PUT and DELETE methods at your reverse proxy or WAF. In Nginx, add limit_except GET HEAD POST { deny all; } in the location block proxying to Tomcat. In Cloudflare, create a WAF rule blocking PUT requests containing ../ or .ser in the URI. This is a stopgap — patching is the real fix.

Q: How do we check if we've already been exploited?

A: Examine Tomcat access logs for PUT requests with path traversal patterns. Check for unexpected .ser or .session files in ${CATALINA_BASE}/work/Catalina/. Review process execution logs for commands spawned by the Tomcat user that don't correlate with legitimate application activity. Run find /var/lib/tomcat9/ -name "*.ser" -mtime -30 to find recently created serialisation files.

Conclusion

CVE-2025-24813 is a textbook example of how a single configuration change (readonly=false) can transform a well-understood servlet into a remote code execution vector. The exploitation chain is reliable, the prerequisites are common in real-world deployments, and the impact is full server compromise. For Australian SMBs running Java applications — particularly in healthcare, education, and local government — this is the kind of vulnerability that warrants immediate verification, not quarterly patching cycles.

Your action items: audit all Tomcat instances for readonly=false, verify versions against the patched releases, deploy the Sigma rule above to your SIEM or log aggregation system, and block PUT methods at the reverse proxy layer as a defence-in-depth measure.

Visit consult.lil.business for a free cybersecurity assessment — we'll check your exposed services, identify vulnerable configurations, and give you a prioritised remediation plan in plain English.

References

  1. NVD — CVE-2025-24813 Detail
  2. Apache Tomcat Security Advisories
  3. Australian Cyber Security Centre — Vulnerability Disclosure Guidance
  4. SANS — Java Deserialization Attack Chain Analysis

TL;DR

  • A bug in Apache Tomcat (a program that runs websites) lets attackers take control of a server.
  • Attackers started using it just 30 hours after someone showed how it works online.
  • There's a fix — just update to the newest version of Tomcat.

What Happened, in Plain English?

Imagine your school has lockers. Now imagine someone figured out that sliding a specially shaped package through the air vent makes the locker open itself and follow whatever instructions are inside — even "give me everyone's lunch money."

That's basically what happened with Apache Tomcat, a program millions of companies use to run websites [5]. A bug called CVE-2025-24813 lets an attacker send a sneaky file to the server [1]. When the server opens it, it follows the hidden instructions, giving the attacker control [8].

The scary part: someone posted a how-to guide online, and within 30 hours, real attackers were already using it [2].

Which Versions Are Affected?

Three "flavours" of Tomcat have this bug [1]:

  • Tomcat 9: versions 9.0.0-M1 through 9.0.98 → update to 9.0.99
  • Tomcat 10: versions 10.1.0-M1 through 10.1.34 → update to 10.1.35
  • Tomcat 11: versions 11.0.0-M1 through 11.0.2 → update to 11.0.3

What Should You Do?

  1. Find your Tomcat servers. Check which version each one is running.
  2. Update them. Install the patched version (9.0.99, 10.1.35, or 11.0.3) [1].
  3. Check your settings. Make sure the server doesn't let unknown visitors upload files [10].
  4. Clean up old libraries. Remove or update outdated Java libraries that are known to be unsafe [7][8].

FAQ

Yes. Tomcat often runs behind the scenes in tools you might not realise depend on it [5].

No — it's a small point-release designed to change as little as possible. Test in staging first, then roll it out [1].

Serious enough that CISA flagged it [4], but completely fixable with a straightforward update. The fix costs minutes; ignoring it could cost millions [6][9].

References

[1] Apache Software Foundation, "CVE-2025-24813: Apache Tomcat - Potential RCE and/or Information disclosure," Apache Tomcat Security, Mar. 2025.

[2] Wallarm, "CVE-2025-24813: Apache Tomcat RCE Exploited in the Wild," Wallarm Research, Mar. 2026.

[3] NIST National Vulnerability Database, "CVE-2025-24813 Detail," NVD, 2025.

[4] CISA, "Known Exploited Vulnerabilities Catalog," CISA.gov, 2026.

[5] Shodan, "Apache Tomcat Server Distribution," Shodan.io, 2026.

[6] IBM Security, "Cost of a Data Breach Report 2025," IBM, 2025.

[7] ASD Australian Signals Directorate, "Essential Eight Maturity Model," Australian Government, 2025.

[8] OWASP, "Deserialization of Untrusted Data," OWASP Top 10, 2021.

[9] Verizon, "Data Breach Investigations Report 2025," Verizon, 2025.

[10] SecurityWeek, "Apache Tomcat Vulnerability Important to Patch, Difficult to Exploit," SecurityWeek, Mar. 2026.

Want help checking your servers or setting up automatic updates? We can walk you through it.

Ready to strengthen your security?

Talk to lilMONSTER. We assess your risks, build the tools, and stay with you after the engagement ends. No clipboard-and-leave consulting.

Get a Free Consultation