The Register: ‘Dead simple’ hijacking hole in Apache Tomcat ‘now actively exploited in the wild’

Source URL: https://www.theregister.com/2025/03/18/apache_tomcat_java_rce_flaw/
Source: The Register
Title: ‘Dead simple’ hijacking hole in Apache Tomcat ‘now actively exploited in the wild’

Feedly Summary: One PUT request, one poisoned session file, and the server’s yours
A trivial flaw in Apache Tomcat that allows remote code execution and access to sensitive files is said to be under attack in the wild within a week of its disclosure.…

AI Summary and Description: Yes

Summary: The text discusses a critical vulnerability (CVE-2025-24813) in Apache Tomcat that allows unauthenticated remote code execution on servers that meet a handful of configuration conditions, making it especially concerning for organizations running this widely deployed servlet container. The vulnerability is already being exploited in the wild, and CISA has been alerted.

Detailed Description: The provided text outlines a significant security flaw in Apache Tomcat, underlined by several alarming details about its exploitation and potential impact on affected systems. The key points:

– **Vulnerability Overview**:
– The flaw is identified as CVE-2025-24813 and was disclosed on March 10. Apache classes it as a path equivalence bug: a request path whose "/" separators are collapsed into "." (an internal dot in the file name) can land a file where Tomcat does not expect it.
– It allows unauthenticated remote execution of code on servers running affected versions of Apache Tomcat.

– **Exploitation Timeline**:
– A public exploit was available roughly 30 hours after disclosure, and in-the-wild attacks were reported within a week, which leaves very little patching window.

– **Nature of the Attack**:
– No authentication is required to exploit the vulnerability.
– A successful attacker executes arbitrary Java code in the Tomcat process, which gives them the server and whatever data it can reach.

– **Operational Context**:
– Reports indicate that the vulnerability is already being exploited by malicious operators; the article specifically cites activity attributed to Chinese actors.
– CISA has been notified, with the expectation that the CVE will be added to its warning list (the Known Exploited Vulnerabilities catalog).

– **Exploitation Mechanics**:
– The flaw is exploitable when Tomcat has been configured to persist sessions to disk (a PersistentManager with a FileStore). This is not Tomcat's default session manager, but it is a common enough opt-in that many deployments qualify.
– The attacker sends a partial PUT request (a PUT carrying a Content-Range header) through the default servlet. Because of the path equivalence bug, the temporary file Tomcat writes for that upload ends up in the session store directory with a name of the form <session-id>.session, and its body is attacker-controlled serialized Java.
– The attacker then sends an ordinary request whose JSESSIONID cookie names that file. Tomcat loads the "session" from disk and deserializes it, which, given a suitable gadget library on the classpath, executes the attacker's code.
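The two-request pattern described above leaves a recognisable trace in Tomcat's access log even though the Content-Range header and the JSESSIONID cookie are not logged by default: a PUT to a path ending in ".session", followed by another request from the same client. The detector below is an added example written for this page, not code from The Register or from the Apache project. It assumes the AccessLogValve "common" pattern (%h %l %u %t "%r" %s %b); the log lines at the bottom are constructed, and their status codes are illustrative only, since the detector does not depend on them.

```python
"""Heuristic access-log detector for CVE-2025-24813 exploitation attempts.

Added example; assumes Tomcat's "common" access log pattern. URL-encoded or
case-varied suffixes are normalised only by lower-casing, so treat a miss as
"not seen", not "not attacked".
"""
import re
from collections import defaultdict

# host ident user [time] "METHOD URI PROTOCOL" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<bytes>\S+)$'
)


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match the pattern."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    req = m.groupdict()
    req["status"] = int(req["status"])
    return req


def is_session_upload(req):
    """A PUT whose URI ends in '.session' is an attempt to drop a serialized session file
    into the FileStore directory via the default servlet's partial-PUT handling."""
    return req["method"] == "PUT" and req["uri"].lower().endswith(".session")


def find_attacks(lines):
    """Return findings in log order: one 'upload' per suspicious PUT and one
    'trigger-candidate' per later GET from a client that already uploaded."""
    uploaded_by = defaultdict(list)  # client host -> URIs it PUT as *.session
    findings = []
    for lineno, line in enumerate(lines, start=1):
        req = parse_line(line)
        if req is None:
            continue
        if is_session_upload(req):
            uploaded_by[req["host"]].append(req["uri"])
            findings.append({"line": lineno, "host": req["host"], "stage": "upload",
                             "uri": req["uri"], "status": req["status"]})
        elif req["method"] == "GET" and req["host"] in uploaded_by:
            # Any request can carry the poisoned JSESSIONID; GET is the usual trigger.
            findings.append({"line": lineno, "host": req["host"], "stage": "trigger-candidate",
                             "uri": req["uri"], "status": req["status"]})
    return findings


# Constructed sample log: one attacker (203.0.113.7) and one benign REST client.
SAMPLE_LOG = """\
203.0.113.7 - - [17/Mar/2025:10:14:02 +0000] "GET /index.html HTTP/1.1" 200 1234
203.0.113.7 - - [17/Mar/2025:10:14:05 +0000] "PUT /uploads/payload.session HTTP/1.1" 409 -
203.0.113.7 - - [17/Mar/2025:10:14:06 +0000] "GET / HTTP/1.1" 500 -
198.51.100.4 - - [17/Mar/2025:10:15:00 +0000] "PUT /api/items/42 HTTP/1.1" 204 -
198.51.100.4 - - [17/Mar/2025:10:15:01 +0000] "GET /api/items/42 HTTP/1.1" 200 88
"""


def demo_findings():
    """Run the detector over the constructed sample and return its findings."""
    return find_attacks(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for f in demo_findings():
        print(f"line {f['line']}: {f['stage']:18} {f['host']} {f['uri']} -> {f['status']}")
```

The benign client's PUT to /api/items/42 is not flagged, and the attacker's first GET (before the upload) is not flagged either; only the upload and the requests that follow it from the same client are reported. In production, feed the same logic the full log and correlate the "trigger-candidate" hits with JVM errors or unexpected child processes around the same timestamp.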

– **Apache Foundation’s Advisory**:
– The foundation rates the vulnerability "important". Apache does not assign CVSS scores, so remediation prioritisation is left to users.
– The advisory lists four conditions that must all hold for remote code execution: writes must be enabled for the default servlet (the readonly init-param set to false; the default is true), partial PUT support must be enabled (it is by default), the application must use Tomcat's file-based session persistence with the default storage location, and a library that can be leveraged in a deserialization attack must be on the classpath. These are common misconfigurations, but not universal ones.
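Because the advisory's conditions are configuration facts, three of the four can be checked mechanically against a deployment's conf/web.xml and context.xml, and the version against the affected ranges. The auditor below is an added example for this page, not a tool from Apache or from the article. It assumes the standard locations of the default servlet's init-params (the servlet named "default" in web.xml) and of the session manager (a Manager/Store pair in context.xml); the gadget-library condition is application-specific and is reported as unknown rather than guessed. The two config snippets at the bottom are constructed: one weak, one hardened.

```python
"""Audit a Tomcat instance for the CVE-2025-24813 preconditions (added example).

Assumes: conf/web.xml holds the 'default' servlet's init-params, and the
context's context.xml holds the <Manager>/<Store> session configuration.
"""
import re
import xml.etree.ElementTree as ET

# First fixed release per branch: 9.0.99, 10.1.35, 11.0.3 (major -> (minor, patch)).
FIXED = {9: (0, 99), 10: (1, 35), 11: (0, 3)}


def parse_version(v):
    """'9.0.98', '9.0.0.M1' or '10.1.0-M1' -> (major, minor, patch, milestone-or-None)."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$", v.strip())
    if m is None:
        raise ValueError(f"unrecognised Tomcat version: {v!r}")
    major, minor, patch, milestone = m.groups()
    return int(major), int(minor), int(patch), (int(milestone) if milestone else None)


def version_is_affected(v):
    """True for 9.0.0.M1-9.0.98, 10.1.0-M1-10.1.34 and 11.0.0-M1-11.0.2."""
    major, minor, patch, _ = parse_version(v)
    if major not in FIXED:
        return False  # branches outside the advisory (e.g. 8.5) are not assessed here
    fixed_minor, fixed_patch = FIXED[major]
    return minor == fixed_minor and patch < fixed_patch


def _local(tag):
    """Strip the XML namespace ElementTree prefixes onto web.xml tags."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_params(web_xml_text):
    """Return the init-params of the servlet named 'default' as a dict (empty if absent)."""
    root = ET.fromstring(web_xml_text)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        name = next(((c.text or "").strip() for c in servlet if _local(c.tag) == "servlet-name"), None)
        if name != "default":
            continue
        params = {}
        for init_param in (c for c in servlet if _local(c.tag) == "init-param"):
            pname = pvalue = None
            for child in init_param:
                if _local(child.tag) == "param-name":
                    pname = (child.text or "").strip()
                elif _local(child.tag) == "param-value":
                    pvalue = (child.text or "").strip()
            if pname:
                params[pname] = pvalue
        return params
    return {}


def _as_bool(value, default):
    return default if value is None else value.strip().lower() == "true"


def uses_file_store(context_xml_text):
    """True if context.xml configures PersistentManager backed by a FileStore."""
    root = ET.fromstring(context_xml_text)
    for mgr in root.iter("Manager"):
        if mgr.get("className", "").endswith("PersistentManager"):
            if any(s.get("className", "").endswith("FileStore") for s in mgr.iter("Store")):
                return True
    return False


def assess(version, web_xml_text, context_xml_text):
    """Evaluate the advisory's conditions; the gadget condition is left as None (unknown)."""
    params = default_servlet_params(web_xml_text)
    result = {
        "affected_version": version_is_affected(version),
        # readonly defaults to true (writes disabled); allowPartialPut defaults to true.
        "default_servlet_writes_enabled": not _as_bool(params.get("readonly"), default=True),
        "partial_put_enabled": _as_bool(params.get("allowPartialPut"), default=True),
        "file_based_sessions": uses_file_store(context_xml_text),
        "deserialization_gadget_on_classpath": None,  # inspect WEB-INF/lib by hand
    }
    result["all_checkable_conditions_met"] = all(v for v in result.values() if v is not None)
    return result


# Constructed configs: the weak pair satisfies every checkable condition.
WEAK_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
    <init-param><param-name>listings</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""
HARDENED_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>allowPartialPut</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""
WEAK_CONTEXT_XML = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore"/>
  </Manager>
</Context>"""
SAFE_CONTEXT_XML = "<Context/>"

if __name__ == "__main__":
    print(assess("9.0.98", WEAK_WEB_XML, WEAK_CONTEXT_XML))
    print(assess("9.0.99", HARDENED_WEB_XML, SAFE_CONTEXT_XML))
```

Note that a web.xml with no readonly or allowPartialPut entries evaluates as "writes disabled, partial PUT enabled", matching Tomcat's shipped defaults; the upgrade check is what closes the hole, and the two init-params are the configuration mitigations when the upgrade has to wait.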

– **Potential Consequences**:
– Apart from remote code execution, the same path equivalence bug can let an attacker view or tamper with security-sensitive files under a separate, smaller set of conditions.
– The vulnerability spans three supported branches: 9.0.0.M1 through 9.0.98, 10.1.0-M1 through 10.1.34, and 11.0.0-M1 through 11.0.2. The fixes are in 9.0.99, 10.1.35 and 11.0.3. Given how many enterprise applications ship on these branches, the exposed population is large.

– **Security Considerations**:
– Organizations running Apache Tomcat should upgrade to a fixed release. Where that has to wait, keep the default servlet read-only (readonly=true, the shipped default), disable partial PUT (allowPartialPut=false), and avoid file-based session persistence, since removing any one of the advisory's conditions breaks the RCE chain.
– Given the speed at which the public exploit appeared, monitoring for PUT requests to *.session paths and keeping an incident response plan ready is essential for affected companies.

This article highlights the role security professionals play in safeguarding applications running on widely used platforms like Apache Tomcat, especially when a public exploit follows disclosure by little more than a day.