Apache Tomcat Remote Code Execution Vulnerability Exploited in the Wild (CVE-2025-24813)

Attackers began exploiting an Apache Tomcat vulnerability just 30 hours after a proof of concept was made public. Tracked as CVE-2025-24813, the flaw lets an unauthenticated attacker view security-sensitive files, inject arbitrary content into those files, or, under further conditions, execute code remotely, all through partial PUT requests to a write-enabled default servlet. The root cause is the original partial PUT implementation, which stored the uploaded range in a temporary file named after the user-supplied file name and path with each path separator replaced by ".", so that different request paths could map to the same temporary file.

Apache Tomcat is a free, open-source web server and servlet container. The server provides a Java-based environment for running web applications that use technologies like Java Servlets and JavaServer Pages (JSP).

Prerequisites for the exploitation of the vulnerability

All of the following must be true for an attacker to view security-sensitive files or inject content into them:

  • Writes enabled for the default servlet (disabled by default)
  • Support for partial PUT (enabled by default)
  • A target URL for security-sensitive uploads that is a sub-directory of a target URL for public uploads
  • Attacker knowledge of the names of the security-sensitive files being uploaded
  • The security-sensitive files also being uploaded via partial PUT

All of the following must be true for remote code execution:

  • Writes enabled for the default servlet (disabled by default)
  • Support for partial PUT (enabled by default)
  • The application uses Tomcat's file-based session persistence with the default storage location
  • The application includes a library that can be leveraged in a deserialization attack
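To make the root cause concrete, here is an added Python model of the temporary-file naming the advisory describes. This is example code written for this write-up, not Tomcat source and not a Qualys tool; it reproduces only the stated rule that every "/" in the request path became "." in the temporary file name, so two different upload paths can share one temporary file, and a path ending in ".session" yields a file shaped like a persisted session. The work-directory path and the sample upload layout are assumptions.

```python
"""Model of the pre-fix partial PUT temporary-file naming behind CVE-2025-24813.

Added example for this write-up; it is not Tomcat source code. Only the naming
rule the advisory states is reproduced: the request path with every path
separator replaced by ".". WORK_DIR and the sample upload layout are assumptions.
"""
from collections import defaultdict
from pathlib import PurePosixPath

# Assumed context work directory. The default servlet wrote its partial PUT
# temporary files to the context's temp directory, which is also where the
# file-based session store keeps "<sessionId>.session" files by default.
WORK_DIR = PurePosixPath("/opt/tomcat/work/Catalina/localhost/ROOT")


def prefix_temp_name(request_path: str) -> str:
    """Pre-fix naming rule: the request path with '/' turned into '.'."""
    return request_path.replace("/", ".")


def prefix_temp_file(request_path: str) -> PurePosixPath:
    """Where the temporary file for a partial PUT of request_path would land."""
    return WORK_DIR / prefix_temp_name(request_path)


def find_collisions(upload_paths):
    """Group distinct request paths whose temporary files would be the same file.

    Returns {temp_name: [paths...]} for every temp name reached by more than one
    distinct path. A sensitive upload path and an attacker-chosen path in the
    public tree sharing a temp name is the disclosure/injection case.
    """
    groups = defaultdict(set)
    for path in upload_paths:
        groups[prefix_temp_name(path)].add(path)
    return {name: sorted(paths) for name, paths in groups.items() if len(paths) > 1}


def looks_like_session_file(request_path: str) -> bool:
    """True when the temp file is shaped like a persisted session file.

    A partial PUT to /x.session creates ".x.session"; the file-based session
    store would read that file for a session id of ".x", which is the
    deserialization path the advisory lists for remote code execution.
    """
    name = prefix_temp_name(request_path)
    return name.endswith(".session") and len(name) > len(".session")


def report(upload_paths):
    """Human-readable summary of both hazards for a set of request paths."""
    lines = []
    for temp_name, paths in find_collisions(upload_paths).items():
        lines.append(f"collision on {WORK_DIR / temp_name}: {', '.join(paths)}")
    for path in upload_paths:
        if looks_like_session_file(path):
            lines.append(f"session-shaped temp file from PUT {path}: {prefix_temp_file(path)}")
    return lines


if __name__ == "__main__":
    # Constructed sample: a public upload tree with a sensitive sub-directory
    # (the third prerequisite above), plus an attacker's PUT to a ".session" path.
    sample = [
        "/uploads/secure/report.txt",   # legitimate sensitive upload
        "/uploads/secure.report.txt",   # attacker-chosen name in the public tree
        "/uploads/photo.jpg",
        "/evil.session",
    ]
    for line in report(sample):
        print(line)
```

The collision in the sample is exactly the third prerequisite: a sensitive upload to /uploads/secure/report.txt and an attacker's upload to /uploads/secure.report.txt, a name the attacker is allowed to write in the public tree, both resolve to the same temporary file, so whichever partial PUT completes second reads and rewrites the other's content. Feeding the function your own upload layout tells you whether that layout is exposed on an unpatched server.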

Affected Versions

  • Apache Tomcat 11.0.0-M1 to 11.0.2
  • Apache Tomcat 10.1.0-M1 to 10.1.34
  • Apache Tomcat 9.0.0.M1 to 9.0.98

Mitigation

Upgrade to a fixed release:

  • Apache Tomcat 11.0.3 or later
  • Apache Tomcat 10.1.35 or later
  • Apache Tomcat 9.0.99 or later

Where an immediate upgrade is not possible, keeping the default servlet read-only (the default, readonly=true) removes the first prerequisite for every exploitation path listed above.

Please refer to the Apache Tomcat Security Advisories for more information. 
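As an added check for the two configuration prerequisites (example code written for this post, not a Qualys or Tomcat tool), the script below parses a web.xml and reports whether the DefaultServlet is write-enabled (readonly=false) and still accepts partial PUT (allowPartialPut absent or true). The two descriptor fragments are constructed for the demonstration: the weak one mirrors the exploitable configuration, the hardened one the settings that remove both prerequisites. It does not replace upgrading.

```python
"""Audit a Tomcat web.xml for the DefaultServlet settings CVE-2025-24813 needs.

Added example, not Tomcat or Qualys code. It checks the two configuration
prerequisites from the advisory: writes enabled (init-param readonly=false)
and partial PUT support (init-param allowPartialPut, true unless set to false).
The descriptor fragments below are constructed for the demonstration.
"""
import xml.etree.ElementTree as ET

DEFAULT_SERVLET_CLASS = "org.apache.catalina.servlets.DefaultServlet"

# Constructed: an application descriptor that turns on writes for the default
# servlet and leaves partial PUT at its default (enabled).
WEAK_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <init-param><param-name>listings</param-name><param-value>false</param-value></init-param>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>
"""

# Constructed: the same declaration with both prerequisites removed.
HARDENED_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <init-param><param-name>listings</param-name><param-value>false</param-value></init-param>
    <init-param><param-name>readonly</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>allowPartialPut</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>
"""


def default_servlet_params(web_xml: str) -> dict:
    """Init-params declared on the DefaultServlet, or {} when the descriptor
    does not declare it (the global conf/web.xml declaration then applies)."""
    root = ET.fromstring(web_xml)
    # "{*}" matches any namespace, so javaee and jakartaee descriptors both work.
    for servlet in root.findall(".//{*}servlet"):
        if servlet.findtext("{*}servlet-class", default="").strip() != DEFAULT_SERVLET_CLASS:
            continue
        return {
            ip.findtext("{*}param-name", default="").strip():
            ip.findtext("{*}param-value", default="").strip()
            for ip in servlet.findall("{*}init-param")
        }
    return {}


def as_bool(value, default):
    """Tomcat reads these init-params with Boolean.parseBoolean: only the
    case-insensitive string "true" is true; an absent param keeps its default."""
    if value is None:
        return default
    return value.strip().lower() == "true"


def assess(web_xml: str) -> dict:
    """Evaluate the two configuration prerequisites for CVE-2025-24813."""
    params = default_servlet_params(web_xml)
    writes_enabled = not as_bool(params.get("readonly"), default=True)
    partial_put_enabled = as_bool(params.get("allowPartialPut"), default=True)
    return {
        "writes_enabled": writes_enabled,
        "partial_put_enabled": partial_put_enabled,
        "config_prerequisites_met": writes_enabled and partial_put_enabled,
    }


if __name__ == "__main__":
    for label, descriptor in (("weak", WEAK_WEB_XML), ("hardened", HARDENED_WEB_XML)):
        print(label, assess(descriptor))
```

Run it against both $CATALINA_BASE/conf/web.xml, whose DefaultServlet declaration applies to every deployed application, and each application's WEB-INF/web.xml, which may override it. A descriptor that does not declare the servlet at all inherits the global settings, which the script reports as the shipped defaults (read-only, partial PUT enabled).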

Qualys Detection

Qualys customers can scan their devices with QIDs 732321, 732322, and 732323 to detect vulnerable assets.

Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.

References
https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.99
https://tomcat.apache.org/security-11.html#Fixed_in_Apache_Tomcat_11.0.3
https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.35
