CVE-2025-24813 Detection: Apache Tomcat RCE Vulnerability Actively Exploited in the Wild
A newly revealed RCE vulnerability in Apache Tomcat is under active exploitation, just 30 hours after its public disclosure and the release of a PoC. The successful exploitation of CVE-2025-24813 gives adversaries the green light to remotely execute code on targeted systems by leveraging unsafe deserialization.
Detect CVE-2025-24813 Exploitation Attempts
With the sharp increase in weaponized CVEs, proactive threat detection is more critical than ever. As 2025 begins, the NIST NVD has already documented 10,451 new security vulnerabilities, many of which have been actively exploited in real-world attacks. With cyber threats constantly evolving, security teams across the globe must focus on early detection strategies to outpace exploitation attempts and mitigate risks effectively.
Rely on SOC Prime Platform for collective cyber defense to obtain curated detection content on any active threat, backed by a complete product suite for advanced threat detection and hunting.
Possible CVE-2025-24813 (Apache Tomcat RCE) Exploitation Attempt (via webserver)
The detection is based on the publicly available PoC and helps identify possible CVE-2025-24813 exploitation attempts, which adversaries may use to gain initial access to the vulnerable application. The rule is compatible with 22 SIEM, EDR, and Data Lake solutions and aligned with MITRE ATT&CK, addressing the Initial Access tactic and the corresponding Exploit Public-Facing Application (T1190) technique.
Security professionals can also click the Explore Detections button below to check for new rules added to address Apache Tomcat RCE exploitation.
Cyber defenders seeking more content to detect cyber-attacks weaponizing trending vulnerabilities can access the whole relevant detection stack by searching Threat Detection Marketplace with the "CVE" tag.
CVE-2025-24813 Analysis
Defenders have uncovered a new vulnerability in Apache Tomcat. This critical RCE flaw, tracked as CVE-2025-24813 with a CVSS score of 9.8, has been actively exploited in the wild since its PoC exploit code was publicly released on GitHub. It allows hackers to gain control of servers through a PUT API request, which is typically used to update existing resources. RCE or data exposure can occur if the default servlet allows writes, partial PUT is enabled, sensitive files are uploaded to a public subdirectory of a public upload location, and an attacker knows those file names. In addition to these conditions, the flaw can be weaponized provided that the application uses Tomcat's file-based session persistence with the default storage location and includes a library vulnerable to deserialization attacks. The security issue impacts software versions ranging from 11.0.0-M1 to 11.0.2, 10.1.0-M1 to 10.1.34, and 9.0.0-M1 to 9.0.98.
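As an added example (not part of the SOC Prime rule or the Apache advisory), the following Python applies the webserver-side logic described above to Tomcat access-log entries: it flags PUT requests and raises severity when a Content-Range header (a partial PUT) is present and the default servlet accepted the write. It assumes an AccessLogValve pattern that logs the Content-Range request header; the log lines and IP addresses are constructed.

```python
import re
from typing import NamedTuple, Optional

# Assumed Tomcat AccessLogValve pattern (an assumption of this example, not from the advisory):
#   %h %t "%r" %s %b "%{Content-Range}i"
# Logging the Content-Range request header is what makes a partial PUT visible in the log.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<crange>[^"]*)"$'
)

class Finding(NamedTuple):
    ip: str
    ts: str
    uri: str
    status: int
    severity: str
    reason: str

def classify(line: str) -> Optional[Finding]:
    """Return a Finding for a PUT access-log line worth alerting on, else None."""
    m = LOG_RE.match(line)
    if not m or m["method"] != "PUT":
        return None
    status = int(m["status"])
    partial = m["crange"] != "-"      # Content-Range header present => partial PUT
    accepted = status in (201, 204)   # the default servlet wrote the resource
    if partial and accepted:
        sev, why = "high", "partial PUT accepted: default servlet writable, partial PUT enabled"
    elif partial:
        sev, why = "medium", "partial PUT attempted but not accepted"
    elif accepted:
        sev, why = "medium", "PUT accepted: default servlet is not read-only"
    else:
        sev, why = "low", "PUT attempt rejected"
    return Finding(m["ip"], m["ts"], m["uri"], status, sev, why)

def scan(lines):
    return [f for f in map(classify, lines) if f is not None]

# Constructed sample log lines (not real traffic); IPs are from documentation ranges.
SAMPLE = [
    '203.0.113.7 [10/Mar/2025:14:02:11 +0000] "PUT /uploads/report.txt HTTP/1.1" 201 - "bytes 0-9/20"',
    '203.0.113.7 [10/Mar/2025:14:02:12 +0000] "GET /uploads/report.txt HTTP/1.1" 200 20 "-"',
    '198.51.100.4 [10/Mar/2025:14:05:00 +0000] "PUT /app/data.bin HTTP/1.1" 403 - "bytes 0-5/6"',
    '192.0.2.9 [10/Mar/2025:14:06:30 +0000] "PUT /static/notes.txt HTTP/1.1" 204 - "-"',
    '192.0.2.9 [10/Mar/2025:14:07:00 +0000] "POST /app/login HTTP/1.1" 302 - "-"',
]
```

A "high" finding means both weak settings (writable default servlet and partial PUT) are confirmed on the host, so patching to the fixed versions listed below should be treated as urgent for that server.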
GreyNoise researchers have observed exploitation attempts from five distinct IP addresses, with most attacks targeting systems in the U.S., Japan, India, South Korea, and Mexico, and over 70% of sessions aimed at U.S.-based systems. This raises the exposure of organizations to CVE-2025-24813 exploitation attempts if the potentially vulnerable software is in use.
As potential CVE-2025-24813 mitigation measures to reduce the risks of exploitation attempts, the vendor recommends updating immediately to Apache Tomcat 11.0.3 or higher, Apache Tomcat 10.1.35 or higher, or Apache Tomcat 9.0.99 or higher. With the ever-expanding attack surfaces and escalating numbers of cyber attacks leveraging CVE exploitation, global organizations are striving to strengthen defenses. SOC Prime curates a complete product suite for AI-powered detection engineering, automated threat hunting, and advanced threat detection to provide security teams with cutting-edge technologies against emerging threats no matter their scale and sophistication.