
Hackers Can Completely Take Over Servers Using an Apache Tomcat Vulnerability!

A remote code execution (RCE) vulnerability in Apache Tomcat, identified as CVE-2025-24813, is actively being exploited by cybercriminals. This vulnerability allows attackers to gain full control over the server.

According to security experts, exploitation of this vulnerability is rapidly increasing. Organizations in financial services, healthcare, and government sectors are particularly at risk.

This vulnerability arises due to an error in the core processing components of Apache Tomcat. An attacker can send a malicious request to a vulnerable server without authentication and execute arbitrary code remotely.

🔴 Severity Level: Very High (CVSS 3.1 Score: 8.1 – High)
💻 Affected Versions:

  • Tomcat 9.0.0-M1 – 9.0.98
  • Tomcat 10.1.0-M1 – 10.1.34
  • Tomcat 11.0.0-M1 – 11.0.2

📌 Exploitation Prerequisites:

  • Writes enabled for the default servlet
  • Support for Partial PUT requests
  • Session persistence enabled
  • Presence of a deserialization library

This vulnerability is particularly dangerous because it affects Tomcat’s fundamental request-handling mechanism. As a result, attackers can craft special requests to exploit the server.

Hackers have developed methods to bypass security restrictions using flaws in Tomcat’s request-handling process. The attack generally follows these stages:

1️⃣ Reconnaissance – Attackers search for unprotected Tomcat servers on the internet using tools like Nmap, Shodan, or Censys.

2️⃣ Exploiting the Vulnerable Server – The attacker sends specially crafted malicious requests, leveraging multiple techniques to bypass security mechanisms.

3️⃣ Gaining Persistence – If exploitation is successful, the attacker gains remote code execution (RCE) capabilities, allowing them to:

  • Deploy a web shell – enabling full control over the server.
  • Install a hidden cryptocurrency miner – hijacking server resources for unauthorized mining.
  • Deploy ransomware – encrypting server files and demanding a ransom for decryption.

Apache Tomcat users and administrators must take the following actions to secure their systems:

1. Update Apache Tomcat Immediately
🔹 Install the latest patched versions released by Apache to protect against CVE-2025-24813.

2. Strengthen Network Security
🔹 Block suspicious requests and restrict unauthorized access to the server.

3. Enable Logging and Monitoring
🔹 Regularly review logs for suspicious activity. SIEM (Security Information and Event Management) systems can help detect attacks in real time.

4. Restrict Tomcat Service Privileges
🔹 Avoid running Tomcat with administrator privileges. This reduces the impact if the server is compromised.

5. Deploy a Web Application Firewall (WAF)
🔹 Solutions like ModSecurity can filter out malicious requests before they reach Tomcat.

6. Use Network Scanning Tools
🔹 Regularly scan your network for vulnerable servers using Nmap, Nessus, or OpenVAS.

7. Update Snort IDS/IPS Rules
🔹 Configure Snort IDS/IPS to detect attacks targeting Tomcat servers.
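As an added illustration of steps 3 and 7 (not code from the original article or from the Apache project), the script below scans Tomcat access-log lines for PUT requests, the HTTP method the partial-PUT prerequisite above depends on, and rates an accepted partial PUT (Content-Range header present) highest. It assumes the AccessLogValve pattern shown in the comment, which is not Tomcat's default, and the sample lines are constructed.

```python
import re

# Assumed AccessLogValve pattern (set in server.xml; not Tomcat's default):
#   %h %l %u %t "%r" %s %b "%{Content-Range}i"
# Tomcat logs "-" for an absent header or a zero byte count.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" '
    r'(?P<status>\d{3}) \S+ "(?P<range>[^"]*)"$'
)
WRITE_OK = {200, 201, 204}  # the server accepted the write


def parse_line(line: str):
    """Fields of one access-log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    d["range"] = "" if d["range"] == "-" else d["range"]
    return d


def classify(entry: dict) -> str:
    """critical: accepted partial PUT (Content-Range present);
    high: any accepted PUT, i.e. writes are enabled on the server;
    info: PUT attempted but rejected; none: not a PUT at all."""
    if entry["method"] != "PUT":
        return "none"
    accepted = entry["status"] in WRITE_OK
    if accepted and entry["range"]:
        return "critical"
    return "high" if accepted else "info"


def scan(lines) -> list:
    """Return (level, host, path, status) for every PUT seen in the log."""
    findings = []
    for line in lines:
        e = parse_line(line)
        if e is not None and (level := classify(e)) != "none":
            findings.append((level, e["host"], e["path"], e["status"]))
    return findings


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Mar/2025:10:15:32 +0000] "GET /index.html HTTP/1.1" 200 1024 "-"',
    '10.0.0.9 - - [18/Mar/2025:10:16:01 +0000] "PUT /upload/data.bin HTTP/1.1" 201 - "bytes 0-999/2000"',
    '10.0.0.9 - - [18/Mar/2025:10:16:02 +0000] "PUT /notes.txt HTTP/1.1" 409 - "-"',
    '10.0.0.7 - - [18/Mar/2025:10:17:10 +0000] "PUT /report.pdf HTTP/1.1" 204 - "-"',
]
```

On a server where the default servlet is read-only, any "high" or "critical" finding means the configuration differs from what you expect and should be checked before the patch status is.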

The CVE-2025-24813 vulnerability in Apache Tomcat is extremely dangerous, allowing attackers to fully take over a server. As this vulnerability is actively being exploited, system administrators must immediately install updates and implement strong security measures.

🛡 Stay vigilant and update Apache Tomcat as soon as possible to protect your systems!