Hackers Are Actively Exploiting Apache Tomcat Servers – Patch Now!


Threat actors are actively exploiting a critical vulnerability in Apache Tomcat, tracked as CVE-2025-24813, which can enable unauthenticated remote code execution (RCE) on vulnerable servers. Attackers abuse partial PUT requests to write malicious payloads to the server, leading to arbitrary code execution. The root cause lies in how Apache Tomcat handles file paths during partial PUT requests.

🔗 Read more: https://lnkd.in/gZYEwWFN

You Should Know:

1. Verify Your Tomcat Version

Check whether your Apache Tomcat installation is vulnerable by printing its version:

$CATALINA_HOME/bin/version.sh # Linux 
.\bin\version.bat # Windows 

If your version is below 10.1.20, you are at risk.

2. Immediate Mitigation Steps

  • Disable PUT and DELETE methods in web.xml (an empty <auth-constraint /> denies every caller; <web-resource-name> is a required element):
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Block write methods</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>PUT</http-method>
        <http-method>DELETE</http-method>
      </web-resource-collection>
      <auth-constraint />
    </security-constraint>
    
  • Block suspicious IPs using iptables:
    iptables -A INPUT -p tcp --dport 8080 -s <MALICIOUS_IP> -j DROP 
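To confirm that the web.xml change above actually took effect, the following script audits a web.xml the way a reviewer would. It is an added example written for this post, not code from the original article or from the Tomcat project: it parses the file with Python's standard library and reports whether a deny-all security-constraint on /* lists PUT and DELETE. It also reports whether the servlet named "default" sets readonly=false, a DefaultServlet init-param whose default value is true (that check is general Tomcat knowledge, not something the post states). Both web.xml documents in the script are constructed samples; the weak one shows the edge case of a constraint that names a role instead of denying everyone.

```python
"""Audit a Tomcat web.xml for the PUT/DELETE deny rule shown in step 2.

Added example, not code from the original post or the Tomcat project.
The two documents at the bottom are constructed samples, not real files.
"""
import sys
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip the XML namespace; Tomcat's web.xml declares one on <web-app>."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _text(elem):
    return (elem.text or "").strip()


def audit_write_methods(xml_text, methods=("PUT", "DELETE")):
    """Return {method: True} when a deny-all constraint on /* lists it."""
    root = ET.fromstring(xml_text)
    denied = {m: False for m in methods}
    for sc in _children(root, "security-constraint"):
        auth = _children(sc, "auth-constraint")
        # No <auth-constraint>, or one that names roles, does not deny everyone.
        if not auth or _children(auth[0], "role-name"):
            continue
        for wrc in _children(sc, "web-resource-collection"):
            patterns = {_text(p) for p in _children(wrc, "url-pattern")}
            if "/*" not in patterns:
                continue
            listed = {_text(h).upper() for h in _children(wrc, "http-method")}
            for m in methods:
                if m in listed:
                    denied[m] = True
    return denied


def default_servlet_writable(xml_text):
    """True if the servlet named 'default' sets readonly to false."""
    root = ET.fromstring(xml_text)
    for servlet in _children(root, "servlet"):
        if "default" not in [_text(n) for n in _children(servlet, "servlet-name")]:
            continue
        for param in _children(servlet, "init-param"):
            pname = [_text(n) for n in _children(param, "param-name")]
            pvalue = [_text(v) for v in _children(param, "param-value")]
            if pname == ["readonly"] and pvalue and pvalue[0].lower() == "false":
                return True
    return False


def is_hardened(xml_text):
    """Both write methods denied and the default servlet left read-only."""
    return (all(audit_write_methods(xml_text).values())
            and not default_servlet_writable(xml_text))


# Constructed sample: PUT is restricted to a role, not denied, and the default
# servlet has been made writable.
WEAK_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Uploads</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>manager</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# Constructed sample with the deny-all constraint from step 2 applied.
HARDENED_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
  </servlet>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Block write methods</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>PUT</http-method>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint />
  </security-constraint>
</web-app>"""

if __name__ == "__main__":
    # Usage: python audit_web_xml.py $CATALINA_HOME/conf/web.xml
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else HARDENED_WEB_XML
    print("PUT/DELETE denied:", audit_write_methods(text))
    print("default servlet writable:", default_servlet_writable(text))
    print("hardened:", is_hardened(text))
```

Run it against both $CATALINA_HOME/conf/web.xml and each application's WEB-INF/web.xml, since a per-application descriptor can override the global one.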
    

3. Patch or Upgrade

  • Upgrade to Tomcat 10.1.20+:
    wget https://downloads.apache.org/tomcat/tomcat-10/v10.1.20/bin/apache-tomcat-10.1.20.tar.gz 
    tar -xzf apache-tomcat-10.1.20.tar.gz 
    
  • Apply backported patches if upgrading isn’t feasible.

4. Monitor Logs for Exploitation Attempts

grep -E '"(PUT|DELETE) ' $CATALINA_HOME/logs/localhost_access_log.* 

Look for unusual file uploads, in particular write requests that the server accepted (2xx status) and that target executable content (e.g., `.jsp`, `.war`).
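The grep above is a quick first pass; the script below is an added example (not from the original post) of the same check done with a little more care, in Python so it can be run over a whole set of rotated access logs. It parses Tomcat's default "common" access log pattern (%h %l %u %t "%r" %s %b), matches on the request method rather than on the substring "PUT", separates accepted writes from rejected ones, flags accepted writes to .jsp/.jspx/.war paths, and reports any client that sent a burst of PUTs, which is the kind of spike a SIEM rule would alert on. The log lines are constructed samples, not real traffic; the threshold of three PUTs is an assumption for the demonstration.

```python
"""Scan Tomcat access log lines for write requests worth a closer look.

Added example, not code from the original post. The log lines below are
constructed samples; the field layout follows Tomcat's "common" pattern.
"""
import re
import sys
from collections import Counter

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)
WRITE_METHODS = {"PUT", "DELETE"}
RISKY_SUFFIXES = (".jsp", ".jspx", ".war")


def parse_line(line):
    """Return the request fields as a dict, or None if the line is not in common format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def analyse(lines, put_threshold=3):
    """Group write requests by outcome and list clients with >= put_threshold PUTs."""
    accepted, risky, blocked = [], [], []
    puts_per_ip = Counter()
    for line in lines:
        rec = parse_line(line)
        # Matching the parsed method avoids grep's false hits on "put" inside URLs.
        if rec is None or rec["method"] not in WRITE_METHODS:
            continue
        if rec["method"] == "PUT":
            puts_per_ip[rec["ip"]] += 1
        if rec["status"] in (401, 403, 405):
            blocked.append(rec)          # the constraint or WAF did its job
        elif 200 <= rec["status"] < 300:
            accepted.append(rec)         # the server actually wrote/deleted
            if rec["path"].lower().endswith(RISKY_SUFFIXES):
                risky.append(rec)        # executable content reached the server
    spikes = sorted(ip for ip, n in puts_per_ip.items() if n >= put_threshold)
    return {"accepted_writes": accepted, "risky_writes": risky,
            "blocked_writes": blocked, "spike_ips": spikes}


# Constructed sample log (documentation IP ranges, made-up timestamps).
SAMPLE_LOG = [
    '203.0.113.5 - - [17/Mar/2025:10:15:30 +0000] "GET /index.html HTTP/1.1" 200 1234',
    '203.0.113.5 - - [17/Mar/2025:10:15:31 +0000] "PUT /upload/part1.txt HTTP/1.1" 201 -',
    '203.0.113.5 - - [17/Mar/2025:10:15:32 +0000] "PUT /upload/part2.txt HTTP/1.1" 201 -',
    '203.0.113.5 - - [17/Mar/2025:10:15:33 +0000] "PUT /upload/cmd.jsp HTTP/1.1" 201 -',
    '198.51.100.7 - - [17/Mar/2025:10:16:01 +0000] "PUT /docs/readme.txt HTTP/1.1" 405 -',
    '192.0.2.9 - - [17/Mar/2025:10:16:05 +0000] "GET /api/output.json HTTP/1.1" 200 88',
    '192.0.2.9 - - [17/Mar/2025:10:16:06 +0000] "DELETE /docs/old.war HTTP/1.1" 204 -',
]

if __name__ == "__main__":
    # Usage: python scan_access_log.py $CATALINA_HOME/logs/localhost_access_log.*
    lines = []
    for path in sys.argv[1:]:
        with open(path, errors="replace") as fh:
            lines.extend(fh)
    report = analyse(lines or SAMPLE_LOG)
    for key in ("risky_writes", "accepted_writes", "blocked_writes"):
        print(f"{key}: {len(report[key])}")
        for rec in report[key]:
            print(f"  {rec['ip']} {rec['method']} {rec['path']} -> {rec['status']}")
    print("PUT burst from:", ", ".join(report["spike_ips"]) or "none")
```

Note that the access log does not record the Content-Range header that distinguishes a partial PUT from a full one, so accepted writes of any kind are the signal to chase; a 201 for a .jsp path from a client that also sent a burst of PUTs is the combination to escalate first.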

5. Enforce Strict File Permissions

chmod -R 750 $CATALINA_HOME/webapps/ 
chown -R tomcat:tomcat $CATALINA_HOME/ 

6. Disable AJP Connector (If Unused)

Edit `server.xml` and comment out:

<!-- <Connector protocol="AJP/1.3" ... /> --> 

What Undercode Say:

Apache Tomcat remains a prime target due to misconfigurations and delayed patching. Beyond patching:
– Use a WAF (ModSecurity) to block exploit attempts.
– Restrict network access to Tomcat ports (8080, 8009).
– Deploy SIEM rules for anomaly detection (e.g., spikes in PUT requests).
– Test backups—assume compromise if unpatched.

Expected Output:

[+] Tomcat version 10.1.20 installed. 
[+] PUT/DELETE methods disabled. 
[+] Malicious IPs blocked via iptables. 
[+] Log monitoring active for exploit patterns. 

Stay vigilant—attackers move faster than patches. 🚨

References:

Reported By: Cybersecurity News – Hackers Feeds