One PUT Request to Own Tomcat: CVE-2025-24813 RCE is in the Wild – API Security


URL: https://lab.wallarm.com/one-put-request-to-own-tomcat-cve-2025-24813-rce-is-in-the-wild/

A devastating new remote code execution (RCE) vulnerability, CVE-2025-24813, is now actively exploited in the wild. Attackers need just one PUT API request to compromise Apache Tomcat servers.

You Should Know:

#### **1. Vulnerability Overview**

  • CVE ID: CVE-2025-24813
  • Affected Software: Apache Tomcat (versions 9.x, 10.x)
  • Exploit Method: Malicious PUT request leading to arbitrary file upload and RCE.
  • Impact: Full server compromise.

#### **2. Detection & Mitigation**

Check if your Tomcat is vulnerable:

```bash
# Writes test.jsp on the server if PUT is enabled; remove the file after the test
curl -X PUT http://yourtomcatserver:8080/test.jsp -d "<% out.println(\"Vulnerable\"); %>"
```

If the server responds with a 201 Created, it is vulnerable.

**Mitigation Steps:**

1. **Update Tomcat** to the latest patched version.

2. **Disable PUT/DELETE methods** in `web.xml`:

```xml
<!-- Deny PUT and DELETE on every URL for all users (empty auth-constraint) -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>restricted-methods</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>PUT</http-method>
    <http-method>DELETE</http-method>
  </web-resource-collection>
  <auth-constraint/>
</security-constraint>
```

3. Use a WAF (e.g., ModSecurity) to block malicious PUT requests:

```apache
# Reject every PUT in the request-header phase, before the body is read
SecRule REQUEST_METHOD "^PUT$" "id:1001,phase:1,deny,status:403,msg:'PUT method blocked'"
```

#### **3. Exploit Simulation (For Ethical Testing)**

```text
msfconsole
use exploit/multi/http/tomcat_put_rce
set RHOSTS <target_IP>
set RPORT 8080
set TARGETURI /
exploit
```

#### **4. Log Analysis for Compromise**

Check Tomcat logs for suspicious PUT requests:

```bash
# Request methods are recorded by the AccessLogValve (localhost_access_log.<date>.txt
# by default), not in catalina.out, which only carries JVM and webapp stdout/stderr
grep '"PUT ' /var/log/tomcat/localhost_access_log.*.txt
```
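As an added example (not part of the original post), the following Python script parses Tomcat's default "common" access-log format and flags PUT/DELETE entries, rating an accepted PUT to a .jsp/.war/.session path as a possible file write; the log lines are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Tomcat "common" access log pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" (?P<status>\d{3}) \S+$'
)
# Extensions that should never be writable through PUT on a Tomcat host
RISKY_EXT = ('.jsp', '.jspx', '.war', '.session')

@dataclass
class Finding:
    host: str
    time: str
    method: str
    path: str
    status: int
    reason: str

def analyze_line(line):
    # Returns a Finding for a PUT/DELETE access-log entry, else None
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    method, path, status = m['method'], m['path'], int(m['status'])
    if method not in ('PUT', 'DELETE'):
        return None
    base = path.split('?', 1)[0].lower()
    if method == 'PUT' and status in (201, 204) and base.endswith(RISKY_EXT):
        reason = 'PUT accepted for server-side resource: possible file write'
    elif status in (201, 204):
        reason = f'{method} accepted by server'
    else:
        reason = f'{method} attempted, status {status}'
    return Finding(m['host'], m['time'], method, path, status, reason)

def analyze_log(lines):
    return [f for f in (analyze_line(l) for l in lines) if f]

# Constructed sample log lines, not real traffic
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2025:14:22:31 +0000] "GET /index.html HTTP/1.1" 200 1043
203.0.113.5 - - [10/Mar/2025:14:22:40 +0000] "PUT /test.jsp HTTP/1.1" 201 -
203.0.113.5 - - [10/Mar/2025:14:22:41 +0000] "GET /test.jsp HTTP/1.1" 200 11
198.51.100.7 - - [10/Mar/2025:14:30:02 +0000] "PUT /upload/notes.txt HTTP/1.1" 403 -
"""
if __name__ == '__main__':
    for f in analyze_log(SAMPLE_LOG.splitlines()):
        print(f'{f.time} {f.host} {f.method} {f.path} {f.status}: {f.reason}')
```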

### **What Undercode Says:**

This vulnerability is critical due to its low attack complexity and high impact. System administrators must:
– Patch immediately.
– Monitor logs for PUT requests.
– Restrict unnecessary HTTP methods.
– Use fail2ban to block brute-force attempts.

**Additional Linux Commands for Security:**

```bash
# Check running Tomcat processes
ps aux | grep tomcat

# Verify installed Tomcat version
/usr/share/tomcat/bin/version.sh

# Block IPs with suspicious PUT requests
# Caution: the string match drops any packet to port 8080 whose payload contains
# the bytes "PUT", not only HTTP request lines; prefer the web.xml or WAF controls above
iptables -A INPUT -p tcp --dport 8080 -m string --string "PUT" --algo bm -j DROP
```

### **Expected Output:**

A secured Tomcat server with disabled PUT/DELETE methods, updated patches, and monitored logs.


References:

Reported By: Cherif Diallo – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
