Researchers from GreyNoise have identified active exploitation of CVE-2025-24813, a remote code execution (RCE) vulnerability in Apache Tomcat web server software. This critical flaw, disclosed on March 10, affects several versions of Apache Tomcat, including versions 11.0.0-M1 to 11.0.2, 10.1.0-M1 to 10.1.34, and 9.0.0.M1 to 9.0.98. Following the public disclosure of a proof-of-concept exploit on a Chinese forum, there were immediate concerns about potential widespread exploitation. However, despite these concerns, the specific conditions necessary for successful exploitation mean that the flaw’s impact is expected to be limited.
Initial Discovery and Exploitation Attempts
Unveiling the Exploits
The initial observation of exploitation attempts surfaced just a week after the flaw’s disclosure. Cybersecurity startup Wallarm reported noticing exploit activities by March 17, closely following the publication of the proof-of-concept exploit. The successful exploitation of CVE-2025-24813 requires specific, non-default configurations, which are not commonly found in most Apache Tomcat setups. GreyNoise, an organization specializing in threat intelligence, identified four unique IP addresses attempting to exploit this vulnerability by employing a partial PUT method to deploy malicious payloads. These payloads could potentially enable arbitrary code execution on vulnerable systems.
Geographic Distribution of Attacks
Interestingly, a significant portion of this malicious activity has targeted U.S.-based Apache Tomcat instances. However, the reach of these attempts extends to other regions as well, including Japan, India, South Korea, and Mexico. The broad geographic distribution of these attacks indicates that while the initial exploitation attempts are relatively focused, the deployment of similar attacks could expand. This potential expansion underscores the importance of vigilance among organizations managing Apache Tomcat instances, even if they are not currently configured in a vulnerable manner.
Technical Conditions and Barriers to Widespread Exploitation
Specific Configuration Requirements
Despite early signs of exploitation, the conditions required for running a successful attack present a significant barrier to widespread exploitation. Cloudflare confirmed that remote code execution through this vulnerability requires support for partial PUT requests, knowledge of the target server’s file system structure, and familiarity with internal file naming conventions. Additionally, organizations need to enable writes for the default servlet, a configuration that is not commonly activated.
Consensus Among Security Experts
The consensus among security researchers aligns with the assessment that widespread exploitation is unlikely. Caitlin Condon from Rapid7 highlighted that these specific, non-standard configurations significantly reduce the probability of broader exploitation. Multiple experts reinforce this view, suggesting that while the initial activity indicates interest, the technical barriers will prevent extensive exploitation. The rarity of these configurations means that most Apache Tomcat servers will remain unaffected, providing some reassurance to organizations that have not actively altered their default settings.
Conclusion: Limited Impact and Future Vigilance
Researchers at GreyNoise have identified ongoing exploitation of CVE-2025-24813, a remote code execution (RCE) vulnerability found in Apache Tomcat web server software. This severe vulnerability, disclosed on March 10, impacts multiple versions of Apache Tomcat, specifically versions 11.0.0-M1 to 11.0.2, 10.1.0-M1 to 10.1.34, and 9.0.0.M1 to 9.0.98. The public disclosure of a proof-of-concept exploit on a Chinese forum immediately raised alarms about the potential for widespread exploitation.
Despite these significant concerns, the actual risk is somewhat mitigated due to the specific technical conditions required for successful exploitation. This means that, while the vulnerability is certainly critical, its impact will likely be constrained. System administrators are strongly advised to apply the necessary patches to mitigate any potential risk. To ensure the security of their environments, it is crucial to stay informed about updates and maintain vigilance in monitoring for unusual activity.