{"id":467,"date":"2025-03-19T16:30:21","date_gmt":"2025-03-19T16:30:21","guid":{"rendered":"https:\/\/www.techrepublic.com\/?p=4298508"},"modified":"2025-03-19T16:30:21","modified_gmt":"2025-03-19T16:30:21","slug":"stealthy-apache-tomcat-critical-exploit-bypasses-security-filters-are-you-at-risk","status":"publish","type":"post","link":"https:\/\/blog.tecnoartesanos.com\/index.php\/2025\/03\/19\/stealthy-apache-tomcat-critical-exploit-bypasses-security-filters-are-you-at-risk\/","title":{"rendered":"Stealthy Apache Tomcat Critical Exploit Bypasses Security Filters: Are You at Risk?"},"content":{"rendered":"
\"Kurilian
Image: cynoclub\/Envato Elements<\/figcaption><\/figure>\n

Apache Tomcat is under attack as cybercriminals actively exploit a recently disclosed vulnerability, enabling remote code execution (RCE). With simple HTTP requests, attackers can trigger the deserialisation of malicious data and gain control over affected systems.<\/p>\n

The vulnerability, CVE-2025-24813<\/a>, was disclosed by Apache on March 10, with the first proof of concept<\/a> being released on GitHub about 30 hours later, posted by user iSee857. Soon after, security firm Wallarm later saw that this was being leveraged in the wild, warning that the attacks are undetectable to traditional security filters as HTTP requests appear normal and malicious payloads are base64-encoded.<\/p>\n

First, an attacker sends a PUT request containing an encoded, serialised Java payload, which is then written inside Tomcat\u2019s session storage and automatically saved in a file. Then they send a GET request with a JSESSIONID cookie pointing to the malicious session.<\/p>\n

When Tomcat processes this request, it deserialises the session data without proper validation, executing the embedded malicious Java code and giving the attacker full remote access.<\/p>\n

SEE: How to Use the Apache Web Server to Install and Configure a Website<\/a><\/strong><\/p>\n