A newly discovered remote code execution (RCE) vulnerability, CVE-2025-24813, is actively being exploited, putting Apache Tomcat servers at risk—malicious actors need but a single PUT API request to gain full control over vulnerable systems.
The exploit was initially published by a Chinese forum user, iSee857, with a proof-of-concept (PoC) code now readily available online.
How a Simple PUT Request Leads to Full RCE
The attack takes advantage of Tomcat’s default session persistence mechanism and its support for partial PUT requests. Wallarm says it follows a straightforward two-step process:
Step 1: Uploading a Malicious Serialized Session
According to Wallarm: “The attacker starts by sending a PUT request to upload a malicious session file to the server. The payload is a base64-encoded ysoserial gadget chain, designed to trigger remote code execution when deserialized. This request writes a file inside Tomcat’s session storage directory. Because Tomcat automatically saves session data in files, the malicious payload is now stored on disk, waiting to be deserialized.”
Step 2: Triggering Execution via Session Cookie
“Once the session file is uploaded, the attacker triggers deserialization by sending a simple GET request with the JSESSIONID pointing to the malicious session. Tomcat, seeing this session ID, retrieves the stored file, deserializes it, and executes the embedded Java code, granting full remote access to the attacker,” the researchers explained.
No Authentication Needed
This vulnerability is a major threat because it needs no authentication and exploits commonly used Tomcat session storage settings. Also, its use of base64 encoding helps malefactors fly under the radar of traditional security filters, making detection particularly tricky.
Unfortunately, most Web Application Firewalls (WAFs) are unable to detect this attack thanks to the PUT request appearing normal and containing no obviously malicious content. Also, Base64 encoding obscures the exploit from pattern-based detection, and another factor is the attack’s multi-step nature, where the harmful execution occurs only during deserialization.
By the time a firm notices the breach in its logs, significant damage may have already been done.
How Wallarm Detects and Blocks This Threat in Real-Time
Unlike traditional WAFs, Wallarm’s API security platform provides real-time protection against such attacks through:
- Decoding base64 payloads before analysis, revealing hidden attacks.
- Unpacking and inspecting serialized Java objects, detecting ysoserial exploits instantly.
- Tracking multi-step attacks, recognizing when a session file upload leads to code execution.
- Blocking malicious API requests in real-time, preventing the session file from ever being used.
Wallarm first detected an attack using CVE-2025-24813 on 12 March at 12:38 PM CST, originating from Poland—days before the public PoC appeared on GitHub.
Real-Time API Security is Vital
Wallarm says while this exploit abuses session storage, the greater issue is partial PUT handling in Tomcat, which enables uploading practically any file anywhere. “Attackers will soon start shifting their tactics, uploading malicious JSP files, modifying configurations, and planting backdoors outside session storage.”
CVE-2025-24813 is a sign of the rapid evolution of cyber threats, as it went from disclosure to active exploitation in a mere 30 hours. This is why traditional reactive security measures, such as waiting for CVE patches and relying on WAF rule updates, are no longer good enough.
According to Wallarm, entities must move towards proactive security strategies, including real-time threat detection, automated payload decoding, and deep inspection. They also need to look at advanced API security solutions that are able to block attacks as they happen.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.