CVE-2025-24813 -- CVSS 9.8 Vulnerability Briefing
CVE-2025-24813 | CVSS 9.8 (Critical) | Exploit: PoC available
What Is It
CVE-2025-24813 is a path equivalence vulnerability in Apache Tomcat's Default Servlet. Depending on the deployment it enables remote code execution, information disclosure, or the addition of malicious content to files uploaded by other users, and it applies only to deployments where the Default Servlet has write access enabled (the readonly init parameter set to false, which is not the default).
Technical Detail
The flaw arises from the way the Default Servlet names files when handling a partial PUT, that is, a PUT request carrying a Content-Range header (partial PUT support is enabled by default). Before writing the result into the web application, the servlet stages the uploaded body in a temporary file under the context's work directory, naming that file after the request path with every "/" replaced by "." (the "file.Name" internal-dot path equivalence). Because other Tomcat components keep files in the same directory, a crafted request path can produce a staged file whose name coincides with a file those components read, and the staged file is left behind even when the final write into the web application is rejected. An unauthenticated remote attacker needs no credentials to send the PUT. For remote code execution the deployment must additionally persist sessions with Tomcat's file-based PersistentManager/FileStore in its default location and have a deserialization-vulnerable library on the classpath: the attacker uploads a serialized Java object so that the staged file is named like a session file, then presents a session ID that makes the FileStore deserialize it. For information disclosure or content injection, a URL used for security-sensitive uploads must be a sub-directory of a URL used for public uploads, the uploads must use partial PUT, and the attacker must know the names of the sensitive files. Affected versions span Apache Tomcat 9.0.0.M1 through 9.0.98, 10.1.0-M1 through 10.1.34, and 11.0.0-M1 through 11.0.2, with the end-of-life 8.5.x branch also confirmed vulnerable; downstream distributions including Debian Linux and NetApp Bootstrap OS are additionally affected.
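The name collision at the heart of the RCE chain, modelled as an added Python illustration (this is not Tomcat's Java code, it re-implements only the two naming rules: the Default Servlet's partial-PUT temp file, and the FileStore session file "<session id>.session", both of which land in the context work directory by default; the work-directory path used here is an assumption):

```python
"""
Model of the file-name collision behind CVE-2025-24813.

Added illustration in Python, not Tomcat's own code. Two rules from
vulnerable releases are re-implemented:
  * DefaultServlet stages a partial PUT body in <work dir>/<request path
    with every '/' turned into '.'>
  * FileStore loads an unknown session id from <work dir>/<id>.session
The work directory path below is an assumed layout for a ROOT context.
"""
import posixpath

WORK_DIR = "/opt/tomcat/work/Catalina/localhost/ROOT"  # assumed layout
SESSION_EXT = ".session"


def partial_put_temp_file(request_path, work_dir=WORK_DIR):
    """Temp file written by a pre-fix DefaultServlet for a PUT that
    carries a Content-Range header; '/x/y' becomes '.x.y' in work_dir."""
    return posixpath.join(work_dir, request_path.replace("/", "."))


def session_store_file(session_id, work_dir=WORK_DIR):
    """File FileStore reads when PersistentManager sees a session id it
    does not hold in memory, using its default directory (work_dir)."""
    return posixpath.join(work_dir, session_id + SESSION_EXT)


def session_id_for_put(request_path):
    """Session id that makes FileStore open the temp file staged by a
    partial PUT to request_path, or None when no id can reach it (the
    converted name must end in '.session' and leave a non-empty id)."""
    name = request_path.replace("/", ".")
    if not name.endswith(SESSION_EXT):
        return None
    return name[: -len(SESSION_EXT)] or None


def collides(request_path, session_id):
    """True when the staged upload and the session file are the same path."""
    return partial_put_temp_file(request_path) == session_store_file(session_id)


if __name__ == "__main__":
    path = "/xxx/session"                      # attacker-chosen PUT target
    sid = session_id_for_put(path)             # -> ".xxx"
    print(path, "->", partial_put_temp_file(path))
    print("JSESSIONID=" + sid, "->", session_store_file(sid))
    print("collision:", collides(path, sid))
```

The leading "/" of the request path becomes a leading "." in the session ID, which is why the collision is invisible to anything that only inspects URLs for dots: the dotted name exists in the work directory, not in the request.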
Exploitation Status
A proof-of-concept exploit is publicly available. This vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities catalog, meaning active in-the-wild exploitation has not been formally confirmed by CISA as of this writing. However, the availability of a public PoC against a widely deployed web application server with a CVSS score of 9.8 significantly lowers the barrier for exploitation and warrants urgent remediation priority.
Who Is Targeting This
No specific threat actor attribution has been confirmed at this time. Given the critical severity, broad deployment footprint of Apache Tomcat across enterprise and cloud environments, and the public availability of a PoC, opportunistic exploitation by unattributed actors is a realistic near-term concern.
What To Do
Organizations should upgrade Apache Tomcat immediately to version 11.0.3 or later, 10.1.35 or later, or 9.0.99 or later, depending on the branch in use. Deployments running the end-of-life 8.5.x branch should migrate to a supported release, as no official patch will be issued for that branch. As an interim workaround, disable write access on the Default Servlet by setting the "readonly" initialization parameter to "true" in web.xml (or by removing the override, since true is the default); note that Tomcat parses this value with Boolean.parseBoolean, so only the literal string "true" disables writes and any other value such as "yes" or "1" leaves them enabled. Where write access is genuinely required, the remote-code-execution precondition can be removed by not persisting sessions with the FileStore in its default work-directory location and by keeping deserialization gadgets off the classpath, although that does not address the content-injection case. Organizations should audit Tomcat configurations, both conf/web.xml and each application's WEB-INF/web.xml, to confirm whether the Default Servlet has write access enabled, as this is not the default setting and represents a deliberate configuration choice that substantially increases exposure. Detection efforts should focus on PUT requests in Tomcat access logs (particularly those with a Content-Range header where request headers are logged, or targeting paths that end in "session"), on unexpected files in the context work directory whose names contain dots where path separators would be, and, if the access log pattern records cookies, on JSESSIONID values that begin with a dot.
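Two of the checks above, an audit of a web.xml for a write-enabled Default Servlet and a first-pass scan of access-log lines for suspicious PUTs, as added example code (not an Apache Tomcat tool). The web.xml fragment and the log lines are constructed samples, and the log format assumed is the common AccessLogValve pattern `%h %l %u %t "%r" %s %b`:

```python
"""
Audit and detection helpers for the remediation advice on CVE-2025-24813.
Added example code, not an official Tomcat utility. SAMPLE_WEB_XML and
SAMPLE_ACCESS_LOG are constructed inputs; the log regex assumes the
AccessLogValve pattern '%h %l %u %t "%r" %s %b'.
"""
import re
import xml.etree.ElementTree as ET

DEFAULT_SERVLET_CLASS = "org.apache.catalina.servlets.DefaultServlet"

# Constructed application web.xml that overrides the Default Servlet with
# writes enabled: the risky, non-default configuration the advisory targets.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
</web-app>
"""


def _local(tag):
    """Drop the XML namespace so the audit works for any web-app schema."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_readonly(web_xml_text):
    """True/False for the Default Servlet's effective 'readonly' in this
    file, or None if the file does not declare the servlet at all (the
    value then comes from conf/web.xml, where it defaults to true).
    Tomcat reads the parameter with Boolean.parseBoolean: only the literal
    "true" (case-insensitive) keeps writes disabled."""
    root = ET.fromstring(web_xml_text)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        servlet_class, params = None, {}
        for child in servlet:
            if _local(child.tag) == "servlet-class":
                servlet_class = (child.text or "").strip()
            elif _local(child.tag) == "init-param":
                name = value = None
                for p in child:
                    if _local(p.tag) == "param-name":
                        name = (p.text or "").strip()
                    elif _local(p.tag) == "param-value":
                        value = (p.text or "").strip()
                if name is not None:
                    params[name] = value
        if servlet_class == DEFAULT_SERVLET_CLASS:
            value = params.get("readonly")
            return True if value is None else value.lower() == "true"
    return None


LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)

# Constructed access-log lines: a PoC-style PUT, normal GETs, and an
# ordinary upload that still merits review because PUT is rare.
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [10/Mar/2025:14:02:11 +0000] "PUT /xxx/session HTTP/1.1" 409 -',
    '203.0.113.7 - - [10/Mar/2025:14:02:12 +0000] "GET / HTTP/1.1" 200 1234',
    '198.51.100.4 - - [10/Mar/2025:14:05:00 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Mar/2025:14:06:30 +0000] "PUT /uploads/report.pdf HTTP/1.1" 201 -',
]


def suspicious_requests(log_lines):
    """Flag every PUT and explain why it deserves a look. The status code is
    recorded but not used to filter: the temp file in the work directory is
    staged before the final write into the webapp, so a 4xx response does
    not mean the attacker's payload was not written."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "PUT":
            continue
        path = m["path"]
        reasons = ["PUT to Default Servlet"]
        if path.rsplit("/", 1)[-1] == "session" or path.endswith(".session"):
            reasons.append("target name maps onto a FileStore session file")
        if any(seg.startswith(".") for seg in path.split("/") if seg):
            reasons.append("dotted path segment")
        hits.append({"host": m["host"], "path": path,
                     "status": int(m["status"]), "reasons": reasons})
    return hits
```

Run `default_servlet_readonly` over conf/web.xml and every deployed WEB-INF/web.xml; a result of False anywhere is the exposure the advisory describes, and None simply defers to the global file. The log scan is a triage aid, not a signature: a partial PUT cannot be distinguished from a whole-file PUT in this log format, so enable request-header logging for Content-Range if PUT traffic is normal in your environment.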