CVE-2025-24813 – Path Equivalence Leads to Remote Code Execution in Apache Tomcat
A critical vulnerability, CVE-2025-24813, has been identified in Apache Tomcat. It allows unauthenticated remote code execution (RCE) via crafted partial PUT requests that exploit path equivalence issues in the default servlet when write permissions are enabled and Tomcat’s file-based session persistence (FileStore) is in use. Having both configured should be relatively rare; nonetheless, Tomcat itself is widespread. This issue affects Apache Tomcat from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, and from 9.0.0.M1 through 9.0.98.
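The paragraph above names three things a defender can check directly: the running Tomcat version against the affected ranges, whether the default servlet has been made writable, and whether FileStore session persistence is configured. The script below is an added example for that exposure check; it is not IONIX's code nor anything from the Tomcat project. It parses the relevant parts of Tomcat's `conf/web.xml` (the default servlet's `readonly` init-param, which Tomcat defaults to `true`) and a `context.xml` (a `<Store>` with the `org.apache.catalina.session.FileStore` class name), and compares a version string against the ranges listed in the advisory. The two pairs of configuration documents embedded in it are constructed samples, one weak and one corrected, and the function and variable names are this example's own.

```python
"""Exposure check for the CVE-2025-24813 preconditions named in the advisory.

Added example (not IONIX's or the Tomcat project's code). Checks:
  * Tomcat version inside the affected ranges the advisory lists,
  * default servlet made writable (readonly=false in conf/web.xml),
  * FileStore session persistence configured in context.xml.
All XML below is constructed sample configuration, not taken from a real host.
"""
import re
import xml.etree.ElementTree as ET

# Affected ranges exactly as stated in the advisory (inclusive on both ends).
AFFECTED = {
    11: ((11, 0, 0), (11, 0, 2)),    # 11.0.0-M1 through 11.0.2
    10: ((10, 1, 0), (10, 1, 34)),   # 10.1.0-M1 through 10.1.34
    9:  ((9, 0, 0), (9, 0, 98)),     # 9.0.0.M1 through 9.0.98
}


def parse_version(v):
    """'10.1.34', '11.0.0-M1' or '9.0.0.M1' -> (major, minor, patch, milestone or None)."""
    m = re.match(r'^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$', v.strip())
    if not m:
        raise ValueError(f'unrecognised Tomcat version: {v!r}')
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    milestone = int(m.group(4)) if m.group(4) else None
    return major, minor, patch, milestone


def is_affected_version(v):
    """True when v falls inside one of the advisory's affected ranges."""
    major, minor, patch, milestone = parse_version(v)
    if major not in AFFECTED:
        return False
    low, high = AFFECTED[major]
    # A milestone (M-build) sorts before the GA build with the same numbers, so it
    # gets a -1 fourth component; the advisory's lower bounds are milestones.
    key = (major, minor, patch, -1 if milestone is not None else 0)
    return (low + (-1,)) <= key <= (high + (0,))


def _local(tag):
    """Strip an XML namespace prefix: '{uri}servlet' -> 'servlet'."""
    return tag.rsplit('}', 1)[-1]


def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name and child.text is not None:
            return child.text.strip()
    return None


def default_servlet_writable(web_xml):
    """True when the default servlet's 'readonly' init-param is set to false.
    Tomcat's default is readonly=true, so an absent parameter means read-only."""
    root = ET.fromstring(web_xml)
    for servlet in root.iter():
        if _local(servlet.tag) != 'servlet':
            continue
        if _child_text(servlet, 'servlet-class') != 'org.apache.catalina.servlets.DefaultServlet':
            continue
        for param in servlet:
            if _local(param.tag) == 'init-param' and _child_text(param, 'param-name') == 'readonly':
                return (_child_text(param, 'param-value') or '').lower() == 'false'
    return False


def file_store_enabled(context_xml):
    """True when a <Store> element uses Tomcat's FileStore session persistence."""
    root = ET.fromstring(context_xml)
    return any(_local(e.tag) == 'Store' and e.get('className', '').endswith('.FileStore')
               for e in root.iter())


def assess(version, web_xml, context_xml):
    """Combine the three checks; 'exposed' is True only when all preconditions hold."""
    findings = {
        'affected_version': is_affected_version(version),
        'default_servlet_writable': default_servlet_writable(web_xml),
        'file_store_session_persistence': file_store_enabled(context_xml),
    }
    findings['exposed'] = all(findings.values())
    return findings


# Constructed samples: weak settings beside the corrected ones.
WEAK_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""
HARDENED_WEB_XML = WEAK_WEB_XML.replace('<param-value>false</param-value>',
                                        '<param-value>true</param-value>')
WEAK_CONTEXT_XML = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore"/>
  </Manager>
</Context>"""
HARDENED_CONTEXT_XML = "<Context/>"   # default in-memory StandardManager, no Store

if __name__ == '__main__':
    for label, ver, web, ctx in [('weak', '10.1.34', WEAK_WEB_XML, WEAK_CONTEXT_XML),
                                 ('hardened', '10.1.34', HARDENED_WEB_XML, HARDENED_CONTEXT_XML)]:
        print(label, assess(ver, web, ctx))
```

Run it against a host's actual `conf/web.xml` and `context.xml` by reading those files into the two string arguments; any `exposed: True` result identifies an instance that satisfies every precondition the advisory names and should be upgraded or have the default servlet returned to read-only.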
The IONIX research team developed and tested an exploit simulation on relevant assets to verify the vulnerability’s impact and assess potential exposure. The findings are detailed in this post.