A critical vulnerability in Apache Tomcat, identified as CVE-2025-24813, is currently being exploited in the wild, posing significant risks to affected systems. This flaw, which has been assigned a CVSS score of 9.8, allows for remote code execution and information disclosure, and has been linked to Iranian IRGC data extortion operations.
The vulnerability affects Apache Tomcat versions from 11.0.0-M1 through 11.0.2 and from 10.1.0-M1 through 10. It exploits a path equivalence issue in the 'file.Name' (Internal Dot) that can lead to malicious content being added to uploaded files via the write-enabled Default Servlet. This flaw enables attackers to execute arbitrary code on vulnerable servers, potentially leading to severe data breaches and system compromises.
The exploitation of CVE-2025-24813 was observed within 21 days of its disclosure, highlighting the rapid pace at which threat actors are capitalizing on newly disclosed vulnerabilities. The vulnerability was published on March 10, 2025, and was added to the Known Exploited Vulnerabilities (KEV) catalog on April 1, 2025. The Exploit Prediction Scoring System (EPSS) has rated this vulnerability at 0.942, indicating a high likelihood of exploitation.
Security researchers have noted that a proof-of-concept (PoC) exploit is available, with at least 51 instances of it being shared within the cybersecurity community. This widespread availability of PoC exploits increases the risk of exploitation by a broader range of threat actors, beyond the initial attribution to the Iranian IRGC.
Organizations using affected versions of Apache Tomcat are urged to apply patches immediately to mitigate the risk of exploitation. The Apache Software Foundation has released updates to address this vulnerability, and administrators should prioritize these updates to protect their systems from potential attacks.
Given the critical nature of this vulnerability and its active exploitation, defenders should also monitor their systems for signs of compromise. Indicators of exploitation may include unexpected changes to uploaded files, unauthorized access attempts, and unusual network traffic patterns. Implementing additional security measures, such as web application firewalls and intrusion detection systems, can help detect and prevent exploitation attempts.
The rapid exploitation of CVE-2025-24813 underscores the importance of timely vulnerability management and patching. Organizations must remain vigilant and proactive in their cybersecurity efforts to defend against increasingly sophisticated and opportunistic threat actors.
CSURFACE