CVE-2025-24813 Scanner
Apache Tomcat Remote Code Execution (RCE) vulnerability allows attackers to execute arbitrary code due to improper handling of filenames.
Short Info
Level: Medium
Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 17 days 7 hours
Scan only one: Domain, Subdomain, IPv4
Toolbox: -
Apache Tomcat is an open-source Java-based web server developed by the Apache Software Foundation. It is widely used to deploy Java servlets, JavaServer Pages (JSP), and WebSocket applications. Apache Tomcat is employed extensively across industries such as banking, e-commerce, healthcare, and telecommunications to host and run web applications. Its popularity stems from its ease of use, scalability, and compatibility with multiple operating systems. Tomcat functions both as a standalone web server and as a servlet container behind web servers such as Apache HTTP Server. It is a critical component of Java application hosting, delivering dynamic web content.
This vulnerability involves path equivalence and improper handling of internal dot ('.') characters in file names, which can lead to remote code execution. Attackers exploit it by uploading malicious content through the Default Servlet, particularly when the servlet is write-enabled. Because the internal handling of file names can be manipulated, security checks designed to prevent code execution are bypassed, and attackers may execute arbitrary Java code remotely on the server. The issue can also lead to unauthorized access to, or disclosure of, sensitive information stored on the affected system. Apache Tomcat versions before 11.0.3, 10.1.35, and 9.0.98 are vulnerable.
Technically, the vulnerability arises from improper sanitization and handling of file names containing internal dots by Apache Tomcat's Default Servlet. The servlet incorrectly processes requests carrying specially crafted file names, which allows attackers to leverage path equivalence issues. The vulnerable endpoint is typically the Default Servlet with write permissions enabled, reachable via HTTP PUT requests; the vulnerable parameter is the file name in those requests, through which malicious payloads are injected into the server. Once uploaded, a payload can be triggered by subsequent crafted HTTP requests, leading to unauthorized command execution. The vulnerability is reproducible via crafted PUT requests to endpoints that accept file uploads without proper validation. Successful exploitation allows attackers to execute arbitrary Java code on the vulnerable server and potentially compromise sensitive data. With that access, attackers may gain full control of the affected system, deploy malware, or establish persistence. Confidentiality, integrity, and availability of the server could be severely impacted, affecting hosted applications and user data. In a worst-case scenario, attackers might escalate privileges within the affected environment and move laterally within the network. Such exploitation poses significant threats, including data breaches, service disruption, and long-term unauthorized access.
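As an added example that is not part of the scanner page or of Tomcat itself, the following Python script checks the two preconditions the text names: a Tomcat version below the fixed releases, and a Default Servlet with write access enabled (the `readonly` init-param set to `false` in conf/web.xml). The web.xml fragment is constructed for the example.

```python
# Added example (not from the scanner page): check the two preconditions the text
# names for CVE-2025-24813, an affected version and a write-enabled Default Servlet.
import xml.etree.ElementTree as ET

# Fixed releases named in the advisory text, keyed by (major, minor) branch.
FIXED = {(11, 0): (11, 0, 3), (10, 1): (10, 1, 35), (9, 0): (9, 0, 98)}

def parse_version(text):
    """'10.1.34' -> (10, 1, 34); a suffix such as '-M1' is ignored."""
    return tuple(int(p) for p in text.split("-")[0].split(".")[:3])

def version_affected(version):
    """True below the branch's fixed release; None for branches not listed."""
    v = parse_version(version)
    fixed = FIXED.get(v[:2])
    return None if fixed is None else v < fixed

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # strip the XML namespace prefix

def default_servlet_writable(web_xml):
    """True when the DefaultServlet declares readonly=false (default is true)."""
    for servlet in ET.fromstring(web_xml).iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls = next((c.text or "" for c in servlet if _local(c.tag) == "servlet-class"), "")
        if not cls.strip().endswith("DefaultServlet"):
            continue
        for param in servlet:
            if _local(param.tag) == "init-param":
                kv = {_local(c.tag): (c.text or "").strip() for c in param}
                if kv.get("param-name") == "readonly":
                    return kv.get("param-value", "").lower() == "false"
    return False

def exposed(version, web_xml):
    """Both preconditions hold: affected version and writable Default Servlet."""
    return bool(version_affected(version)) and default_servlet_writable(web_xml)

# Constructed web.xml fragment in the shape of Tomcat's conf/web.xml.
SAMPLE_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""

if __name__ == "__main__":
    print("exposed:", exposed("10.1.34", SAMPLE_WEB_XML))
```

Run it against the real conf/web.xml and the version reported by the Tomcat build; a version outside the three listed branches is reported as None (not assessed) rather than as safe.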