CVE-2025-24813 affecting Apache Tomcat


4:30pm, 18 March 2025

TLP Rating: Clear

CVE-2025-24813 could allow an unauthenticated attacker to upload a malicious serialised payload to a Tomcat server, leading to arbitrary code execution when certain conditions are met.

An upgrade to the latest version is available.

What's happening

Systems affected

Apache Tomcat versions:
•    11.0.0-M1 – 11.0.2
•    10.1.0-M1 – 10.1.34
•    9.0.0.M1 – 9.0.98

Applications that use the affected Apache Tomcat versions must also meet several conditions for an attacker to view the security sensitive files or inject content into those files. A separate list of conditions must be met for an attacker to gain RCE.

What this means

Listed Apache Tomcat versions with additional conditions met are vulnerable.

The NCSC is aware of a proof of concept (PoC) and open-source reporting of active exploitation of CVE-2025-24813.

What to look for

How to tell if you're at risk

You are at risk if you are running an Apache Tomcat server within the listed versions and your installation also meets the additional conditions listed in the vendor advisory.

What to do

Prevention

•    Upgrade to Apache Tomcat 11.0.3 or later
•    Upgrade to Apache Tomcat 10.1.35 or later
•    Upgrade to Apache Tomcat 9.0.99 or later
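To check an installed Tomcat version against the affected ranges and fixed releases listed above, here is an added Python example (not NCSC or Apache code). It assumes the version string as printed by Tomcat's version script (e.g. "9.0.98" or "11.0.0-M1"); a match means only that the additional conditions in the vendor advisory still need to be reviewed.

```python
import re

# Affected ranges taken from the advisory above (inclusive bounds).
AFFECTED_RANGES = [
    ("11.0.0-M1", "11.0.2"),
    ("10.1.0-M1", "10.1.34"),
    ("9.0.0.M1", "9.0.98"),
]

# Fixed versions named in the advisory, keyed by (major, minor) branch.
FIXED_VERSIONS = {(11, 0): "11.0.3", (10, 1): "10.1.35", (9, 0): "9.0.99"}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")

def version_key(version):
    """Turn a Tomcat version string into a sortable tuple.

    Milestones (11.0.0-M1, 9.0.0.M1) sort before the corresponding
    final release; the 'M' may be joined by '-' or '.'.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))

def is_listed_version(version):
    """True if the version falls inside one of the affected ranges."""
    key = version_key(version)
    return any(version_key(lo) <= key <= version_key(hi) for lo, hi in AFFECTED_RANGES)

def recommended_upgrade(version):
    """Fixed version for this branch, or None if the branch is not listed."""
    key = version_key(version)
    return FIXED_VERSIONS.get((key[0], key[1]))

def assess(version):
    """One-line verdict; a listed version still needs the advisory's conditions checked."""
    if is_listed_version(version):
        return f"{version}: listed; upgrade to {recommended_upgrade(version)} and review conditions"
    return f"{version}: not in the listed ranges"

if __name__ == "__main__":
    for v in ["9.0.98", "9.0.99", "10.1.0-M1", "11.0.3", "8.5.100"]:  # constructed samples
        print(assess(v))
```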

More information

Apache advisory:

[SECURITY] CVE-2025-24813 Potential RCE and/or information disclosure and/or information corruption with partial PUT (Apache Mail Archives)

If you require more information or further support, submit a report on our website or contact us on 0800 114 115.

For media enquiries, email our media desk at media@ncsc.govt.nz.