Threat & Vulnerability
- CVEAccess the latest CVE (Common Vulnerabilities and Exposures) updates, severity scores, and patch advisories to fortify your systems against known risks.
- Cyber CrimeTrack global cybercrime trends, from ransomware gangs to dark web markets. Explore law enforcement strategies and tools to combat digital crime.
- Data BreachAnalyze recent data breaches, their root causes, and lessons learned. Discover best practices to secure sensitive information and comply with privacy regulations.
- Hacking AlertGet actionable alerts on active cyberattacks, exploit kits, and phishing schemes. Protect your network with timely updates on emerging hacking tactics.
- ThreatStay ahead of evolving cyber threats, including malware, phishing, ransomware, and APTs. Explore real-world attack patterns, mitigation strategies, and threat actor insights to safeguard your digital assets.
- VulnerabilityDive into critical system weaknesses, misconfigurations, and software flaws. Learn how to identify, prioritize, and remediate vulnerabilities before attackers exploit them.
- Zero DayUncover unpatched software vulnerabilities and zero-day exploits. Know mitigation techniques to defend against undisclosed threats.
Security Posture
- BlockchainExplore blockchain vulnerabilities, smart contract audits, and crypto threats. Secure decentralized systems against hacks and fraud.
- Security Best PracticesStreamline your cybersecurity governance with expertly crafted policy templates, actionable procedures, and adaptive guidelines. Learn to design NIST/ISO-aligned policies, implement incident response workflows, and adopt industry standards like CIS Benchmarks or OWASP. Ideal for IT managers, compliance officers, and auditors seeking to build robust, audit-ready security programs while balancing flexibility and regulatory rigor.
- DFIRDive into DFIR frameworks, evidence collection, and breach response. Learn how to investigate incidents and recover from cyberattacks effectively.
- GRCAlign cybersecurity with business goals through governance policies, risk assessments, and compliance audits. Explore standards like GDPR, HIPAA, and SOC 2 to bridge security and regulatory requirements.
- Risk Management
- Technology & ToolsExplore cutting-edge cybersecurity technologies, from next-gen firewalls and SIEM platforms to AI-driven threat detection tools. Discover in-depth reviews, comparisons, and implementation guides for enterprise-grade software, open-source utilities, and emerging solutions. Stay updated on zero-day defenses, penetration testing frameworks, and automation tools that empower IT teams to outpace cyber adversaries.
- Threat IntelligenceAccess actionable threat intelligence feeds, adversary behavior analysis, and Indicators of Compromise (IOCs). Transform raw data into strategic defenses against APTs, ransomware, and cyber espionage.
- Zero TrustMaster Zero Trust principles, from micro-segmentation to continuous authentication. Build resilient networks that assume breach and verify every access request.
AIAnalyze AI-driven cyberattacks, ethical hacking tools, and machine learning defenses. Stay updated on how AI reshapes cybersecurity.
BusinessStay ahead in the fast-paced IT sector with breaking news, expert analyses of mergers & acquisitions, and thought leadership on tech business trends. Explore discussions on IT market shifts, startup innovations, and corporate strategies shaping cybersecurity, cloud computing, and enterprise tech. Ideal for CIOs, investors, and IT leaders navigating the evolving digital economy.
Knowledge BaseAccess a centralized repository of cybersecurity guides, glossaries, how-tos, and FAQs. From foundational concepts to advanced tactics, empower your team with step-by-step tutorials, downloadable templates, and expert-curated resources. Ideal for professionals, students, and enthusiasts seeking actionable knowledge to combat evolving threats.
ReviewsUnbiased reviews of firewalls, antivirus software, penetration testing tools, and security platforms. Make informed decisions for your tech stack.
EventsStay updated on global events, workshops, and summits. Network with experts and gain insights into cutting-edge security innovations.

More...

Threat & Vulnerability
- CVEAccess the latest CVE (Common Vulnerabilities and Exposures) updates, severity scores, and patch advisories to fortify your systems against known risks.
- Cyber CrimeTrack global cybercrime trends, from ransomware gangs to dark web markets. Explore law enforcement strategies and tools to combat digital crime.
- Data BreachAnalyze recent data breaches, their root causes, and lessons learned. Discover best practices to secure sensitive information and comply with privacy regulations.
- Hacking AlertGet actionable alerts on active cyberattacks, exploit kits, and phishing schemes. Protect your network with timely updates on emerging hacking tactics.
- ThreatStay ahead of evolving cyber threats, including malware, phishing, ransomware, and APTs. Explore real-world attack patterns, mitigation strategies, and threat actor insights to safeguard your digital assets.
- VulnerabilityDive into critical system weaknesses, misconfigurations, and software flaws. Learn how to identify, prioritize, and remediate vulnerabilities before attackers exploit them.
- Zero DayUncover unpatched software vulnerabilities and zero-day exploits. Know mitigation techniques to defend against undisclosed threats.
Security Posture
- BlockchainExplore blockchain vulnerabilities, smart contract audits, and crypto threats. Secure decentralized systems against hacks and fraud.
- Security Best PracticesStreamline your cybersecurity governance with expertly crafted policy templates, actionable procedures, and adaptive guidelines. Learn to design NIST/ISO-aligned policies, implement incident response workflows, and adopt industry standards like CIS Benchmarks or OWASP. Ideal for IT managers, compliance officers, and auditors seeking to build robust, audit-ready security programs while balancing flexibility and regulatory rigor.
- DFIRDive into DFIR frameworks, evidence collection, and breach response. Learn how to investigate incidents and recover from cyberattacks effectively.
- GRCAlign cybersecurity with business goals through governance policies, risk assessments, and compliance audits. Explore standards like GDPR, HIPAA, and SOC 2 to bridge security and regulatory requirements.
- Risk Management
- Technology & ToolsExplore cutting-edge cybersecurity technologies, from next-gen firewalls and SIEM platforms to AI-driven threat detection tools. Discover in-depth reviews, comparisons, and implementation guides for enterprise-grade software, open-source utilities, and emerging solutions. Stay updated on zero-day defenses, penetration testing frameworks, and automation tools that empower IT teams to outpace cyber adversaries.
- Threat IntelligenceAccess actionable threat intelligence feeds, adversary behavior analysis, and Indicators of Compromise (IOCs). Transform raw data into strategic defenses against APTs, ransomware, and cyber espionage.
- Zero TrustMaster Zero Trust principles, from micro-segmentation to continuous authentication. Build resilient networks that assume breach and verify every access request.
AIAnalyze AI-driven cyberattacks, ethical hacking tools, and machine learning defenses. Stay updated on how AI reshapes cybersecurity.
BusinessStay ahead in the fast-paced IT sector with breaking news, expert analyses of mergers & acquisitions, and thought leadership on tech business trends. Explore discussions on IT market shifts, startup innovations, and corporate strategies shaping cybersecurity, cloud computing, and enterprise tech. Ideal for CIOs, investors, and IT leaders navigating the evolving digital economy.
Knowledge BaseAccess a centralized repository of cybersecurity guides, glossaries, how-tos, and FAQs. From foundational concepts to advanced tactics, empower your team with step-by-step tutorials, downloadable templates, and expert-curated resources. Ideal for professionals, students, and enthusiasts seeking actionable knowledge to combat evolving threats.
ReviewsUnbiased reviews of firewalls, antivirus software, penetration testing tools, and security platforms. Make informed decisions for your tech stack.
EventsStay updated on global events, workshops, and summits. Network with experts and gain insights into cutting-edge security innovations.

Now Reading: CVE-2025-24813 : A Critical Apache Tomcat Path Equivalence Vulnerability

01
CVE-2025-24813 : A Critical Apache Tomcat Path Equivalence Vulnerability

Threat & Vulnerability//
- CVE//Access the latest CVE (Common Vulnerabilities and Exposures) updates, severity scores, and patch advisories to fortify your systems against known risks.
- Cyber Crime//Track global cybercrime trends, from ransomware gangs to dark web markets. Explore law enforcement strategies and tools to combat digital crime.
- Data Breach//Analyze recent data breaches, their root causes, and lessons learned. Discover best practices to secure sensitive information and comply with privacy regulations.
- Hacking Alert//Get actionable alerts on active cyberattacks, exploit kits, and phishing schemes. Protect your network with timely updates on emerging hacking tactics.
- Threat//Stay ahead of evolving cyber threats, including malware, phishing, ransomware, and APTs. Explore real-world attack patterns, mitigation strategies, and threat actor insights to safeguard your digital assets.
- Vulnerability//Dive into critical system weaknesses, misconfigurations, and software flaws. Learn how to identify, prioritize, and remediate vulnerabilities before attackers exploit them.
- Zero Day//Uncover unpatched software vulnerabilities and zero-day exploits. Know mitigation techniques to defend against undisclosed threats.
Security Posture//
- Blockchain//Explore blockchain vulnerabilities, smart contract audits, and crypto threats. Secure decentralized systems against hacks and fraud.
- Security Best Practices//Streamline your cybersecurity governance with expertly crafted policy templates, actionable procedures, and adaptive guidelines. Learn to design NIST/ISO-aligned policies, implement incident response workflows, and adopt industry standards like CIS Benchmarks or OWASP. Ideal for IT managers, compliance officers, and auditors seeking to build robust, audit-ready security programs while balancing flexibility and regulatory rigor.
- DFIR//Dive into DFIR frameworks, evidence collection, and breach response. Learn how to investigate incidents and recover from cyberattacks effectively.
- GRC//Align cybersecurity with business goals through governance policies, risk assessments, and compliance audits. Explore standards like GDPR, HIPAA, and SOC 2 to bridge security and regulatory requirements.
- Risk Management//
- Technology & Tools//Explore cutting-edge cybersecurity technologies, from next-gen firewalls and SIEM platforms to AI-driven threat detection tools. Discover in-depth reviews, comparisons, and implementation guides for enterprise-grade software, open-source utilities, and emerging solutions. Stay updated on zero-day defenses, penetration testing frameworks, and automation tools that empower IT teams to outpace cyber adversaries.
- Threat Intelligence//Access actionable threat intelligence feeds, adversary behavior analysis, and Indicators of Compromise (IOCs). Transform raw data into strategic defenses against APTs, ransomware, and cyber espionage.
- Zero Trust//Master Zero Trust principles, from micro-segmentation to continuous authentication. Build resilient networks that assume breach and verify every access request.
AI//Analyze AI-driven cyberattacks, ethical hacking tools, and machine learning defenses. Stay updated on how AI reshapes cybersecurity.
Business//Stay ahead in the fast-paced IT sector with breaking news, expert analyses of mergers & acquisitions, and thought leadership on tech business trends. Explore discussions on IT market shifts, startup innovations, and corporate strategies shaping cybersecurity, cloud computing, and enterprise tech. Ideal for CIOs, investors, and IT leaders navigating the evolving digital economy.
Knowledge Base//Access a centralized repository of cybersecurity guides, glossaries, how-tos, and FAQs. From foundational concepts to advanced tactics, empower your team with step-by-step tutorials, downloadable templates, and expert-curated resources. Ideal for professionals, students, and enthusiasts seeking actionable knowledge to combat evolving threats.
Reviews//Unbiased reviews of firewalls, antivirus software, penetration testing tools, and security platforms. Make informed decisions for your tech stack.
Events//Stay updated on global events, workshops, and summits. Network with experts and gain insights into cutting-edge security innovations.

Home
Vulnerability
CVE-2025-24813 : A Critical Apache Tomcat Path Equivalence Vulnerability

CVE-2025-24813 : A Critical Apache Tomcat Path Equivalence Vulnerability

Shammi SumuVulnerability, CVEMarch 20, 20251.1K Views

On March 10, 2025, a critical vulnerability in Apache Tomcat, identified as CVE-2025-24813, was publicly disclosed. This vulnerability, known as a path equivalence issue, affects how Apache Tomcat processes file paths internally. It has the potential to lead to remote code execution (RCE), severe information leakage, or malicious content injection, making it a significant concern for administrators and developers using this popular web server and Java servlet container.

Technical Details

Configuration Requirements

CVE-2025-24813 exploitation hinges on specific Tomcat configurations. The advisory outlines two universal prerequisites for all attack vectors:

Writes Enabled for the Default Servlet: By default, the readonly property of the DefaultServlet is set to true, preventing write operations via HTTP methods like PUT. To make a system vulnerable, this must be explicitly set to false in the web.xml configuration file, as shown below:

<servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
        <param-name>readonly</param-name>
        <param-value>false</param-value>
    </init-param>
</servlet>

Support for Partial PUT: This is enabled by default in Tomcat, handled by the doPut() method in the DefaultServlet. No additional configuration is needed to satisfy this condition.

For the most severe outcome—remote code execution—an additional non-default configuration is required:

File-Based Session Persistence: The application must use Tomcat’s PersistentManager with the FileStore class for session persistence, storing session data as individual files in the default location (typically /var/lib/tomcat10/work/Catalina/<hostname>/<app>/ on Debian). This can be enabled by adding the following to the context.xml file (e.g., /etc/tomcat10/context.xml):

<manager classname="org.apache.catalina.session.PersistentManager" maxidlebackup="1" saveonrestart="true" processexpiresfrequency="1">
<br>
<store classname="org.apache.catalina.session.FileStore">
<br>
</store>
</manager>

Remote Code Execution: How It Works
For RCE, attackers exploit the overlap between the temporary file location and the session storage directory. Tomcat’s FileStore periodically parses files with a .session extension in the work directory as serialized Java objects. If an attacker can place a malicious .session file there, it will be deserialized, potentially executing arbitrary code.

However, direct overwriting of session files via executePartialPut() is thwarted because the path always begins with a /, resulting in a filename prefixed with a dot (e.g., .examples.x1.session). Attempts to bypass this restriction—using absolute paths, backslashes, encoded slashes, or Unicode tricks—proved ineffective due to Tomcat’s request normalization and security checks.

The breakthrough comes from a simpler approach: manually placing a crafted .session file in the work directory (or uploading it via a vulnerable configuration) and letting Tomcat’s session persistence mechanism handle the rest. This method doesn’t rely on the “path equivalence” aspect of the vulnerability but exploits the direct control over filenames allowed by the partial PUT logic.

A proof-of-concept (PoC) tested by Unit42 team of PaloAlto is here.

Impacts

If exploited, CVE-2025-24813 can lead to unauthenticated remote code execution, allowing attackers to execute arbitrary code on the affected server. Additionally, it can result in severe information leakage or the injection of malicious content, potentially corrupting critical server configuration files. The impact of this vulnerability is significant, as it can compromise the security and integrity of the affected systems.

Affected Versions

Affected Apache Tomcat versions:

Apache Tomcat 9.0.0.M1 to 9.0.98
Apache Tomcat 10.1.0-M1 to 10.1.34
Apache Tomcat 11.0.0-M1 to 11.0.2

This vulnerability arises from improper normalization of file paths containing internal dots, allowing attackers to access or modify sensitive files. If exploited, it could lead to severe security risks for web applications and servers.

Mitigation and Recommendations

To mitigate the Apache Tomcat Path Equivalence Vulnerability, users should upgrade to one of the following patched versions:

11.0.3 or later
10.1.35 or later
9.0.99 or later

For end-of-life (EoL) 8.5.x versions, users should migrate to a supported Apache Tomcat branch. If immediate upgrading is not feasible, implementing network-level controls to restrict access to the Tomcat server is recommended to reduce the risk of exploitation.

Malicious IP sources attempting to exploit this CVE find from Greynoise.

For updated details, follow the Apache Software Foundation’s Security Advisory.

CVE-2025-24813 is a nuanced vulnerability, blending path equivalence flaws with session persistence quirks to enable serious attacks. While its full exploitation requires specific, non-default configurations, the potential for RCE, information disclosure, or data tampering makes it a notable risk. Administrators should patch to Tomcat 10.1.35 or later, verify readonly=true, and avoid file-based persistence unless necessary.