Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-5sgv-7nsz-5fa8
Vulnerability ID VCID-5sgv-7nsz-5fa8
Aliases CVE-2025-24813
GHSA-83qj-6fr2-vhqg
Summary
Status Published
Exploitability 2.0
Weighted Severity 9.0
Risk 10.0
Affected and Fixed Packages Package Details
Weaknesses (5)
CWE-44 Path Equivalence: 'file.name' (Internal Dot)
CWE-502 Deserialization of Untrusted Data
CWE-41 Improper Resolution of Path Equivalence
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3 8.6 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-24813.json
epss 0.94165 https://api.first.org/data/v1/epss?cve=CVE-2025-24813
epss 0.94165 https://api.first.org/data/v1/epss?cve=CVE-2025-24813
epss 0.94165 https://api.first.org/data/v1/epss?cve=CVE-2025-24813
apache_tomcat Important https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-24813
cvssv3.1 8.1 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1 9.8 https://github.com/absholi7ly/POC-CVE-2025-24813/blob/main/README.md
cvssv4 9.2 https://github.com/absholi7ly/POC-CVE-2025-24813/blob/main/README.md
generic_textual CRITICAL https://github.com/absholi7ly/POC-CVE-2025-24813/blob/main/README.md
cvssv3.1_qr CRITICAL https://github.com/advisories/GHSA-83qj-6fr2-vhqg
cvssv3.1 9.8 https://github.com/apache/tomcat
cvssv4 9.2 https://github.com/apache/tomcat
generic_textual CRITICAL https://github.com/apache/tomcat
cvssv3.1 9.8 https://github.com/apache/tomcat/commit/0a668e0c27f2b7ca0cc7c6eea32253b9b5ecb29c
cvssv4 9.2 https://github.com/apache/tomcat/commit/0a668e0c27f2b7ca0cc7c6eea32253b9b5ecb29c
generic_textual CRITICAL https://github.com/apache/tomcat/commit/0a668e0c27f2b7ca0cc7c6eea32253b9b5ecb29c
cvssv3.1 9.8 https://github.com/apache/tomcat/commit/eb61aade8f8daccaecabf07d428b877975622f72
cvssv4 9.2 https://github.com/apache/tomcat/commit/eb61aade8f8daccaecabf07d428b877975622f72
generic_textual CRITICAL https://github.com/apache/tomcat/commit/eb61aade8f8daccaecabf07d428b877975622f72
cvssv3.1 9.8 https://github.com/apache/tomcat/commit/f6c01d6577cf9a1e06792be47e623d36acc3b5dc
cvssv4 9.2 https://github.com/apache/tomcat/commit/f6c01d6577cf9a1e06792be47e623d36acc3b5dc
generic_textual CRITICAL https://github.com/apache/tomcat/commit/f6c01d6577cf9a1e06792be47e623d36acc3b5dc
cvssv3.1 10 https://lists.apache.org/thread/j5fkjv2k477os90nczf2v9l61fb0kkgq
cvssv3.1 9.8 https://lists.apache.org/thread/j5fkjv2k477os90nczf2v9l61fb0kkgq
cvssv4 9.2 https://lists.apache.org/thread/j5fkjv2k477os90nczf2v9l61fb0kkgq
generic_textual CRITICAL https://lists.apache.org/thread/j5fkjv2k477os90nczf2v9l61fb0kkgq
ssvc Attend https://lists.apache.org/thread/j5fkjv2k477os90nczf2v9l61fb0kkgq
cvssv3.1 9.8 https://lists.debian.org/debian-lts-announce/2025/04/msg00003.html
cvssv4 9.2 https://lists.debian.org/debian-lts-announce/2025/04/msg00003.html
generic_textual CRITICAL https://lists.debian.org/debian-lts-announce/2025/04/msg00003.html
cvssv3.1 9.8 https://nvd.nist.gov/vuln/detail/CVE-2025-24813
cvssv4 9.2 https://nvd.nist.gov/vuln/detail/CVE-2025-24813
generic_textual CRITICAL https://nvd.nist.gov/vuln/detail/CVE-2025-24813
cvssv3.1 9.8 https://security.netapp.com/advisory/ntap-20250321-0001
cvssv4 9.2 https://security.netapp.com/advisory/ntap-20250321-0001
generic_textual CRITICAL https://security.netapp.com/advisory/ntap-20250321-0001
cvssv3.1 9.8 https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-24813
cvssv4 9.2 https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-24813
generic_textual CRITICAL https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-24813
cvssv3.1 9.8 https://www.vicarius.io/vsociety/posts/cve-2025-24813-detect-apache-tomcat-rce
cvssv4 9.2 https://www.vicarius.io/vsociety/posts/cve-2025-24813-detect-apache-tomcat-rce
generic_textual CRITICAL https://www.vicarius.io/vsociety/posts/cve-2025-24813-detect-apache-tomcat-rce
cvssv3.1 9.8 https://www.vicarius.io/vsociety/posts/cve-2025-24813-mitigate-apache-tomcat-rce
cvssv4 9.2 https://www.vicarius.io/vsociety/posts/cve-2025-24813-mitigate-apache-tomcat-rce
generic_textual CRITICAL https://www.vicarius.io/vsociety/posts/cve-2025-24813-mitigate-apache-tomcat-rce
cvssv3.1 9.8 https://www.vicarius.io/vsociety/posts/cve-2025-24813-tomcat-detect-vulnerability
cvssv4 9.2 https://www.vicarius.io/vsociety/posts/cve-2025-24813-tomcat-detect-vulnerability
generic_textual CRITICAL https://www.vicarius.io/vsociety/posts/cve-2025-24813-tomcat-detect-vulnerability
cvssv3.1 9.8 https://www.vicarius.io/vsociety/posts/cve-2025-24813-tomcat-mitigation-vulnerability
cvssv4 9.2 https://www.vicarius.io/vsociety/posts/cve-2025-24813-tomcat-mitigation-vulnerability
generic_textual CRITICAL https://www.vicarius.io/vsociety/posts/cve-2025-24813-tomcat-mitigation-vulnerability
cvssv3.1 9.8 http://www.openwall.com/lists/oss-security/2025/03/10/5
cvssv4 9.2 http://www.openwall.com/lists/oss-security/2025/03/10/5
generic_textual CRITICAL http://www.openwall.com/lists/oss-security/2025/03/10/5
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-24813.json
https://api.first.org/data/v1/epss?cve=CVE-2025-24813
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/absholi7ly/POC-CVE-2025-24813/blob/main/README.md
https://github.com/apache/tomcat
https://github.com/apache/tomcat/commit/0a668e0c27f2b7ca0cc7c6eea32253b9b5ecb29c
https://github.com/apache/tomcat/commit/eb61aade8f8daccaecabf07d428b877975622f72
https://github.com/apache/tomcat/commit/f6c01d6577cf9a1e06792be47e623d36acc3b5dc
https://lists.apache.org/thread/j5fkjv2k477os90nczf2v9l61fb0kkgq
https://lists.debian.org/debian-lts-announce/2025/04/msg00003.html
https://nvd.nist.gov/vuln/detail/CVE-2025-24813
https://security.netapp.com/advisory/ntap-20250321-0001
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-24813
https://www.vicarius.io/vsociety/posts/cve-2025-24813-detect-apache-tomcat-rce
https://www.vicarius.io/vsociety/posts/cve-2025-24813-mitigate-apache-tomcat-rce
https://www.vicarius.io/vsociety/posts/cve-2025-24813-tomcat-detect-vulnerability
https://www.vicarius.io/vsociety/posts/cve-2025-24813-tomcat-mitigation-vulnerability
http://www.openwall.com/lists/oss-security/2025/03/10/5
2351129 https://bugzilla.redhat.com/show_bug.cgi?id=2351129
CVE-2025-24813 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-24813
CVE-2025-24813 Exploit https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52134.txt
GHSA-83qj-6fr2-vhqg https://github.com/advisories/GHSA-83qj-6fr2-vhqg
RHSA-2025:3454 https://access.redhat.com/errata/RHSA-2025:3454
RHSA-2025:3455 https://access.redhat.com/errata/RHSA-2025:3455
RHSA-2025:3608 https://access.redhat.com/errata/RHSA-2025:3608
RHSA-2025:3609 https://access.redhat.com/errata/RHSA-2025:3609
RHSA-2025:3645 https://access.redhat.com/errata/RHSA-2025:3645
RHSA-2025:3646 https://access.redhat.com/errata/RHSA-2025:3646
RHSA-2025:3647 https://access.redhat.com/errata/RHSA-2025:3647
RHSA-2025:3683 https://access.redhat.com/errata/RHSA-2025:3683
RHSA-2025:3684 https://access.redhat.com/errata/RHSA-2025:3684
RHSA-2025:7494 https://access.redhat.com/errata/RHSA-2025:7494
RHSA-2025:7497 https://access.redhat.com/errata/RHSA-2025:7497
USN-7525-1 https://usn.ubuntu.com/7525-1/
USN-7525-2 https://usn.ubuntu.com/7525-2/
Data source Exploit-DB
Date added April 7, 2025
Description Apache Tomcat 11.0.3 - Remote Code Execution
Ransomware campaign use Unknown
Source publication date April 7, 2025
Exploit type webapps
Platform multiple
Source update date April 7, 2025
Data source Metasploit
Description This module exploits a Java deserialization vulnerability in Apache Tomcat's session restoration functionality that can be exploited with a partial HTTP PUT request to place an attacker controlled deserialization payload in the <tomcat_root_dir>/webapps/ROOT/ directory. For the exploit to succeed, writes must be enabled for the default servlet, and org.apache.catalina.session.PersistentManager must be configured to use org.apache.catalina.session.FileStore. Verified working on 10.1.16-1
Note 
Stability:
  - crash-safe
Reliability:
  - repeatable-session
SideEffects:
  - ioc-in-logs
  - artifacts-on-disk
Ransomware campaign use Unknown
Source publication date March 10, 2025
Platform Linux,Unix,Windows
Source URL https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/multi/http/tomcat_partial_put_deserialization.rb
Data source KEV
Date added April 1, 2025
Description Apache Tomcat contains a path equivalence vulnerability that allows a remote attacker to execute code, disclose information, or inject malicious content via a partial PUT request.
Required action Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Due date April 22, 2025
Note 
This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. Please check with specific vendors for information on patching status. For more information, please see: https://lists.apache.org/thread/j5fkjv2k477os90nczf2v9l61fb0kkgq ; https://nvd.nist.gov/vuln/detail/CVE-2025-24813
Ransomware campaign use Unknown
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-24813.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H Found at https://github.com/absholi7ly/POC-CVE-2025-24813/blob/main/README.md
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A Found at https://github.com/absholi7ly/POC-CVE-2025-24813/blob/main/README.md
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H Found at https://github.com/apache/tomcat
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A Found at https://github.com/apache/tomcat
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H Found at https://github.com/apache/tomcat/commit/0a668e0c27f2b7ca0cc7c6eea32253b9b5ecb29c
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A Found at https://github.com/apache/tomcat/commit/0a668e0c27f2b7ca0cc7c6eea32253b9b5ecb29c
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H Found at https://github.com/apache/tomcat/commit/eb61aade8f8daccaecabf07d428b877975622f72
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A Found at https://github.com/apache/tomcat/commit/eb61aade8f8daccaecabf07d428b877975622f72
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H Found at https://github.com/apache/tomcat/commit/f6c01d6577cf9a1e06792be47e623d36acc3b5dc
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A Found at https://github.com/apache/tomcat/commit/f6c01d6577cf9a1e06792be47e623d36acc3b5dc
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H Found at https://lists.apache.org/thread/j5fkjv2k477os90nczf2v9l61fb0kkgq
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H Found at https://lists.apache.org/thread/j5fkjv2k477os90nczf2v9l61fb0kkgq
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A Found at https://lists.apache.org/thread/j5fkjv2k477os90nczf2v9l61fb0kkgq
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-04-01T19:37:06Z/ Found at https://lists.apache.org/thread/j5fkjv2k477os90nczf2v9l61fb0kkgq
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H Found at https://lists.debian.org/debian-lts-announce/2025/04/msg00003.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A Found at https://lists.debian.org/debian-lts-announce/2025/04/msg00003.html
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H Found at https://nvd.nist.gov/vuln/detail/CVE-2025-24813
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A Found at https://nvd.nist.gov/vuln/detail/CVE-2025-24813
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H Found at https://security.netapp.com/advisory/ntap-20250321-0001
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A Found at https://security.netapp.com/advisory/ntap-20250321-0001
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H Found at https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-24813
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A Found at https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-24813
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H Found at https://www.vicarius.io/vsociety/posts/cve-2025-24813-detect-apache-tomcat-rce
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A Found at https://www.vicarius.io/vsociety/posts/cve-2025-24813-detect-apache-tomcat-rce
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H Found at https://www.vicarius.io/vsociety/posts/cve-2025-24813-mitigate-apache-tomcat-rce
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A Found at https://www.vicarius.io/vsociety/posts/cve-2025-24813-mitigate-apache-tomcat-rce
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H Found at https://www.vicarius.io/vsociety/posts/cve-2025-24813-tomcat-detect-vulnerability
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A Found at https://www.vicarius.io/vsociety/posts/cve-2025-24813-tomcat-detect-vulnerability
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H Found at https://www.vicarius.io/vsociety/posts/cve-2025-24813-tomcat-mitigation-vulnerability
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A Found at https://www.vicarius.io/vsociety/posts/cve-2025-24813-tomcat-mitigation-vulnerability
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H Found at http://www.openwall.com/lists/oss-security/2025/03/10/5
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A Found at http://www.openwall.com/lists/oss-security/2025/03/10/5
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.99916
EPSS Score 0.94165
Published At April 4, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:38:04.025743+00:00 Apache Tomcat Importer Import https://tomcat.apache.org/security-11.html 38.0.0