Search for vulnerabilities
Vulnerability details: VCID-xwgq-td7d-uydt
Vulnerability ID VCID-xwgq-td7d-uydt
Aliases CVE-2025-24813
GHSA-83qj-6fr2-vhqg
Summary tomcat: Potential RCE and/or information disclosure and/or information corruption with partial PUT
Status Published
Exploitability 2.0
Weighted Severity 9.0
Risk 10.0
Affected and Fixed Packages Package Details
Weaknesses (5)
CWE-44 Path Equivalence: 'file.name' (Internal Dot)
CWE-502 Deserialization of Untrusted Data
CWE-706 Use of Incorrectly-Resolved Name or Reference
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3 8.6 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-24813.json
epss 0.88451 https://api.first.org/data/v1/epss?cve=CVE-2025-24813
epss 0.88451 https://api.first.org/data/v1/epss?cve=CVE-2025-24813
epss 0.88451 https://api.first.org/data/v1/epss?cve=CVE-2025-24813
epss 0.92462 https://api.first.org/data/v1/epss?cve=CVE-2025-24813
epss 0.92462 https://api.first.org/data/v1/epss?cve=CVE-2025-24813
epss 0.9254 https://api.first.org/data/v1/epss?cve=CVE-2025-24813
epss 0.92958 https://api.first.org/data/v1/epss?cve=CVE-2025-24813
epss 0.92958 https://api.first.org/data/v1/epss?cve=CVE-2025-24813
epss 0.92958 https://api.first.org/data/v1/epss?cve=CVE-2025-24813
epss 0.9324 https://api.first.org/data/v1/epss?cve=CVE-2025-24813
epss 0.9324 https://api.first.org/data/v1/epss?cve=CVE-2025-24813
epss 0.9324 https://api.first.org/data/v1/epss?cve=CVE-2025-24813
epss 0.93392 https://api.first.org/data/v1/epss?cve=CVE-2025-24813
epss 0.93395 https://api.first.org/data/v1/epss?cve=CVE-2025-24813
epss 0.93444 https://api.first.org/data/v1/epss?cve=CVE-2025-24813
epss 0.93463 https://api.first.org/data/v1/epss?cve=CVE-2025-24813
epss 0.9351 https://api.first.org/data/v1/epss?cve=CVE-2025-24813
epss 0.9351 https://api.first.org/data/v1/epss?cve=CVE-2025-24813
epss 0.9351 https://api.first.org/data/v1/epss?cve=CVE-2025-24813
epss 0.93547 https://api.first.org/data/v1/epss?cve=CVE-2025-24813
epss 0.93547 https://api.first.org/data/v1/epss?cve=CVE-2025-24813
epss 0.93628 https://api.first.org/data/v1/epss?cve=CVE-2025-24813
epss 0.93628 https://api.first.org/data/v1/epss?cve=CVE-2025-24813
epss 0.93628 https://api.first.org/data/v1/epss?cve=CVE-2025-24813
epss 0.93648 https://api.first.org/data/v1/epss?cve=CVE-2025-24813
epss 0.93655 https://api.first.org/data/v1/epss?cve=CVE-2025-24813
epss 0.93672 https://api.first.org/data/v1/epss?cve=CVE-2025-24813
epss 0.93672 https://api.first.org/data/v1/epss?cve=CVE-2025-24813
epss 0.93672 https://api.first.org/data/v1/epss?cve=CVE-2025-24813
epss 0.93682 https://api.first.org/data/v1/epss?cve=CVE-2025-24813
epss 0.93682 https://api.first.org/data/v1/epss?cve=CVE-2025-24813
epss 0.93682 https://api.first.org/data/v1/epss?cve=CVE-2025-24813
epss 0.93709 https://api.first.org/data/v1/epss?cve=CVE-2025-24813
epss 0.93709 https://api.first.org/data/v1/epss?cve=CVE-2025-24813
epss 0.93709 https://api.first.org/data/v1/epss?cve=CVE-2025-24813
epss 0.93709 https://api.first.org/data/v1/epss?cve=CVE-2025-24813
epss 0.9371 https://api.first.org/data/v1/epss?cve=CVE-2025-24813
epss 0.9371 https://api.first.org/data/v1/epss?cve=CVE-2025-24813
epss 0.93871 https://api.first.org/data/v1/epss?cve=CVE-2025-24813
epss 0.93871 https://api.first.org/data/v1/epss?cve=CVE-2025-24813
apache_tomcat Important https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-24813
cvssv3.1 8.1 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1 9.8 https://github.com/absholi7ly/POC-CVE-2025-24813/blob/main/README.md
generic_textual CRITICAL https://github.com/absholi7ly/POC-CVE-2025-24813/blob/main/README.md
cvssv3.1_qr CRITICAL https://github.com/advisories/GHSA-83qj-6fr2-vhqg
cvssv3.1 9.8 https://github.com/apache/tomcat
generic_textual CRITICAL https://github.com/apache/tomcat
cvssv3.1 9.8 https://github.com/apache/tomcat/commit/0a668e0c27f2b7ca0cc7c6eea32253b9b5ecb29c
generic_textual CRITICAL https://github.com/apache/tomcat/commit/0a668e0c27f2b7ca0cc7c6eea32253b9b5ecb29c
cvssv3.1 9.8 https://github.com/apache/tomcat/commit/eb61aade8f8daccaecabf07d428b877975622f72
generic_textual CRITICAL https://github.com/apache/tomcat/commit/eb61aade8f8daccaecabf07d428b877975622f72
cvssv3.1 9.8 https://github.com/apache/tomcat/commit/f6c01d6577cf9a1e06792be47e623d36acc3b5dc
generic_textual CRITICAL https://github.com/apache/tomcat/commit/f6c01d6577cf9a1e06792be47e623d36acc3b5dc
cvssv3.1 9.8 https://lists.apache.org/thread/j5fkjv2k477os90nczf2v9l61fb0kkgq
generic_textual CRITICAL https://lists.apache.org/thread/j5fkjv2k477os90nczf2v9l61fb0kkgq
ssvc Attend https://lists.apache.org/thread/j5fkjv2k477os90nczf2v9l61fb0kkgq
ssvc Track* https://lists.apache.org/thread/j5fkjv2k477os90nczf2v9l61fb0kkgq
cvssv3.1 9.8 https://lists.debian.org/debian-lts-announce/2025/04/msg00003.html
generic_textual CRITICAL https://lists.debian.org/debian-lts-announce/2025/04/msg00003.html
cvssv3.1 9.8 https://nvd.nist.gov/vuln/detail/CVE-2025-24813
generic_textual CRITICAL https://nvd.nist.gov/vuln/detail/CVE-2025-24813
cvssv3.1 9.8 https://security.netapp.com/advisory/ntap-20250321-0001
generic_textual CRITICAL https://security.netapp.com/advisory/ntap-20250321-0001
cvssv3.1 9.8 https://www.vicarius.io/vsociety/posts/cve-2025-24813-detect-apache-tomcat-rce
generic_textual CRITICAL https://www.vicarius.io/vsociety/posts/cve-2025-24813-detect-apache-tomcat-rce
cvssv3.1 9.8 https://www.vicarius.io/vsociety/posts/cve-2025-24813-mitigate-apache-tomcat-rce
generic_textual CRITICAL https://www.vicarius.io/vsociety/posts/cve-2025-24813-mitigate-apache-tomcat-rce
cvssv3.1 9.8 http://www.openwall.com/lists/oss-security/2025/03/10/5
generic_textual CRITICAL http://www.openwall.com/lists/oss-security/2025/03/10/5
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-24813.json
https://api.first.org/data/v1/epss?cve=CVE-2025-24813
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-24813
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/absholi7ly/POC-CVE-2025-24813/blob/main/README.md
https://github.com/apache/tomcat
https://github.com/apache/tomcat/commit/0a668e0c27f2b7ca0cc7c6eea32253b9b5ecb29c
https://github.com/apache/tomcat/commit/eb61aade8f8daccaecabf07d428b877975622f72
https://github.com/apache/tomcat/commit/f6c01d6577cf9a1e06792be47e623d36acc3b5dc
https://lists.debian.org/debian-lts-announce/2025/04/msg00003.html
https://security.netapp.com/advisory/ntap-20250321-0001
https://security.netapp.com/advisory/ntap-20250321-0001/
http://www.openwall.com/lists/oss-security/2025/03/10/5
2351129 https://bugzilla.redhat.com/show_bug.cgi?id=2351129
cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.1.0:milestone1:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:10.1.0:milestone1:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.1.0:milestone10:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:10.1.0:milestone10:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.1.0:milestone11:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:10.1.0:milestone11:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.1.0:milestone12:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:10.1.0:milestone12:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.1.0:milestone13:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:10.1.0:milestone13:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.1.0:milestone14:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:10.1.0:milestone14:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.1.0:milestone15:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:10.1.0:milestone15:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.1.0:milestone16:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:10.1.0:milestone16:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.1.0:milestone17:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:10.1.0:milestone17:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.1.0:milestone18:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:10.1.0:milestone18:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.1.0:milestone19:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:10.1.0:milestone19:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.1.0:milestone2:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:10.1.0:milestone2:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.1.0:milestone20:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:10.1.0:milestone20:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.1.0:milestone3:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:10.1.0:milestone3:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.1.0:milestone4:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:10.1.0:milestone4:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.1.0:milestone5:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:10.1.0:milestone5:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.1.0:milestone6:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:10.1.0:milestone6:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.1.0:milestone7:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:10.1.0:milestone7:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.1.0:milestone8:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:10.1.0:milestone8:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.1.0:milestone9:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:10.1.0:milestone9:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:11.0.0:milestone1:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:11.0.0:milestone1:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:11.0.0:milestone10:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:11.0.0:milestone10:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:11.0.0:milestone11:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:11.0.0:milestone11:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:11.0.0:milestone12:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:11.0.0:milestone12:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:11.0.0:milestone13:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:11.0.0:milestone13:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:11.0.0:milestone14:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:11.0.0:milestone14:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:11.0.0:milestone15:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:11.0.0:milestone15:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:11.0.0:milestone16:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:11.0.0:milestone16:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:11.0.0:milestone17:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:11.0.0:milestone17:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:11.0.0:milestone18:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:11.0.0:milestone18:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:11.0.0:milestone19:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:11.0.0:milestone19:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:11.0.0:milestone2:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:11.0.0:milestone2:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:11.0.0:milestone20:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:11.0.0:milestone20:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:11.0.0:milestone21:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:11.0.0:milestone21:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:11.0.0:milestone22:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:11.0.0:milestone22:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:11.0.0:milestone23:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:11.0.0:milestone23:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:11.0.0:milestone24:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:11.0.0:milestone24:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:11.0.0:milestone25:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:11.0.0:milestone25:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:11.0.0:milestone3:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:11.0.0:milestone3:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:11.0.0:milestone4:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:11.0.0:milestone4:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:11.0.0:milestone5:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:11.0.0:milestone5:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:11.0.0:milestone6:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:11.0.0:milestone6:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:11.0.0:milestone7:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:11.0.0:milestone7:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:11.0.0:milestone8:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:11.0.0:milestone8:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:11.0.0:milestone9:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:11.0.0:milestone9:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone1:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:9.0.0:milestone1:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone10:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:9.0.0:milestone10:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone11:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:9.0.0:milestone11:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone12:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:9.0.0:milestone12:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone13:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:9.0.0:milestone13:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone14:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:9.0.0:milestone14:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone15:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:9.0.0:milestone15:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone16:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:9.0.0:milestone16:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone17:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:9.0.0:milestone17:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone18:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:9.0.0:milestone18:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone19:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:9.0.0:milestone19:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone2:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:9.0.0:milestone2:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone20:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:9.0.0:milestone20:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone21:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:9.0.0:milestone21:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone22:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:9.0.0:milestone22:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone23:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:9.0.0:milestone23:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone24:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:9.0.0:milestone24:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone25:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:9.0.0:milestone25:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone26:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:9.0.0:milestone26:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone27:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:9.0.0:milestone27:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone3:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:9.0.0:milestone3:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone4:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:9.0.0:milestone4:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone5:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:9.0.0:milestone5:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone6:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:9.0.0:milestone6:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone7:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:9.0.0:milestone7:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone8:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:9.0.0:milestone8:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone9:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:9.0.0:milestone9:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
CVE-2025-24813 Exploit https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52134.txt
CVE-2025-24813 https://nvd.nist.gov/vuln/detail/CVE-2025-24813
CVE-2025-24813-DETECT-APACHE-TOMCAT-RCE https://www.vicarius.io/vsociety/posts/cve-2025-24813-detect-apache-tomcat-rce
CVE-2025-24813-MITIGATE-APACHE-TOMCAT-RCE https://www.vicarius.io/vsociety/posts/cve-2025-24813-mitigate-apache-tomcat-rce
GHSA-83qj-6fr2-vhqg https://github.com/advisories/GHSA-83qj-6fr2-vhqg
j5fkjv2k477os90nczf2v9l61fb0kkgq https://lists.apache.org/thread/j5fkjv2k477os90nczf2v9l61fb0kkgq
RHSA-2025:3454 https://access.redhat.com/errata/RHSA-2025:3454
RHSA-2025:3455 https://access.redhat.com/errata/RHSA-2025:3455
RHSA-2025:3608 https://access.redhat.com/errata/RHSA-2025:3608
RHSA-2025:3609 https://access.redhat.com/errata/RHSA-2025:3609
RHSA-2025:3645 https://access.redhat.com/errata/RHSA-2025:3645
RHSA-2025:3646 https://access.redhat.com/errata/RHSA-2025:3646
RHSA-2025:3647 https://access.redhat.com/errata/RHSA-2025:3647
RHSA-2025:3683 https://access.redhat.com/errata/RHSA-2025:3683
RHSA-2025:3684 https://access.redhat.com/errata/RHSA-2025:3684
RHSA-2025:7494 https://access.redhat.com/errata/RHSA-2025:7494
RHSA-2025:7497 https://access.redhat.com/errata/RHSA-2025:7497
USN-7525-1 https://usn.ubuntu.com/7525-1/
USN-7525-2 https://usn.ubuntu.com/7525-2/
Data source Exploit-DB
Date added April 7, 2025
Description Apache Tomcat 11.0.3 - Remote Code Execution
Ransomware campaign use Unknown
Source publication date April 7, 2025
Exploit type webapps
Platform multiple
Source update date April 7, 2025
Data source KEV
Date added April 1, 2025
Description Apache Tomcat contains a path equivalence vulnerability that allows a remote attacker to execute code, disclose information, or inject malicious content via a partial PUT request.
Required action Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Due date April 22, 2025
Note 
This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. Please check with specific vendors for information on patching status. For more information, please see: https://lists.apache.org/thread/j5fkjv2k477os90nczf2v9l61fb0kkgq ; https://nvd.nist.gov/vuln/detail/CVE-2025-24813
Ransomware campaign use Unknown
Data source Metasploit
Description This module exploits a Java deserialization vulnerability in Apache Tomcat's session restoration functionality that can be exploited with a partial HTTP PUT request to place an attacker controlled deserialization payload in the <tomcat_root_dir>/webapps/ROOT/ directory. For the exploit to succeed, writes must be enabled for the default servlet, and org.apache.catalina.session.PersistentManager must be configured to use org.apache.catalina.session.FileStore. Verified working on 10.1.16-1
Note 
Stability:
  - crash-safe
Reliability:
  - repeatable-session
SideEffects:
  - ioc-in-logs
  - artifacts-on-disk
Ransomware campaign use Unknown
Source publication date March 10, 2025
Platform Linux,Unix,Windows
Source URL https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/multi/http/tomcat_partial_put_deserialization.rb
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-24813.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/absholi7ly/POC-CVE-2025-24813/blob/main/README.md
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/apache/tomcat
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/apache/tomcat/commit/0a668e0c27f2b7ca0cc7c6eea32253b9b5ecb29c
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/apache/tomcat/commit/eb61aade8f8daccaecabf07d428b877975622f72
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/apache/tomcat/commit/f6c01d6577cf9a1e06792be47e623d36acc3b5dc
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://lists.apache.org/thread/j5fkjv2k477os90nczf2v9l61fb0kkgq
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-04-01T18:42:06Z/ Found at https://lists.apache.org/thread/j5fkjv2k477os90nczf2v9l61fb0kkgq
Vector: SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-03-17T15:28:23Z/ Found at https://lists.apache.org/thread/j5fkjv2k477os90nczf2v9l61fb0kkgq
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://lists.debian.org/debian-lts-announce/2025/04/msg00003.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2025-24813
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://security.netapp.com/advisory/ntap-20250321-0001
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://www.vicarius.io/vsociety/posts/cve-2025-24813-detect-apache-tomcat-rce
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://www.vicarius.io/vsociety/posts/cve-2025-24813-mitigate-apache-tomcat-rce
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at http://www.openwall.com/lists/oss-security/2025/03/10/5
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.99472
EPSS Score 0.88451
Published At March 28, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-03-28T05:41:56.860284+00:00 RedHat Importer Import https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-24813.json 36.0.0