Apache Tomcat CVE-2025-24813 Under Attack

Attackers are targeting a serious remote code execution vulnerability in Apache Tomcat that the Apache Software Foundation patched on March 11. The details of the vulnerability and proof-of-concept exploit code are both publicly available.

Why It Matters: The vulnerability has been public for 10 days, and under certain conditions an attacker could use it to run arbitrary code on target machines. The flaw affects Tomcat versions 11.0.0-M1 through 11.0.2. Tomcat is widely deployed and is a popular target for attackers. The good news is that the conditions under which an attacker can achieve RCE are not configured by default and are not very common. “Like other researchers, our team found that the vendor’s exploitable configuration information differs from what we observed during testing. Additionally, our team assessed the exploitable configuration to be relatively uncommon,” Caitlin Condon of Rapid7 said in an analysis of the bug.

Key Details

  • The ASF disclosed the bug on March 10 and released a fix for it

  • PoC exploit code has been available for several days

  • Researchers from GreyNoise have seen exploit attempts since March 11, and now multiple IP addresses are actively attempting to exploit the bug

  • “Within the visualizer, we first observed exploit attempts from a Latvia-based IP on March 18, followed by separate attempts on March 19 from IPs traced to Italy, the United States, and China. Notably, the Latvia-based IP showed no further activity after March 18, and the two IPs traced to Latvia and Italy are linked to a known VPN service. Today, GreyNoise observed another exploit attempt from the U.S.-based IP. Both IPs from China and the United States are not spoofable,” the company said.

  • Most of the exploit attempts are targeting systems in the U.S., with some of the remaining targets being in India, Mexico, Japan, and South Korea

Although there are active attacks against CVE-2025-24813, they are limited at this point, and the conditions necessary for the RCE exploit to work are not common. So, organizations with vulnerable versions of Tomcat should deploy the patch, but it’s not an emergency situation yet.