Imperva Protects Against Apache Tomcat Deserialization Vulnerability

Overview 

A newly disclosed vulnerability, CVE-2025-24813, affecting Apache Tomcat, has been identified as a high-risk path equivalence vulnerability that allows attackers to manipulate filenames with internal dots (.) under specific conditions, leading to unauthorized file access, modification, and potential remote code execution (RCE). The flaw is particularly dangerous when combined with partial PUT request support and default servlet write permissions, as it can allow attackers to overwrite or inject content into sensitive files. 

If successfully exploited, CVE-2025-24813 could allow: 

  • Unauthorized file modification: Attackers could overwrite critical application files, logs, or configuration settings. 
  • Information Disclosure: Sensitive files could be exposed, leading to data leaks. 
  • Remote Code Execution (RCE): Could be possible if an attacker can modify a security-sensitive file in a way that enables execution of arbitrary code. 

Imperva customers are protected against CVE-2025-24813. 

Technical Details 

Apache Tomcat is a widely used open-source Java-based web server and servlet container that supports JavaServer Pages (JSP) and other Java-based applications. CVE-2025-24813 arises from improper handling of path equivalence in Apache Tomcat, particularly when processing filenames containing internal dots (.). Under certain conditions—such as default servlet write permissions enabled and partial PUT requests supported—an attacker could modify sensitive files, leading to information disclosure, unauthorized modification, or even remote code execution, although writes are disabled for the default servlet by default, making this scenario less common. Tomcat is widely used in enterprise applications, cloud environments, and SaaS platforms, so this vulnerability poses a threat to organizations running vulnerable instances with all of the conditions enabled. 

The following Apache Tomcat versions are confirmed to be affected: 

  • Tomcat 9.0.0.M1 to 9.0.98 
  • Tomcat 10.1.0-M1 to 10.1.34 
  • Tomcat 11.0.0-M1 to 11.0.2 
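The three ranges above mix milestone builds (9.0.0.M1, 10.1.0-M1) with GA builds, so a plain string comparison misorders them. The following is an added example, not Imperva's or the Apache Tomcat project's code, that encodes the page's ranges and sorts milestones before the GA release of the same number; the inventory list at the bottom is constructed, and a result of "outside listed ranges" says only that a version is not in the ranges printed above, not that it is safe.

```python
import re
from typing import List, Tuple

# Affected ranges exactly as listed in the advisory above; both ends inclusive.
AFFECTED_RANGES: List[Tuple[str, str]] = [
    ("9.0.0.M1", "9.0.98"),
    ("10.1.0-M1", "10.1.34"),
    ("11.0.0-M1", "11.0.2"),
]

# Accepts "9.0.98", "9.0.0.M1" and "10.1.0-M1": the 9.0 line wrote milestones
# with a dot, later lines with a dash.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Turn a Tomcat version string into a tuple that sorts correctly.

    Milestones precede the GA release of the same number
    (10.1.0-M1 < 10.1.0-M2 < 10.1.0), so the fourth element is 0 for a
    milestone and 1 for a GA build, and the fifth is the milestone number.
    """
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised Tomcat version string: {text!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def is_affected(version: str) -> bool:
    """True if the version lies inside one of the listed ranges.

    False only means the version is outside the ranges the advisory lists;
    it makes no claim about branches the advisory does not mention.
    """
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES)


def triage(versions: List[str]) -> List[Tuple[str, str]]:
    """Label each inventoried version so the result can feed a patch queue."""
    report = []
    for ver in versions:
        try:
            status = "AFFECTED - upgrade" if is_affected(ver) else "outside listed ranges"
        except ValueError as exc:
            status = f"could not parse ({exc})"
        report.append((ver, status))
    return report


if __name__ == "__main__":
    # Constructed inventory; real values would come from bin/version.sh or a CMDB.
    sample = ["9.0.98", "9.0.99", "10.1.0-M1", "10.1.35", "11.0.2", "11.0.3", "9.0.x"]
    for ver, status in triage(sample):
        print(f"{ver:<12} {status}")
```

Unparseable strings are reported rather than silently skipped, so an inventory entry that does not look like a Tomcat version still shows up for manual review.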

Apache has released patches addressing this vulnerability in the latest versions. Organizations using older, unsupported versions of Tomcat should prioritize upgrades to patched releases, or apply mitigations where upgrading is not possible. 
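Where an upgrade has to wait, the condition the page calls "default servlet write permissions" is worth auditing directly. The following is an added example, not Imperva's or the Tomcat project's code: it parses a web.xml, locates the DefaultServlet declaration and reports if writes are enabled. It relies on the real DefaultServlet init-param `readonly` (shipped default `true`), which the page itself does not name; the weak and hardened XML excerpts are constructed for the example.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

DEFAULT_SERVLET_CLASS = "org.apache.catalina.servlets.DefaultServlet"

# Constructed excerpt of a conf/web.xml in which an operator has turned writes
# on for the default servlet. 'readonly' is a real DefaultServlet init-param
# whose shipped default is true.
WEAK_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>debug</param-name>
      <param-value>0</param-value>
    </init-param>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""

# The same file with writes back at the shipped default (readonly=true).
HARDENED_WEB_XML = WEAK_WEB_XML.replace(
    "<param-name>readonly</param-name>\n      <param-value>false</param-value>",
    "<param-name>readonly</param-name>\n      <param-value>true</param-value>",
)


def _local(tag: str) -> str:
    """Strip the XML namespace so the parser works for any web-app schema version."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_params(xml_text: str) -> Optional[Dict[str, str]]:
    """Return the init-params of the DefaultServlet declaration, or None if absent."""
    root = ET.fromstring(xml_text)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        servlet_class = ""
        params: Dict[str, str] = {}
        for child in servlet:
            name = _local(child.tag)
            if name == "servlet-class":
                servlet_class = (child.text or "").strip()
            elif name == "init-param":
                pname = pvalue = None
                for sub in child:
                    if _local(sub.tag) == "param-name":
                        pname = (sub.text or "").strip()
                    elif _local(sub.tag) == "param-value":
                        pvalue = (sub.text or "").strip()
                if pname:
                    params[pname] = pvalue or ""
        if servlet_class == DEFAULT_SERVLET_CLASS:
            return params
    return None


def audit_default_servlet(xml_text: str) -> List[str]:
    """Findings for the write-enabled condition the advisory describes."""
    params = default_servlet_params(xml_text)
    if params is None:
        return []  # no explicit declaration: Tomcat's shipped defaults apply
    findings = []
    readonly = params.get("readonly", "true").lower()
    if readonly != "true":
        findings.append(
            f"DefaultServlet readonly={readonly}: PUT and DELETE are accepted; "
            "set readonly to true unless the deployment genuinely needs HTTP uploads"
        )
    return findings


if __name__ == "__main__":
    for label, xml_text in (("weak", WEAK_WEB_XML), ("hardened", HARDENED_WEB_XML)):
        print(label, audit_default_servlet(xml_text) or ["no findings"])
```

Run it against both the global conf/web.xml and each application's WEB-INF/web.xml, since an application can redeclare the default servlet with its own parameters.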

Attack Data 

Imperva protects against CVE-2025-24813. Since its release, we’ve seen over 26,000 distinct attack attempts targeting sites all across the globe. Attack data shows that 97% of analyzed IPs involved in exploitation attempts are classified as high-risk, stressing the importance of threat intelligence in preventative security. 

The United States is by far the most frequently targeted country, at 66%, although we’ve seen attacks on almost every continent.


Attackers primarily target financial and business sites, which is common, as these industries handle large volumes of sensitive data, financial transactions, and valuable credentials, making them lucrative targets for fraud and data theft.  


Conclusion 

CVE-2025-24813 poses a risk to organizations running vulnerable Apache Tomcat instances, particularly those relying on session persistence mechanisms. By applying patches, implementing proper configurations, and utilizing security solutions like Imperva Web Application Firewall (WAF), which protects against CVE-2025-24813, businesses can effectively mitigate the risks associated with this vulnerability.

Imperva Cloud WAF customers are protected against this vulnerability out-of-the-box. A mitigation for on-premises WAF Gateway customers is available in ADC content. 

For organizations seeking enhanced protection against web application threats, Imperva’s security solutions offer robust defense mechanisms tailored to modern cyber threats. 
