Apache Tomcat CVE-2025-24813: How a Single PUT Request Can Compromise Your Crypto Infrastructure

A critical remote code execution vulnerability in Apache Tomcat, tracked as CVE-2025-24813, is being actively exploited in the wild just 30 hours after proof-of-concept code was publicly released. The flaw represents a severe threat to cryptocurrency exchanges, wallet services, and blockchain infrastructure providers that rely on Tomcat-based application servers. With Bitcoin trading at approximately $84,075 and the total cryptocurrency market capitalization exceeding $2.7 trillion, the potential impact of this vulnerability on crypto platforms cannot be overstated.

The Threat Landscape

The vulnerability is a path equivalence flaw in Apache Tomcat that enables remote code execution or sensitive information disclosure under specific conditions. It affects multiple Tomcat versions: 11.0.0-M1 through 11.0.2, 10.1.0-M1 through 10.1.34, and 9.0.0.M1 through 9.0.98. Wallarm researchers confirmed that attackers can hijack Apache Tomcat servers with a single PUT API request, making exploitation trivially simple once the prerequisites are met. The exploit code was originally published by a Chinese forum user operating under the handle iSee857 and quickly spread across security research communities. Since March 17, 2025, nearly 24,000 unique IP addresses attempted to exploit the vulnerability before traffic tapered off around March 26.

Core Principles

Understanding this vulnerability requires grasping how Tomcat handles partial PUT requests and session persistence. The attack exploits two Tomcat features in combination. First, Tomcat’s partial PUT implementation stores temporary files based on user-provided filenames with path separators replaced by periods. Second, Tomcat’s file-based session persistence stores serialized session objects on disk. The attack proceeds in two steps: the attacker uploads a malicious serialized Java session file containing a base64-encoded ysoserial gadget chain via a PUT request, then triggers execution by sending a GET request with a JSESSIONID cookie referencing the malicious session. Tomcat deserializes the payload and executes it, granting the attacker remote code execution on the server.

Tooling & Setup

Mitigating this vulnerability requires a multi-layered approach. First and most critically, update to a patched Tomcat release: 9.0.99, 10.1.35, or 11.0.3, all of which address the path equivalence flaw. For organizations unable to update immediately, disabling write access on the default servlet removes one of the preconditions for exploitation, and disabling file-based session persistence removes another. Web Application Firewalls provide limited protection in this case: Wallarm researchers noted that most WAFs fail to detect the attack because the PUT request looks like ordinary traffic, the payload is base64-encoded so pattern-based signatures miss it, and nothing executes until the later deserialization step. Security teams should audit Tomcat configurations to verify that write-enabled default servlets are not exposed to the internet and that file-based session persistence is enabled only where it is genuinely required, in keeping with the principle of least privilege.

Ongoing Vigilance

The speed of exploitation — just 30 hours from PoC release to mass scanning — demonstrates the critical importance of rapid patching cycles for infrastructure software. Cryptocurrency platforms running Tomcat-based services should implement automated vulnerability scanning that flags newly disclosed CVEs within hours of publication. Log analysis should focus on anomalous PUT requests to session storage paths and unexpected JSESSIONID values. Network monitoring should track outbound connections from Tomcat servers that could indicate successful exploitation and command-and-control communication. The scale of the scanning activity, with nearly 24,000 unique IPs participating, indicates that this vulnerability has been incorporated into automated exploitation toolkits used by both opportunistic attackers and more sophisticated threat actors.
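As an added detection example (not code from the article, from Wallarm, or from the Tomcat project), the script below implements the log analysis suggested above for the two-stage sequence described under "Core Principles": it parses Tomcat access-log lines, flags PUT requests whose target ends in the extension Tomcat's FileStore uses for persisted sessions, flags JSESSIONID values that do not match the format Tomcat itself generates, and correlates the two stages by name. It assumes a non-default AccessLogValve pattern that also records the Content-Range header and the JSESSIONID cookie; the sample log lines are constructed.

```python
import re
from collections import namedtuple

# Assumed AccessLogValve pattern (not Tomcat's default "common" pattern):
#   %h %t "%r" %s "%{Content-Range}i" "%{JSESSIONID}c"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) "(?P<crange>[^"]*)" "(?P<jsid>[^"]*)"$'
)
# Ids generated by Tomcat itself are 32 upper-case hex chars plus an optional
# ".jvmRoute" suffix; anything else was chosen by the client, not by Tomcat.
NORMAL_JSID = re.compile(r'^[0-9A-F]{32}(\.[\w-]+)?$')
SESSION_EXT = ".session"  # extension FileStore uses for persisted sessions
Finding = namedtuple("Finding", "severity ip ts reason")

def analyze(lines):
    """Flag session-file PUTs and client-chosen JSESSIONIDs; correlate them."""
    findings, uploaded = [], {}  # uploaded: filename stem -> source ip
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than abort the whole scan
        ip, ts, path, jsid, crange = (m[k] for k in ("ip", "ts", "path", "jsid", "crange"))
        name = path.rsplit("/", 1)[-1]
        if m["method"] == "PUT" and name.endswith(SESSION_EXT):
            # No client should write persisted-session files over HTTP at all;
            # a Content-Range header shows the partial-PUT code path was used.
            partial = crange not in ("", "-")
            uploaded[name[:-len(SESSION_EXT)].lstrip(".")] = ip
            findings.append(Finding("high" if partial else "medium", ip, ts,
                                    f"PUT of session-store filename {name!r}"
                                    + (" via partial PUT" if partial else "")))
        if jsid not in ("", "-") and not NORMAL_JSID.match(jsid):
            # A client-chosen cookie that names a file uploaded earlier is the
            # trigger request: treat it as a likely successful exploitation.
            if jsid.lstrip(".") in uploaded:
                findings.append(Finding("critical", ip, ts,
                                        f"JSESSIONID {jsid!r} refers to an uploaded file"))
            else:
                findings.append(Finding("low", ip, ts, f"malformed JSESSIONID {jsid!r}"))
    return findings

# Constructed sample log: one benign client, one client running both stages.
SAMPLE_LOG = """\
203.0.113.7 [17/Mar/2025:10:02:11 +0000] "GET /index.jsp HTTP/1.1" 200 "-" "5F2C8A1D9E3B4C7A6D8E9F0A1B2C3D4E"
203.0.113.7 [17/Mar/2025:10:02:13 +0000] "PUT /uploads/report.pdf HTTP/1.1" 201 "-" "5F2C8A1D9E3B4C7A6D8E9F0A1B2C3D4E"
198.51.100.9 [17/Mar/2025:10:05:40 +0000] "PUT /demo.session HTTP/1.1" 409 "bytes 0-1199/1200" "-"
198.51.100.9 [17/Mar/2025:10:05:42 +0000] "GET / HTTP/1.1" 500 "-" ".demo"
"""
```

Running `analyze(SAMPLE_LOG.splitlines())` yields a "high" finding for the partial PUT and a "critical" one for the follow-up request, while the benign client produces nothing.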

Final Takeaway

The Apache Tomcat CVE-2025-24813 incident illustrates a broader pattern in cryptocurrency infrastructure security: the underlying application server layer is often neglected in favor of smart contract and blockchain-level security audits. Yet a compromised application server can expose private keys, database credentials, and API tokens just as effectively as a smart contract vulnerability. In an environment where Ethereum trades at $1,927 and Solana at $128, the economic incentive for attackers to exploit server-level vulnerabilities in crypto infrastructure has never been higher. Organizations should treat infrastructure security with the same rigor they apply to on-chain security, maintaining current patch levels, implementing defense-in-depth strategies, and preparing incident response procedures that can be activated within hours of a critical vulnerability disclosure.

Disclaimer: This article is for informational purposes only and does not constitute financial or security advice. Always consult with qualified cybersecurity professionals for specific guidance.

14 thoughts on “Apache Tomcat CVE-2025-24813: How a Single PUT Request Can Compromise Your Crypto Infrastructure”

  1. iSee857 dropping PoC for a path equivalence flaw that works across tomcat 9 through 11 with a single PUT request. 30 hours to mass exploitation is brutal

  2. this is why cold storage matters. your exchange gets popped through a tomcat flaw and suddenly your keys are someone else's keys

  3. 30 hours from PoC to active exploitation. if you're running tomcat and haven't patched yet you are the target

    1. 30 hours from PoC to exploitation is actually slow by modern standards. log4j was hit within hours and that affected way more systems

  4. isee857 dropping that PoC on a chinese forum and it spreading globally in hours. this is why responsible disclosure matters

    1. isee857 probably got more outreach from security firms in 24 hours than most researchers get in a career

  5. stack_overflow_

    a single PUT request. that's all it takes. and how many crypto exchanges run tomcat on the backend? probably more than we'd like to think

    1. the real question is how many crypto infra teams even know they're running tomcat. inherited dependencies from years of shortcuts

      1. tech_debt_collector

        inherited dependencies are a nightmare. dev team leaves, new team comes in, nobody knows what's running underneath until a CVE drops

    2. most exchanges don't even know what app server their wallet service runs on. technical debt is the real vulnerability here
