
Tomcat CVE-2025-24813: What You Need to Know


Transcript Summary

Jon Williams, a security researcher at Bishop Fox, explains CVE-2025-24813, a remote code execution (RCE) vulnerability chain affecting Apache Tomcat. Despite widespread concern, most users are likely not affected. Exploitation is a two-step chain that depends on specific, non-default configuration: the first step (writing a file) requires the default servlet to permit writes and to accept partial PUT requests; the second step (deserialization-based RCE) requires file-based session storage at its default location and a vulnerable Java library available to deserialize.

Key Points

  • Patches are available – update Tomcat immediately.
  • Most Tomcat instances are not vulnerable unless specific settings are misconfigured.
  • Reports of active exploitation may be exaggerated.
  • Exploitation requires rare configuration combinations.
  • No confirmed widespread exploitation yet.

Stay calm, patch your systems, and review configurations, but there's no need for panic.
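To turn the preconditions above into a configuration review, here is an added example (not Bishop Fox's or the Tomcat project's code) that parses Tomcat's conf/web.xml and context.xml and reports which of the non-default settings are present. The parameter names it looks for (readonly, allowPartialPut, PersistentManager, FileStore, directory) come from Tomcat's configuration reference rather than from the video, and the sample XML is constructed for the demo.

```python
# Added example (not Bishop Fox's code): parse Tomcat's conf/web.xml and context.xml and report which
# configuration preconditions from the summary above are present. Parameter names (readonly,
# allowPartialPut, PersistentManager, FileStore, directory) are Tomcat's own; sample XML is constructed.
import xml.etree.ElementTree as ET

def _local(tag):
    """Strip the XML namespace so web.xml parses under either the Jakarta or Java EE schema."""
    return tag.rsplit("}", 1)[-1]

def default_servlet_params(web_xml):
    """Return {param-name: param-value} for the servlet registered under the name 'default'."""
    for servlet in ET.fromstring(web_xml).iter():
        if _local(servlet.tag) != "servlet":
            continue
        if {_local(c.tag): (c.text or "").strip() for c in servlet}.get("servlet-name") != "default":
            continue
        kvs = [{_local(c.tag): (c.text or "").strip() for c in ip} for ip in servlet if _local(ip.tag) == "init-param"]
        return {kv.get("param-name"): kv.get("param-value") for kv in kvs}
    return {}

def file_store_uses_default_dir(context_xml):
    """True when sessions persist via FileStore with no explicit 'directory' attribute."""
    for mgr in ET.fromstring(context_xml).iter("Manager"):
        if mgr.get("className", "").endswith("PersistentManager"):
            for store in mgr.findall("Store"):
                if store.get("className", "").endswith("FileStore") and store.get("directory") is None:
                    return True
    return False

def audit(web_xml, context_xml):
    """Evaluate the three XML-visible preconditions; the chain needs all of them plus a gadget library."""
    params = default_servlet_params(web_xml)
    findings = {
        "default_servlet_writable": params.get("readonly", "true").lower() == "false",   # default: true
        "partial_put_allowed": params.get("allowPartialPut", "true").lower() != "false",  # default: true
        "file_session_store_default_dir": file_store_uses_default_dir(context_xml),
    }
    # The fourth precondition, a deserialization gadget library on the classpath, is not visible
    # in these files and has to be checked against CATALINA_HOME/lib and WEB-INF/lib separately.
    findings["config_preconditions_met"] = all(findings.values())
    return findings

# Constructed samples: a misconfigured web.xml/context.xml pair, and a context.xml with a pinned store directory.
WEAK_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee"><servlet>
  <servlet-name>default</servlet-name>
  <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
  <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
</servlet></web-app>"""
WEAK_CONTEXT_XML = """<Context><Manager className="org.apache.catalina.session.PersistentManager">
  <Store className="org.apache.catalina.session.FileStore"/></Manager></Context>"""
PINNED_CONTEXT_XML = WEAK_CONTEXT_XML.replace('FileStore"', 'FileStore" directory="/var/lib/tomcat/sessions"')
```

Run `audit()` against your own conf/web.xml and the relevant context.xml; a `readonly` of `true` (the default) or a FileStore with an explicit `directory` already breaks the chain, and the patched Tomcat release should be applied regardless.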




About the author, Jon Williams

Senior Security Engineer

As a researcher for the Bishop Fox Capability Development team, Jon spends his time hunting for vulnerabilities and writing exploits for software on our customers' attack surface. He previously served as an organizer for BSides Connecticut for four years and most recently completed the Corelan Advanced Windows Exploit Development course. Jon has presented talks and written articles about his security research on various subjects, including enterprise wireless network attacks, bypassing network access controls, and malware reverse engineering.
