
Tomcat CVE-2025-24813: What You Need to Know

A breakdown of CVE-2025-24813 in Apache Tomcat—what it is, who’s actually at risk, and why most users likely aren’t affected. Keep calm and patch your servers.

A lot of noise is swirling around this Apache Tomcat RCE chain—but should you be worried? Our security researcher Jon Williams breaks it down:

  • Patches are available (Apache Tomcat 9.0.99, 10.1.35 and 11.0.3): upgrade immediately if you can.
  • Most Tomcat instances aren’t vulnerable: exploitation depends on non-default settings being enabled, so check your configuration before you panic.
  • Reports of active exploitation may be exaggerated.
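For readers who want a concrete check, the fragment below is an added example and is not taken from the original post or from Apache's own files. The non-default setting at issue, per the Apache Tomcat advisory for CVE-2025-24813, is the default servlet's `readonly` init parameter: Tomcat ships with it effectively `true` (writes over HTTP PUT/DELETE refused), and an instance becomes a candidate for this vulnerability only when an administrator has set it to `false`. The advisory lists further conditions for the RCE path; the fragment shows only the write-enabling one. The servlet entries are shown as they would appear in `$CATALINA_BASE/conf/web.xml` (or a webapp's `WEB-INF/web.xml`).

```xml
<!-- Added example, not from the original post: the DefaultServlet entry in
     Tomcat's conf/web.xml (or a webapp's WEB-INF/web.xml). -->

<!-- WEAK: readonly=false lets clients write files via HTTP PUT, which is the
     configuration the CVE-2025-24813 advisory identifies as a precondition. -->
<servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
        <param-name>readonly</param-name>
        <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>

<!-- HARDENED: readonly=true is Tomcat's shipped default; omitting the
     init-param entirely has the same effect. -->
<servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
        <param-name>readonly</param-name>
        <param-value>true</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>
```

A quick triage on a running server is to grep `conf/web.xml` and every deployed `WEB-INF/web.xml` for `readonly` and look at the following `param-value` line; if none is set to `false`, this particular precondition is not met, though you should still upgrade to the fixed release for your branch.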

    About the author: Jon Williams, Senior Security Engineer

    As a researcher for the Bishop Fox Capability Development team, Jon spends his time hunting for vulnerabilities and writing exploits for software on our customers' attack surface. He previously served as an organizer for BSides Connecticut for four years and most recently completed the Corelan Advanced Windows Exploit Development course. Jon has presented talks and written articles about his security research on various subjects, including enterprise wireless network attacks, bypassing network access controls, and malware reverse engineering.

