# Exploiting CVE‑2025‑24813: Deep Dive into the absholi7ly PoC Repo This blog post provides a concise, professional overview of the **absholi7ly/POC-CVE-2025-24813** GitHub repository, which contains proof‑of‑concept code targeting **CVE‑2025‑24813**, a critical Apache Tomcat vulnerability. --- ## 🚨 Vulnerability Overview (CVE‑2025‑24813) CVE‑2025‑24813 is a **path‑equivalence and deserialization flaw** in Apache Tomcat that can lead to **unauthenticated remote code execution (RCE)**, information disclosure, or file manipulation under specific non‑default configurations. The flaw affects Tomcat versions **9.0.0‑M1 through 9.0.98**, **10.1.0‑M1 through 10.1.34**, and **11.0.0‑M1 through 11.0.2** 0. Exploitation requires: - `default servlet` write enabled (disabled by default) - support for **partial PUT** uploads (enabled by default) - **file-based session persistence** using default storage location - presence of a vulnerable deserialization library. Once abused, attackers can upload a `.session` file via PUT, then trigger a GET request with the matching `JSESSIONID` cookie to deserialize and execute malicious Java code. --- ## 📁 Repository Contents The GitHub repo includes: - **README.md** – Explains vulnerability context, prerequisites, usage, and expected output. - **CVE_2025_24813.py** – Python script to automate exploitation steps. - **LICENSE** – Apache‑2.0 license allowing free reuse and adaptation. - **.gitignore** --- ## 🧪 PoC Script: CVE_2025_24813.py Written in Python, this script performs: 1. **PUT write check** to target endpoint (e.g. uploading `check.txt`) 2. Generates a serialized Java payload (`payload.ser`) 3. Uploads the payload into Tomcat’s session storage directory via path traversal (`../sessions/`) 4. Triggers deserialization by sending a GET request with `JSESSIONID` 5. Reports success/failure and cleans up temporary files Typical output includes lines such as: ``` [+] Server is writable via PUT: ... [*] Session ID: absholi7ly [+] Payload generated successfully: payload.ser [+] Exploit succeeded! Server returned 500 after deserialization. ``` ## ✅ Exploit Prerequisites Successful exploitation hinges on: - Vulnerable Tomcat version deployed - Writable default servlet and enabled partial PUT - File-based session persistence with predictable session directory - Use of vulnerable Java libraries capable of deserialization attack4 - Access to `ysoserial.jar` or similar to generate the Java payload (Java environment required) The README covers common failure cases (e.g. HTTP 403 on upload) and cleanup behavior 5. ## ⚠️ Risk Context & Observed Activity - The vulnerability was disclosed on **March 10, 2025** and rapidly labelled critical (CVSS 9.8) by NVD. - Exploitation attempts were detected in the wild within days, including scanning traffic targeting `.session` payloads. - Multiple firms (Akamai, Zscaler, Palo Alto Unit 42) published detection, mitigation guidance, and Indicators of Compromise (IoCs). - However, real-world successful RCE incidents remain unconfirmed; many reports are unsuccessful probe attempts. --- ## 🛡️ Mitigation & Detection ### ✅ Patching Upgrade to: - **Apache Tomcat 9.0.99 or newer** - **10.1.35 or newer** - **11.0.3 or newer** ### ⚙️ Configuration Hardening - Disable write access on the default servlet (`readonly="true"`). - Disable partial PUT support (`allowPartialPut="false"` in `web.xml`) . ### 🔍 Detection Monitor for: - Unexpected **PUT requests** and `.session` file uploads - Suspicious GET requests with `JSESSIONID` values - Newly created JSP or session files in webapps folders. ### 🧪 Scanning Use Nuclei or custom templates to detect vulnerable servers before patching, including tools from Unit 42 and Recorded Future. --- ## 📝 Summary This repository delivers a streamlined Python PoC to test for exploitation of **CVE‑2025‑24813**. It reliably demonstrates how, under certain misconfigurations, Tomcat can be abused via partial PUT and session deserialization to allow unauthenticated RCE. For defenders: patch vulnerable Tomcat versions, audit servlet configurations, and monitor file upload activities. For penetration testers: this PoC can help validate exploitability in legal, controlled environments. ### 📚 Further Reading - Apache NVD Advisory on CVE‑2025‑24813 - Security analysis from Akamai, Zscaler, Palo Alto Unit 42, Rapid7 - Use public PoCs and detection scripts responsibly, only in environments you are authorized to test. This post offers a high-level yet precise snapshot of the PoC repo and its relevance in securing Tomcat deployments.

Support Crack-Vault and help us keep providing free tools. Every donation counts! (BTC) Address: bc1qhhva8uplmkaa3kkwxnux9t3y6l6kmhnwqzktzn

CVE‑2025‑24813

NikolasHume

Exploiting CVE‑2025‑24813: Deep Dive into the absholi7ly PoC Repo

This blog post provides a concise, professional overview of the absholi7ly/POC-CVE-2025-24813 GitHub repository, which contains proof‑of‑concept code targeting CVE‑2025‑24813, a critical Apache Tomcat vulnerability.

🚨 Vulnerability Overview (CVE‑2025‑24813)

CVE‑2025‑24813 is a path‑equivalence and deserialization flaw in Apache Tomcat that can lead to unauthenticated remote code execution (RCE), information disclosure, or file manipulation under specific non‑default configurations. The flaw affects Tomcat versions 9.0.0‑M1 through 9.0.98, 10.1.0‑M1 through 10.1.34, and 11.0.0‑M1 through 11.0.2 0.

Exploitation requires:

default servlet write enabled (disabled by default)
support for partial PUT uploads (enabled by default)
file-based session persistence using default storage location
presence of a vulnerable deserialization library.

Once abused, attackers can upload a .session file via PUT, then trigger a GET request with the matching JSESSIONID cookie to deserialize and execute malicious Java code.

📁 Repository Contents

The GitHub repo includes:

README.md – Explains vulnerability context, prerequisites, usage, and expected output.
CVE_2025_24813.py – Python script to automate exploitation steps.
LICENSE – Apache‑2.0 license allowing free reuse and adaptation.
.gitignore

🧪 PoC Script: CVE_2025_24813.py

Written in Python, this script performs:

PUT write check to target endpoint (e.g. uploading check.txt)
Generates a serialized Java payload (payload.ser)
Uploads the payload into Tomcat’s session storage directory via path traversal (../sessions/)
Triggers deserialization by sending a GET request with JSESSIONID
Reports success/failure and cleans up temporary files

Typical output includes lines such as:

[+] Server is writable via PUT: ...
[*] Session ID: absholi7ly
[+] Payload generated successfully: payload.ser
[+] Exploit succeeded! Server returned 500 after deserialization.

✅ Exploit Prerequisites

Successful exploitation hinges on:

Vulnerable Tomcat version deployed
Writable default servlet and enabled partial PUT
File-based session persistence with predictable session directory
Use of vulnerable Java libraries capable of deserialization attack4
Access to ysoserial.jar or similar to generate the Java payload (Java environment required)

The README covers common failure cases (e.g. HTTP 403 on upload) and cleanup behavior 5.

⚠️ Risk Context & Observed Activity

The vulnerability was disclosed on March 10, 2025 and rapidly labelled critical (CVSS 9.8) by NVD.
Exploitation attempts were detected in the wild within days, including scanning traffic targeting .session payloads.
Multiple firms (Akamai, Zscaler, Palo Alto Unit 42) published detection, mitigation guidance, and Indicators of Compromise (IoCs).
However, real-world successful RCE incidents remain unconfirmed; many reports are unsuccessful probe attempts.

🛡️ Mitigation & Detection

✅ Patching

Upgrade to:

Apache Tomcat 9.0.99 or newer
10.1.35 or newer
11.0.3 or newer

⚙️ Configuration Hardening

Disable write access on the default servlet (readonly="true").
Disable partial PUT support (allowPartialPut="false" in web.xml) .

🔍 Detection

Monitor for:

Unexpected PUT requests and .session file uploads
Suspicious GET requests with JSESSIONID values
Newly created JSP or session files in webapps folders.

🧪 Scanning

Use Nuclei or custom templates to detect vulnerable servers before patching, including tools from Unit 42 and Recorded Future.

📝 Summary

This repository delivers a streamlined Python PoC to test for exploitation of CVE‑2025‑24813. It reliably demonstrates how, under certain misconfigurations, Tomcat can be abused via partial PUT and session deserialization to allow unauthenticated RCE.

For defenders: patch vulnerable Tomcat versions, audit servlet configurations, and monitor file upload activities. For penetration testers: this PoC can help validate exploitability in legal, controlled environments.

📚 Further Reading

Apache NVD Advisory on CVE‑2025‑24813
Security analysis from Akamai, Zscaler, Palo Alto Unit 42, Rapid7
Use public PoCs and detection scripts responsibly, only in environments you are authorized to test.

This post offers a high-level yet precise snapshot of the PoC repo and its relevance in securing Tomcat deployments.

📱

Download Now—Top Software, No Cost!