Exploiting CVE‑2025‑24813: Deep Dive into the absholi7ly PoC Repo
This blog post provides a concise, professional overview of the absholi7ly/POC-CVE-2025-24813 GitHub repository, which contains proof‑of‑concept code targeting CVE‑2025‑24813, a critical Apache Tomcat vulnerability.
🚨 Vulnerability Overview (CVE‑2025‑24813)
CVE‑2025‑24813 is a path‑equivalence and deserialization flaw in Apache Tomcat that can lead to unauthenticated remote code execution (RCE), information disclosure, or file manipulation under specific non‑default configurations. The flaw affects Tomcat versions 9.0.0‑M1 through 9.0.98, 10.1.0‑M1 through 10.1.34, and 11.0.0‑M1 through 11.0.2.
Exploitation requires:
- default servlet write enabled (disabled by default)
- support for partial PUT uploads (enabled by default)
- file-based session persistence using the default storage location
- presence of a vulnerable deserialization library on the application's classpath
When these conditions hold, an attacker can upload a .session file via PUT, then send a GET request carrying a matching JSESSIONID cookie so that Tomcat deserializes the file and executes the embedded Java code.
📁 Repository Contents
The GitHub repo includes:
- README.md – Explains vulnerability context, prerequisites, usage, and expected output.
- CVE_2025_24813.py – Python script to automate exploitation steps.
- LICENSE – Apache‑2.0 license allowing free reuse and adaptation.
- .gitignore
🧪 PoC Script: CVE_2025_24813.py
Written in Python, this script performs:
- Checks that the target accepts PUT writes (e.g. by uploading check.txt)
- Generates a serialized Java payload (payload.ser)
- Uploads the payload into Tomcat's session storage directory via path traversal (../sessions/)
- Triggers deserialization by sending a GET request with a matching JSESSIONID cookie
- Reports success or failure and cleans up temporary files
Typical output includes lines such as:
[+] Server is writable via PUT: ...
[*] Session ID: absholi7ly
[+] Payload generated successfully: payload.ser
[+] Exploit succeeded! Server returned 500 after deserialization.
✅ Exploit Prerequisites
Successful exploitation hinges on:
- Vulnerable Tomcat version deployed
- Writable default servlet and enabled partial PUT
- File-based session persistence with predictable session directory
- Use of vulnerable Java libraries that can be abused in a deserialization attack
- Access to ysoserial.jar or a similar tool to generate the Java payload (a Java runtime is required)
The README covers common failure cases (e.g. HTTP 403 on upload) and cleanup behavior.
⚠️ Risk Context & Observed Activity
- The vulnerability was disclosed on March 10, 2025 and rapidly labelled critical (CVSS 9.8) by NVD.
- Exploitation attempts were detected in the wild within days, including scanning traffic targeting .session payloads.
- Multiple firms (Akamai, Zscaler, Palo Alto Unit 42) published detection, mitigation guidance, and Indicators of Compromise (IoCs).
- However, real-world successful RCE incidents remain unconfirmed; many reports are unsuccessful probe attempts.
🛡️ Mitigation & Detection
✅ Patching
Upgrade to:
- Apache Tomcat 9.0.99 or newer
- 10.1.35 or newer
- 11.0.3 or newer
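The affected ranges listed in the vulnerability overview and the fixed releases listed above are easy to misjudge by eye because Tomcat milestone builds (9.0.0.M1, 10.1.0-M1) sort before the GA release of the same number. The following added example (written for this post, not code from the absholi7ly repository or the Tomcat project) turns both lists into a version assessment that a defender can run over inventory data. The banner regex assumes the default Tomcat error page footer format ("Apache Tomcat/x.y.z"); the SAMPLE_404 string is constructed, not captured from a real server.

```python
import re

# Affected ranges (inclusive) and first fixed release per branch, exactly as
# the post lists them. Keyed by (major, minor) so that branches the post does
# not mention (e.g. the EOL 8.5.x and 10.0.x lines) come back as "unknown",
# never as "fixed".
BRANCHES = {
    (9, 0):  ("9.0.0-M1",  "9.0.98",  "9.0.99"),
    (10, 1): ("10.1.0-M1", "10.1.34", "10.1.35"),
    (11, 0): ("11.0.0-M1", "11.0.2",  "11.0.3"),
}

GA = 10**6  # milestone slot used for a general-availability release

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")


def parse_version(text):
    """Parse '9.0.98', '9.0.0.M1' or '10.1.0-M1' into a sortable tuple.

    Milestones sort before the GA release of the same number, so
    9.0.0-M1 < 9.0.0-M27 < 9.0.0 < 9.0.1.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    return (int(major), int(minor), int(patch), int(milestone) if milestone else GA)


def assess(text):
    """Return 'affected', 'fixed' or 'unknown' for a Tomcat version string."""
    v = parse_version(text)
    branch = BRANCHES.get(v[:2])
    if branch is None:
        return "unknown"
    lo, hi, fixed = (parse_version(s) for s in branch)
    if lo <= v <= hi:
        return "affected"
    return "fixed" if v >= fixed else "unknown"


_BANNER_RE = re.compile(r"Apache Tomcat/(\d+\.\d+\.\d+(?:[.-]M\d+)?)")


def version_from_banner(html):
    """Pull the version out of Tomcat's default error page footer
    ('<h3>Apache Tomcat/9.0.98</h3>'); returns None if no banner is present."""
    m = _BANNER_RE.search(html)
    return m.group(1) if m else None


# Constructed sample of a default 404 page footer, not real server output.
SAMPLE_404 = '<hr class="line" /><h3>Apache Tomcat/9.0.98</h3></body></html>'

if __name__ == "__main__":
    ver = version_from_banner(SAMPLE_404)
    print(ver, assess(ver))  # 9.0.98 affected
```

Feed assess() whatever your inventory reports (package metadata, the banner of a deliberately requested 404, or the version in catalina.jar's manifest); treat "unknown" as a prompt to check the vendor advisory for that branch rather than as a clean result.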
⚙️ Configuration Hardening
- Disable write access on the default servlet (readonly="true", an init-param of the default servlet in conf/web.xml; this is the shipped default).
- Disable partial PUT support (allowPartialPut="false" in web.xml).
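Both settings above live as init-params of the servlet named "default", either in the global conf/web.xml or overridden in an application's WEB-INF/web.xml. The added example below (not code from the post or the Tomcat project) parses a web.xml and reports either setting in a weak state; the two XML documents are constructed samples. It handles the javaee and jakartaee namespaces by matching on local tag names. One assumption is labelled in the code: because the post states partial PUT is enabled by default on affected versions, an absent allowPartialPut is reported as a finding, which is conservative on patched releases where you may prefer to set it to false explicitly anyway.

```python
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip the javaee/jakartaee namespace so tags compare by local name."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_params(web_xml_text):
    """Return the init-params of the servlet named 'default', or None if the
    file declares no such servlet (an app's WEB-INF/web.xml then inherits
    the settings from the global conf/web.xml)."""
    root = ET.fromstring(web_xml_text)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        name, params = "", {}
        for child in servlet:
            if _local(child.tag) == "servlet-name":
                name = (child.text or "").strip()
            elif _local(child.tag) == "init-param":
                pname = pvalue = ""
                for c in child:
                    if _local(c.tag) == "param-name":
                        pname = (c.text or "").strip()
                    elif _local(c.tag) == "param-value":
                        pvalue = (c.text or "").strip()
                if pname:
                    params[pname] = pvalue
        if name == "default":
            return params
    return None


def audit_web_xml(web_xml_text):
    """Return findings for the two default-servlet settings the post calls out."""
    params = default_servlet_params(web_xml_text)
    if params is None:
        return []  # nothing overridden here; audit conf/web.xml instead
    findings = []
    # readonly defaults to true; any other value enables PUT/DELETE handling.
    if params.get("readonly", "true").lower() != "true":
        findings.append("readonly is not true: default servlet accepts PUT and DELETE")
    # Assumption (conservative): partial PUT is enabled by default on affected
    # versions per the post, so an absent allowPartialPut is reported as well.
    if params.get("allowPartialPut", "").lower() != "false":
        findings.append("allowPartialPut is not explicitly false: partial PUT may be accepted")
    return findings


# Constructed sample: write access enabled, partial PUT left at its default.
WEAK_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>"""

# Constructed sample: both settings in the hardened state the post recommends.
HARDENED_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>allowPartialPut</param-name><param-value>false</param-value></init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>"""

if __name__ == "__main__":
    for label, doc in (("weak", WEAK_WEB_XML), ("hardened", HARDENED_WEB_XML)):
        print(label, audit_web_xml(doc) or "OK")
```

Run it against conf/web.xml first, then against every deployed application's WEB-INF/web.xml, since an application-level override of the default servlet silently replaces the global settings.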
🔍 Detection
Monitor for:
- Unexpected PUT requests and .session file uploads
- GET requests whose JSESSIONID cookie value does not look like a Tomcat-generated session ID
- Newly created JSP or session files in webapps folders
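Tomcat's default access log pattern does not record cookies, so the first two signals above are easiest to detect when the AccessLogValve pattern includes `%{JSESSIONID}c`. The added example below (written for this post; not code from the repository or from Tomcat) assumes a pattern of `%h %t "%r" %s "%{JSESSIONID}c"`, parses sample lines constructed in that format, flags write methods, .session uploads and session-ID values outside Tomcat's default 32-hex-character format, and correlates a write followed shortly by an odd session ID from the same client. The session-ID value "absholi7ly" is taken from the PoC output quoted in the post; every other value in the sample lines is constructed.

```python
import re
from datetime import datetime, timedelta

# Assumed AccessLogValve pattern: %h %t "%r" %s "%{JSESSIONID}c"
LINE_RE = re.compile(
    r'^(?P<host>\S+) \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) "(?P<jsid>[^"]*)"$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Tomcat's default session id: 32 uppercase hex chars, optional ".jvmRoute" suffix.
NORMAL_SID = re.compile(r"^[0-9A-F]{32}(\.\w+)?$")


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    rec["status"] = int(rec["status"])
    return rec


def classify(rec):
    """Per-request signals from the detection list in the post."""
    alerts = []
    path = rec["path"].lower()
    if rec["method"] in ("PUT", "DELETE"):
        alerts.append("write-method")
        if path.endswith(".session") or "/sessions/" in path or ".." in path or "%2e%2e" in path:
            alerts.append("session-file-write")
    if rec["method"] == "GET" and rec["jsid"] not in ("", "-") and not NORMAL_SID.match(rec["jsid"]):
        alerts.append("odd-jsessionid")
    return alerts


def detect(lines, window=timedelta(minutes=5)):
    """Scan log lines; escalate an odd JSESSIONID that follows a write from the
    same client within `window`, which matches the PUT-then-GET sequence."""
    findings = []
    last_write = {}  # client host -> time of its most recent write method
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        alerts = classify(rec)
        if "write-method" in alerts:
            last_write[rec["host"]] = rec["time"]
        if "odd-jsessionid" in alerts:
            t = last_write.get(rec["host"])
            if t is not None and rec["time"] - t <= window:
                alerts.append("put-then-session-trigger")
        if alerts:
            findings.append((rec["host"], rec["method"], rec["path"], alerts))
    return findings


# Constructed sample log lines in the assumed pattern (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 [12/Mar/2025:10:15:01 +0000] "GET /index.jsp HTTP/1.1" 200 "-"',
    '10.0.0.9 [12/Mar/2025:10:15:02 +0000] "GET /app/ HTTP/1.1" 200 "1A2B3C4D5E6F7A8B9C0D1E2F3A4B5C6D"',
    '10.0.0.5 [12/Mar/2025:10:15:05 +0000] "PUT /check.txt HTTP/1.1" 201 "-"',
    '10.0.0.5 [12/Mar/2025:10:15:09 +0000] "PUT /uploads/payload.session HTTP/1.1" 409 "-"',
    '10.0.0.5 [12/Mar/2025:10:15:12 +0000] "GET /app/ HTTP/1.1" 500 "absholi7ly"',
]

if __name__ == "__main__":
    for host, method, path, alerts in detect(SAMPLE_LOG):
        print(f"{host} {method} {path}: {', '.join(alerts)}")
```

The 409 on the .session PUT and the 500 on the follow-up GET are worth keeping in the alert, because a server that rejects the write will still show the probe, which matches the post's note that many observed attempts are unsuccessful probes rather than confirmed compromises.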
🧪 Scanning
Use Nuclei or custom templates to detect vulnerable servers before patching, including tools from Unit 42 and Recorded Future.
📝 Summary
This repository delivers a streamlined Python PoC to test for exploitation of CVE‑2025‑24813. It reliably demonstrates how, under certain misconfigurations, Tomcat can be abused via partial PUT and session deserialization to allow unauthenticated RCE.
For defenders: patch vulnerable Tomcat versions, audit servlet configurations, and monitor file upload activities. For penetration testers: this PoC can help validate exploitability in legal, controlled environments.
📚 Further Reading
- Apache NVD Advisory on CVE‑2025‑24813
- Security analysis from Akamai, Zscaler, Palo Alto Unit 42, Rapid7
- Use public PoCs and detection scripts responsibly, only in environments you are authorized to test.
This post offers a high-level yet precise snapshot of the PoC repo and its relevance in securing Tomcat deployments.