Emergency Security Bulletin: Apache Tomcat Path Equivalence Vulnerability


By: RedLegg's Cyber Threat Intelligence Team

About:

RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats that we classify at the highest severity level and that warrant out-of-band emergency patching or mitigation action.


VULNERABILITIES

Apache Tomcat Path Equivalence Vulnerability

CVSS Score: 5.5 (Medium)
Identifier: CVE-2025-24813
Exploit or POC: Yes, active exploitation has been observed in the wild.
Update: CVE-2025-24813 – Apache Security Advisory

Description: CVE-2025-24813 is a path equivalence vulnerability in Apache Tomcat versions 9.0.0.M1 through 9.0.98, 10.1.0-M1 through 10.1.34, and 11.0.0-M1 through 11.0.2. This flaw arises when the default servlet has write permissions enabled (disabled by default) and partial PUT requests are supported (enabled by default). Under these conditions, a malicious user could exploit the vulnerability to view sensitive files, inject content, or, in specific scenarios, achieve remote code execution.

Mitigation Recommendation: Patching is currently the only method of mitigation. Apache has released updates to address this vulnerability. Administrators are advised to update to Apache Tomcat versions 9.0.99, 10.1.35, or 11.0.3, as specified in the Apache Security Advisory. Immediate patching is recommended to prevent potential exploitation.
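To turn the description and the patch guidance above into something an administrator can run against an inventory, here is an added exposure check (example code written for this bulletin, not RedLegg's or Apache's). It parses Tomcat version strings, including milestone builds such as 9.0.0.M1 and 10.1.0-M1, and compares them with the affected ranges and fixed releases the bulletin lists; it then reads a conf/web.xml and reports whether the two preconditions named in the description are present: the default servlet being writable (its `readonly` init-param set to false) and partial PUT support (its `allowPartialPut` init-param, which is treated as enabled unless explicitly false). Those two parameter names are Tomcat DefaultServlet settings and are not quoted from the bulletin itself, and the web.xml embedded below is constructed for the demo.

```python
"""Exposure check for CVE-2025-24813 (Apache Tomcat path equivalence).

Added example, not code from RedLegg or the Apache Tomcat project. It answers
two questions a defender asks before scheduling the patch: is this build in
an affected range, and does conf/web.xml enable the preconditions the
advisory names (default servlet writable, partial PUT supported)?
"""
import re
import xml.etree.ElementTree as ET

# First fixed release per branch, as stated in the bulletin. The affected
# ranges start at the first milestone of each branch, so "older than the
# fixed release within the same branch" is exactly the affected set.
FIXED_IN = {(9, 0): "9.0.99", (10, 1): "10.1.35", (11, 0): "11.0.3"}

# Tomcat version forms seen in the bulletin: 9.0.98, 9.0.0.M1, 10.1.0-M1
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")


def parse_version(text):
    """Return a sortable tuple; milestones sort before the GA build of the same patch number."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    is_ga = 1 if milestone is None else 0
    return (int(major), int(minor), int(patch), is_ga, int(milestone or 0))


def is_affected_version(text):
    """True when the version falls inside one of the ranges the bulletin lists."""
    v = parse_version(text)
    fixed = FIXED_IN.get(v[:2])
    if fixed is None:
        return False  # branch not among the ranges this bulletin lists
    return v < parse_version(fixed)


def _local(tag):
    # web.xml uses a default namespace; compare on the local element name only.
    return tag.rsplit("}", 1)[-1]


def default_servlet_params(web_xml_text):
    """Collect the init-params of the servlet whose class is DefaultServlet."""
    root = ET.fromstring(web_xml_text)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls = next((c.text.strip() for c in servlet
                    if _local(c.tag) == "servlet-class" and c.text), "")
        if not cls.endswith(".DefaultServlet"):
            continue
        params = {}
        for ip in servlet:
            if _local(ip.tag) != "init-param":
                continue
            name = value = None
            for child in ip:
                if _local(child.tag) == "param-name":
                    name = (child.text or "").strip()
                elif _local(child.tag) == "param-value":
                    value = (child.text or "").strip()
            if name:
                params[name] = value
        return params
    return {}


def preconditions(web_xml_text):
    """Evaluate the two conditions the advisory names, using Tomcat's defaults when a param is absent."""
    params = default_servlet_params(web_xml_text)
    writable = params.get("readonly", "true").lower() == "false"       # default: read-only
    partial_put = params.get("allowPartialPut", "true").lower() != "false"  # default: enabled
    return {"default_servlet_writable": writable, "partial_put_enabled": partial_put}


def assess(version, web_xml_text):
    """Combine version range and configuration into a single exposure verdict."""
    result = preconditions(web_xml_text)
    result["version_affected"] = is_affected_version(version)
    result["exposed"] = (result["version_affected"]
                         and result["default_servlet_writable"]
                         and result["partial_put_enabled"])
    return result


# Constructed sample: a conf/web.xml where an administrator has made the
# default servlet writable and left partial PUT at its default.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>debug</param-name>
      <param-value>0</param-value>
    </init-param>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""

if __name__ == "__main__":
    for ver in ("9.0.98", "9.0.99", "10.1.0-M1", "11.0.2", "11.0.3"):
        print(ver, assess(ver, SAMPLE_WEB_XML))
```

In practice you would read the version from the server's `lib/catalina.jar` manifest or the startup log and feed the real `conf/web.xml` to `assess()`. An "exposed" verdict of false for a still-affected version only means the named preconditions are absent in that file; the bulletin's guidance to update to 9.0.99, 10.1.35 or 11.0.3 stands regardless of the configuration result.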

Note: Given the potential severity of this vulnerability, it is imperative to apply the recommended patches promptly to secure your systems.