Apache Tomcat: Attacks on critical security vulnerability ongoing
A critical vulnerability in Apache Tomcat allows malicious code to be injected. This is exactly what attackers are currently doing.
A serious security vulnerability in Apache Tomcat allows attackers to inject malicious code. Attackers are currently doing exactly that – high time for IT managers to apply the available security updates.
The US IT security authority CISA warns of the observed attacks on the vulnerability. As usual, however, it does not discuss the nature and scope of the attacks. It is therefore currently unclear how admins can recognize whether their systems have been attacked or even compromised.
Apache Tomcat: Critical security vulnerability
The vulnerability is found in the processing of partial PUT requests. The cause is an internally used dot in a file path, the Apache Tomcat developers explain in their security announcement. “The original implementation of partial PUT used a temporary file that used a file name and path specified by the user, with the path separator replaced by a dot '.'”, they summarize the problem there (CVE-2025-24813, CVSS 9.8, risk “critical”).
As a solution, the developers state that admins should update to the bug-fixed Apache Tomcat versions 9.0.99, 10.1.35 and 11.0.3 or newer. These releases close the security hole.
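To turn the three fixed version numbers above into a quick fleet check, here is an added example (not code from the article or from the Apache Tomcat project) that classifies Tomcat server banners as vulnerable, patched or unknown by comparing them against the fixed release of their major line. The inventory format (one "host version" pair per line), the host names and the version strings in it are constructed for illustration:

```python
"""Triage Apache Tomcat version strings against the releases that fix
CVE-2025-24813 (9.0.99, 10.1.35, 11.0.3), as named in the advisory.

Added example, not taken from the article or the Tomcat project. The
inventory format and the hosts below are constructed for illustration.
"""
import re
from typing import Optional

# Fixed releases per major line, as stated in the Apache Tomcat advisory.
FIXED = {
    9: (9, 0, 99),
    10: (10, 1, 35),
    11: (11, 0, 3),
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[tuple[int, int, int]]:
    """Extract (major, minor, patch) from a string such as
    'Apache Tomcat/10.1.34' or '9.0.98'. Returns None if no version is found.
    Milestone suffixes such as '-M1' are ignored, which still sorts them
    below the fixed release."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_vulnerable(text: str) -> Optional[bool]:
    """True if the version is below the fixed release for its major line,
    False if it is at or above it, None if the version cannot be parsed or
    the major line is not one of those listed (e.g. Tomcat 8.5, which the
    advisory quoted in the article does not list a fixed version for)."""
    version = parse_version(text)
    if version is None:
        return None
    fixed = FIXED.get(version[0])
    if fixed is None:
        return None
    return version < fixed


def triage(inventory: str) -> dict[str, list[str]]:
    """Sort a 'host version' inventory into vulnerable / patched / unknown
    buckets, preserving the order hosts appear in."""
    result: dict[str, list[str]] = {"vulnerable": [], "patched": [], "unknown": []}
    for line in inventory.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        host, _, banner = line.partition(" ")
        state = is_vulnerable(banner)
        if state is None:
            result["unknown"].append(host)
        elif state:
            result["vulnerable"].append(host)
        else:
            result["patched"].append(host)
    return result


# Constructed sample inventory: hypothetical hosts and banners, one pair per line.
SAMPLE_INVENTORY = """\
# host   server banner
app01    Apache Tomcat/9.0.98
app02    Apache Tomcat/9.0.99
app03    Apache Tomcat/10.1.34
app04    Apache Tomcat/10.1.35
app05    Apache Tomcat/11.0.2
app06    Apache Tomcat/11.0.3
legacy1  Apache Tomcat/8.5.100
web07    nginx/1.24.0
"""

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:>10}: {', '.join(hosts) or '-'}")
```

Hosts that land in the "unknown" bucket (an unparseable banner, or a major line the advisory does not cover) deserve a manual look rather than being treated as patched; the check deliberately refuses to guess for them.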
An exploit was published around three weeks ago that demonstrates the misuse of the vulnerability. It is unclear whether the observed attacks on Apache Tomcat servers are based on it. Either way, admins should install the available software updates immediately if they have not already done so.
The abuse of security vulnerabilities by cyber criminals to infiltrate malicious code is practically a daily occurrence. IT managers are therefore well advised to install available security updates promptly. In some cases, however, even that is already too late. Last week, for example, Google closed a security gap in the Chrome web browser that was already under attack in the wild at the time.
(dmk)