Apache Tomcat RCE vulnerability: ‘Patch, but there’s no need to panic’

Security researchers have poured cold water on claims that a recently reported Apache Tomcat bug is being “actively exploited”.


On 11 March, the Apache Software Foundation revealed a “potential” remote code execution vulnerability in its Apache Tomcat server solution.

Soon after, researchers at API security firm Wallarm warned of active exploitation of CVE-2025-24813 in the wild, leading to several media outlets sharing the alarming news.

“A devastating new remote code execution (RCE) vulnerability, CVE-2025-24813, is now actively exploited in the wild,” a Wallarm spokesperson said in a 17 March blog post.

“Attackers need just one PUT API request to take over vulnerable Apache Tomcat servers.”

However, according to Rapid7, the situation isn’t nearly as dire as the headlines would have you believe.

“Here at Rapid7, our usual bar for calling a vulnerability an emergent threat is either known exploitation at scale, or likelihood of exploitation at scale,” Rapid7’s Caitlin Condon said in a 19 March blog post.

“Apache Tomcat CVE-2025-24813 fulfils neither of these criteria, despite a variety of news headlines alleging broad exploitation in the wild.”

As Condon notes, Tomcat is widely used and has seen a number of severe vulnerabilities, but exploiting them has always required a very particular set of conditions to line up, and this new CVE “follows the same pattern”.

“TL;DR,” Condon said. “Patch, but there’s no need to panic.”

Essentially, while a proof-of-concept exploit does exist, at least five conditions need to be met before a malicious actor can view or modify sensitive files, and four further conditions are required before an actor can execute code remotely.

According to Rapid7’s study of the CVE and the PoC exploit, successful exploitation relies on a particular Apache Tomcat configuration, and one that is “relatively uncommon” at that – Rapid7 could only find about 200 Tomcat projects configured in that particular manner.

As for the reports of exploitation, the issue seems to have been blown out of proportion.

“CVE-2025-24813 has reportedly been exploited in the wild; however, Rapid7 has been unable to confirm any successful exploitation occurring against real-world production environments,” Condon said.

“We assess that ‘exploitation’ in this context likely means unsuccessful exploit attempts rather than successful compromise of production systems.”

These are the versions impacted by the vulnerability:

  • Apache Tomcat 11.0.0-M1 to 11.0.2 (fixed in 11.0.3 or later)
  • Apache Tomcat 10.1.0-M1 to 10.1.34 (fixed in 10.1.35 or later)
  • Apache Tomcat 9.0.0.M1 to 9.0.98 (fixed in 9.0.99 or later)
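For defenders triaging an inventory against that list, the following is an added example (not code from Rapid7, Apache or this article) that parses Tomcat version strings, including the milestone formats the advisory uses (“11.0.0-M1”, “9.0.0.M1”), and reports whether a given build falls inside one of the three affected ranges above. It assumes the ranges are inclusive at both ends and that a version on a branch the list does not mention (for example 10.0.x or 8.5.x) cannot be classified from this table alone; the inventory values are constructed for illustration.

```python
import re
from typing import NamedTuple, Optional, Tuple

# The three affected ranges exactly as the advisory lists them (inclusive),
# together with the release that fixes each branch.
AFFECTED_RANGES = [
    ("11.0.0-M1", "11.0.2", "11.0.3"),
    ("10.1.0-M1", "10.1.34", "10.1.35"),
    ("9.0.0.M1", "9.0.98", "9.0.99"),
]

# Accepts "11.0.2", "11.0.0-M1" and the older "9.0.0.M1" milestone spelling.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")


class TomcatVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    # Milestones sort before the final release with the same number:
    # (0, n) for milestone "Mn", (1, 0) for a GA build. Tuple comparison on
    # the NamedTuple then gives the right ordering for free.
    pre: Tuple[int, int]


def parse_version(text: str) -> TomcatVersion:
    """Parse a Tomcat version string; raise ValueError on anything unexpected."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    pre = (0, int(milestone)) if milestone is not None else (1, 0)
    return TomcatVersion(int(major), int(minor), int(patch), pre)


def check_version(text: str) -> Tuple[str, Optional[str]]:
    """Classify one version against the advisory's table.

    Returns ("affected", fixed_release), ("fixed", fixed_release) when the
    build is on a listed branch and already at or past the fix, or
    ("unlisted", None) when the branch is not in the table at all, in which
    case nothing can be concluded from this list and the build needs a
    separate look (it may be end-of-life rather than safe).
    """
    v = parse_version(text)
    for low, high, fixed in AFFECTED_RANGES:
        lo, hi = parse_version(low), parse_version(high)
        if (v.major, v.minor) != (lo.major, lo.minor):
            continue  # different branch, try the next range
        return ("affected", fixed) if lo <= v <= hi else ("fixed", fixed)
    return ("unlisted", None)


def hosts_to_patch(inventory: dict) -> dict:
    """Map host -> required fixed release for every affected host in an
    inventory of {host: tomcat_version}; unlisted branches are reported
    under a separate 'needs review' key rather than silently passed."""
    result = {"patch": {}, "needs review": []}
    for host, version in inventory.items():
        status, fixed = check_version(version)
        if status == "affected":
            result["patch"][host] = fixed
        elif status == "unlisted":
            result["needs review"].append(host)
    return result


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {
        "app-01": "11.0.2",
        "app-02": "11.0.3",
        "api-01": "10.1.34",
        "legacy-01": "9.0.0.M1",
        "legacy-02": "10.0.27",
    }
    for host, version in sample.items():
        print(host, version, check_version(version))
    print(hosts_to_patch(sample))
```

The branch match on `(major, minor)` is deliberate: a 10.0.x build is neither in the 10.1 range nor fixed by 10.1.35, so it must not be reported as safe just because it fails every range check.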

Rapid7’s Emergent Threat Response (ETR) post and the Apache Software Foundation’s advisory contain the full details.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
