Critical Apache Tomcat vulnerability actively exploited – patch immediately
A critical vulnerability in Apache Tomcat has been found and is already being exploited in the wild. The flaw, tracked as CVE-2025-24813, allows remote code execution (RCE) – giving attackers the ability to run arbitrary code on vulnerable servers without needing to authenticate.
Since Apache Tomcat is one of the most widely used Java-based web servers, the vulnerability has far-reaching consequences for both private companies and public institutions.
What is CVE-2025-24813?
The vulnerability lies in how Tomcat handles HTTP/2 requests. Specifically, malformed or malicious HTTP/2 requests can trigger a buffer overflow, allowing an attacker to take control of the server. This kind of flaw is especially dangerous because it requires no authentication and can be triggered remotely.
Successful exploitation can give attackers full control over the affected server – including the ability to install malware, exfiltrate data, or pivot to other systems within the network.
Which versions are affected?
According to the Apache Software Foundation, the following versions of Tomcat are vulnerable:
- Apache Tomcat 11.0.0-M1
- Apache Tomcat 10.1.0-M1
- Apache Tomcat 9.0.0-M1
The vulnerability has been fixed in the following versions:
- 11.0.3
- 10.1.35
- 9.0.99
If your organisation is using any of the affected versions, updating to the latest release should be your top priority.
Exploits already detected
This is not a theoretical vulnerability. Cybersecurity researchers have confirmed that CVE-2025-24813 is being actively exploited in the wild, which significantly raises the stakes for unpatched systems.
Threat actors are known to act quickly once a critical flaw like this is disclosed – often scanning the internet for vulnerable instances within hours. In some cases, opportunistic attacks are automated, making exposure a matter of when, not if.
What should you do now?
To protect your organisation, take the following steps as soon as possible:
- Identify all Tomcat instances running in your infrastructure.
- Check the version number: if it falls within the affected ranges, upgrade immediately to a patched release.
- If an upgrade is not immediately possible, consider disabling HTTP/2 support as a temporary workaround.
- Monitor logs for unusual HTTP/2 traffic or unexpected behaviour.
- Ensure your patch management and vulnerability scanning processes are functioning efficiently and consistently.
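To support the first two steps, here is an added example (not part of the original article or of the Tomcat project) that reads the version a local Tomcat install reports via bin/version.sh and compares it with the fixed releases listed above, treating milestone builds such as 11.0.0-M1 as older than the GA release. The CATALINA_HOME directory layout is an assumption, and the sample version.sh output is constructed.

```python
import os
import re
import subprocess

# First fixed release on each branch, as listed in the advisory above.
FIXED_RELEASES = {11: (11, 0, 3), 10: (10, 1, 35), 9: (9, 0, 99)}

# Matches "Apache Tomcat/9.0.98" or "Server number: 9.0.98.0" as printed by
# bin/version.sh, with an optional milestone suffix such as 11.0.0-M1.
VERSION_RE = re.compile(
    r"(?:Apache Tomcat/|Server number:\s*)(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?"
)

def parse_tomcat_version(text):
    """Return (major, minor, patch, milestone) from version.sh output.

    milestone is None for GA releases; e.g. "11.0.0-M1" -> (11, 0, 0, 1)."""
    match = VERSION_RE.search(text)
    if not match:
        raise ValueError("no Tomcat version string found")
    major, minor, patch, milestone = match.groups()
    return (int(major), int(minor), int(patch),
            int(milestone) if milestone else None)

def is_vulnerable(version):
    """True if the version predates the first fixed release on its branch.

    Returns None for a branch the advisory does not list (e.g. 8.5.x), so the
    caller can flag it for manual review instead of assuming it is safe."""
    major, minor, patch, milestone = version
    fixed = FIXED_RELEASES.get(major)
    if fixed is None:
        return None
    # A milestone (False) sorts before the GA release (True) of the same number.
    return (major, minor, patch, milestone is None) < (*fixed, True)

def check_install(catalina_home):
    """Run bin/version.sh of a local install (assumed tarball layout) and classify it."""
    script = os.path.join(catalina_home, "bin", "version.sh")
    out = subprocess.run(["sh", script], capture_output=True, text=True, check=True).stdout
    version = parse_tomcat_version(out)
    return version, is_vulnerable(version)

# Constructed sample of version.sh output (not captured from a real host).
SAMPLE_OUTPUT = """Using CATALINA_BASE:   /opt/tomcat
Server version: Apache Tomcat/9.0.98
Server number:  9.0.98.0
JVM Version:    17.0.10+7
"""

if __name__ == "__main__":
    v = parse_tomcat_version(SAMPLE_OUTPUT)
    print(v, "vulnerable" if is_vulnerable(v) else "patched")
```

Run `check_install("/opt/tomcat")` against each instance found in step one; a result of None means the branch is not on the advisory's list and needs manual review.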
Why this matters
Remote code execution vulnerabilities are among the most severe in cybersecurity. They effectively bypass most security controls and give attackers direct access to critical systems. Combined with widespread use and active exploitation, this flaw poses a serious risk to unpatched environments.
This incident highlights the importance of timely patching and good visibility over your software stack. Even trusted, long-established tools like Tomcat can become attack vectors if left unpatched.
And this flaw is far from an isolated case. In recent months, we've seen similar high-risk vulnerabilities surface across widely used technologies – read our article about critical OpenSSH flaws and privacy risks in popular Android apps. These examples serve as a reminder that staying ahead of threats requires constant vigilance and a proactive security strategy.
Final thoughts
At Moxso, we believe that awareness is the first line of defence. If your organisation uses Apache Tomcat, treat this vulnerability as a high-priority issue. Update your systems, review your infrastructure, and ensure your team is prepared to respond to active threats.
Cybersecurity doesn’t have to be complicated – but it does have to be proactive. One of the most effective ways to stay ahead of threats is by building a strong security culture. With Moxso’s cybersecurity training, your employees can learn to recognise risks and respond appropriately – turning your team into a human firewall.
Sarah Krarup
Sarah studies innovation and entrepreneurship with a deep interest in IT and how cybersecurity impacts businesses and individuals. She has extensive experience in copywriting and is dedicated to making cybersecurity information accessible and engaging for everyone.