API security
API economy
cloud security
Cyber landscape
Cybersecurity
WAF
March 20, 2025

Tomcat RCE Vulnerability Now Exploited in the Wild

Attackers are now exploiting a Remote Code Execution vulnerability in Apache Tomcat servers. It only takes a single API PUT and GET request combination to trigger a two-part attack that will upload and execute a malicious file…

Tomcat RCE Vulnerability Now Exploited in the Wild

API attacks are reaching levels never seen before in 2025. And as development rushes on, security teams are still struggling to keep up across all industries. The case we’re talking about today is a classic example of a vulnerability that was recognized, reported, but not resolved before attackers began to exploit it.

Apache Tomcat is a free, open-source Java web application server. The vulnerability in question was originally disclosed to the public on a Chinese forum by a user called iSee857. Contributors to the Apache open source project were presumably trying to resolve the issue, but it was already too late. Thirty hours after the post was made, attackers began to exploit the vulnerability in the wild, proving once again that bad actors are always waiting in the shadows to swoop in on any opportunity to strike.

The Vulnerability

The exploit works in two steps.

  1. The attacker uploads a serialized Java session file via PUT request
  2. The attacker triggers deserialization by referencing the malicious session ID in a GET request

The genius part of this attack is that it does not require any authentication to execute. The PUT request seems normal enough, and it seems that the API endpoint in question does not require further authentication checks by design. By the time the organization catches sight of any abnormalities, the malicious payload is already uploaded and deployed.

Every day, new vulnerabilities, attacks and breaches are popping up across platforms and industries. API security is more important now than ever as applications continue to rely on APIs to connect to one another. And as organizations continue to plow ahead without focusing on full, centralized API security, their applications, whether homegrown or relying on off-the-shelf third-party packages, are left vulnerable to attack, as in this case of Apache Tomcat.

FireTail is an end-to-end API and AI security platform for all your cybersecurity needs, starting with clear, centralized visibility at the application layer. To see how it works or try it out yourself, schedule a demo or go to our page for a free trial.

Lina Romero

Related posts

The New CIS API Security Guide
April 11, 2025

The New CIS API Security Guide

It’s here! The New CIS Guide for API Security provides teams with actionable steps for their own API security postures. API use is skyrocketing with the recent adoption of AI, and security teams are struggling to keep up with the rising threats. That’s where the CIS Guide comes in.

Read more
API Spec Generation: Ensuring Consistency and Security
April 9, 2025

API Spec Generation: Ensuring Consistency and Security

API security is a critical issue, especially with the rise of AI, which runs on APIs. So how do we ensure consistent API security in an age of growing threats? In this blog, we’ll go over one of the most critical enabling aspects of API security: API specifications.

Read more
Enhanced AI Security Capabilities from FireTail
April 8, 2025

Enhanced AI Security Capabilities from FireTail

FireTail’s latest platform update gives customers expanded AI security features and discovery capabilities to better find, document and protect AI initiatives across your organization. Here, we look at what the update covers and the benefits these new features deliver for FireTail customers.

Read more

This site uses cookies

By using this website, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.

Got it!