CVE-2025-24813 exploitation confirmed against Apache Tomcat 9.0.90 on Tomcat-Server02. The attacker used a partial PUT request against the Tomcat default servlet to write a serialized Java payload (letsattack.session) into the webroot, then triggered deserialization of that file by repeatedly issuing GET requests to /hello-servlet. After iterating through multiple payload refinements (evidenced by sustained 500 errors), RCE was achieved. The attacker leveraged code execution to dump /etc/passwd and /etc/shadow to web-accessible staging files, which were then retrieved over HTTP. The machine has been contained.
May 30, 2025 — 18:18:42 to 18:24:18 UTC
| Field | Value |
|---|---|
| Host | Tomcat-Server02 (172.16.20.51) |
| Webroot | /opt/tomcat/apache-tomcat-9.0.90/webapps/ROOT |
| Log directory | /opt/tomcat/apache-tomcat-9.0.90/logs |
| Attacker IP | 3.15.143.228 |

Tomcat's default servlet was configured writable (readonly=false) with partial PUT left enabled (the default), allowing unauthenticated upload of arbitrary content directly into the webroot. Code execution through CVE-2025-24813 additionally requires file-based session persistence (a PersistentManager with a FileStore), so that the uploaded .session file is deserialized when a request references it, plus a deserialization gadget on the application's classpath; both were evidently present, since the uploaded file was deserialized and OS-level commands ran. The attacker used that execution to target Linux credential stores. The repeated PUT/GET cycling with persistent 500 errors indicates iterative payload refinement: deserialization was firing, but the payload required adjustment before commands executed cleanly.
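The three configuration preconditions named above can be checked directly from conf/web.xml and context.xml. The following audit script is an added example written for this report, not a tool from the incident or from the Tomcat project; the XML fragments are constructed samples (a weak DefaultServlet block with readonly=false, a hardened one, a PersistentManager/FileStore context and a default context), and the function names are the author's own.

```python
"""Audit the Tomcat settings that make the CVE-2025-24813 write-then-deserialize path possible.

Preconditions read from config:
  1. DefaultServlet init-param readonly=false   (Tomcat default: true)
  2. DefaultServlet init-param allowPartialPut   (Tomcat default: true)
  3. PersistentManager + FileStore in context.xml (not configured by default)
The fourth precondition, a usable gadget chain on the classpath, cannot be read from config.
"""
import xml.etree.ElementTree as ET

# Constructed samples, not the real files from Tomcat-Server02.
WEAK_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>listings</param-name><param-value>false</param-value></init-param>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>"""

HARDENED_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>listings</param-name><param-value>false</param-value></init-param>
    <init-param><param-name>readonly</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>allowPartialPut</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""

WEAK_CONTEXT_XML = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore" directory="sessions"/>
  </Manager>
</Context>"""

DEFAULT_CONTEXT_XML = """<Context>
  <WatchedResource>WEB-INF/web.xml</WatchedResource>
</Context>"""


def _local(tag):
    """Strip the XML namespace that web.xml declares on every element."""
    return tag.rsplit('}', 1)[-1]


def default_servlet_params(web_xml):
    """Return the init-params of the servlet named 'default' as {name: value}."""
    root = ET.fromstring(web_xml)
    for servlet in root.iter():
        if _local(servlet.tag) != 'servlet':
            continue
        name = next(((c.text or '').strip() for c in servlet
                     if _local(c.tag) == 'servlet-name'), None)
        if name != 'default':
            continue
        params = {}
        for ip in servlet:
            if _local(ip.tag) != 'init-param':
                continue
            pname = pvalue = None
            for c in ip:
                if _local(c.tag) == 'param-name':
                    pname = (c.text or '').strip()
                elif _local(c.tag) == 'param-value':
                    pvalue = (c.text or '').strip()
            if pname is not None:
                params[pname] = pvalue
        return params
    return {}


def uses_file_store(context_xml):
    """True if a PersistentManager backed by a FileStore is configured."""
    root = ET.fromstring(context_xml)
    for mgr in root.iter('Manager'):
        if not mgr.get('className', '').endswith('PersistentManager'):
            continue
        if any(s.get('className', '').endswith('FileStore') for s in mgr.findall('Store')):
            return True
    return False


def audit(web_xml, context_xml):
    """Evaluate the readable preconditions; missing init-params take Tomcat's defaults."""
    params = default_servlet_params(web_xml)
    readonly = params.get('readonly', 'true').lower() == 'true'
    partial_put = params.get('allowPartialPut', 'true').lower() == 'true'
    file_store = uses_file_store(context_xml)
    return {
        'writable_default_servlet': not readonly,
        'partial_put_allowed': partial_put,
        'file_session_store': file_store,
        'cve_2025_24813_preconditions_met': (not readonly) and partial_put and file_store,
    }


if __name__ == '__main__':
    print('vulnerable host :', audit(WEAK_WEB_XML, WEAK_CONTEXT_XML))
    print('hardened host   :', audit(HARDENED_WEB_XML, WEAK_CONTEXT_XML))
```

Run it against the real conf/web.xml and any context.xml on the host to confirm the misconfiguration; the hardening that closes the upload path is readonly=true (the default), and the session-store setting is what turns an upload into deserialization.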
| Time (UTC) | Request | Status | Notes |
|---|---|---|---|
| 18:18:42 | GET /bg-button.png | 200 | Initial recon / fingerprinting |
| 18:19:29 | PUT /letsattack.session | 201 | First upload - file created in webroot |
| 18:19:31 | GET /hello-servlet | 500 | Deserialization triggered, payload errors |
| 18:19:47 | PUT /letsattack.session | 204 | Payload refined, re-uploaded |
| 18:19:57 | PUT /check.txt | 204 | Webroot write-access verification |
| 18:20:39 | GET /id.txt | 200 | RCE confirmed - id command output staged and retrieved |
| 18:21:49 | GET /passwd.txt | 200 | /etc/passwd exfiltrated |
| 18:23:25 | GET /shadow.txt | 404 | /etc/shadow attempt failed (file not yet staged) |
| 18:24:18 | GET /shadow.txt | 200 | /etc/shadow exfiltrated |
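The timeline above reduces to a few log signals that can be hunted for across the other Tomcat hosts: successful PUTs to the webroot, a .session upload, a 5xx shortly after a PUT from the same client, and 200 responses for files the server had never served before that client wrote to the webroot. The detector below is an added example written for this report, not part of the original analysis; the log lines are constructed from the timeline in the default AccessLogValve pattern (%h %l %u %t "%r" %s %b), with one benign client and made-up byte counts added, and the signal names and 60-second window are the author's choices.

```python
"""Flag the PUT-then-deserialize-then-stage pattern in Tomcat access logs.

Signals, evaluated per client IP:
  webroot_write            any PUT answered 201/204 (a read-only default servlet never does this)
  session_file_upload      a successful PUT whose target ends in .session
  put_then_5xx             a 5xx GET within WINDOW of that client's last successful PUT
                           (deserialization firing on a still-broken payload)
  new_file_read_after_put  a 200 GET, after the client has written to the webroot, for a path
                           the server had never served 200 before (staged command output)
"""
import re
from collections import Counter
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample reproducing the incident timeline plus one benign client (10.0.0.5).
SAMPLE_LOG = """\
3.15.143.228 - - [30/May/2025:18:18:42 +0000] "GET /bg-button.png HTTP/1.1" 200 4120
10.0.0.5 - - [30/May/2025:18:19:10 +0000] "GET /bg-button.png HTTP/1.1" 200 4120
3.15.143.228 - - [30/May/2025:18:19:29 +0000] "PUT /letsattack.session HTTP/1.1" 201 -
3.15.143.228 - - [30/May/2025:18:19:31 +0000] "GET /hello-servlet HTTP/1.1" 500 1180
3.15.143.228 - - [30/May/2025:18:19:47 +0000] "PUT /letsattack.session HTTP/1.1" 204 -
3.15.143.228 - - [30/May/2025:18:19:57 +0000] "PUT /check.txt HTTP/1.1" 204 -
3.15.143.228 - - [30/May/2025:18:20:39 +0000] "GET /id.txt HTTP/1.1" 200 54
3.15.143.228 - - [30/May/2025:18:21:49 +0000] "GET /passwd.txt HTTP/1.1" 200 1931
3.15.143.228 - - [30/May/2025:18:23:25 +0000] "GET /shadow.txt HTTP/1.1" 404 682
3.15.143.228 - - [30/May/2025:18:24:18 +0000] "GET /shadow.txt HTTP/1.1" 200 1207
"""

WINDOW = timedelta(seconds=60)


def parse_line(line):
    """Parse one access-log line; returns None for lines that do not match the pattern."""
    m = LINE_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e['ts'] = datetime.strptime(e['ts'], '%d/%b/%Y:%H:%M:%S %z')
    e['status'] = int(e['status'])
    return e


def _finding(e, kind):
    return {'ts': e['ts'], 'ip': e['ip'], 'kind': kind, 'path': e['path']}


def detect(lines, window=WINDOW):
    """Return a list of findings, in log order, for the signals described above."""
    findings = []
    last_put = {}      # ip -> timestamp of that client's most recent successful PUT
    served_ok = set()  # paths the server has answered 200 to, from any client
    for e in filter(None, map(parse_line, lines)):
        ip, path, status = e['ip'], e['path'], e['status']
        if e['method'] == 'PUT' and status in (201, 204):
            last_put[ip] = e['ts']
            findings.append(_finding(e, 'webroot_write'))
            if path.endswith('.session'):
                findings.append(_finding(e, 'session_file_upload'))
        elif e['method'] == 'GET':
            if ip in last_put:
                if 500 <= status < 600 and e['ts'] - last_put[ip] <= window:
                    findings.append(_finding(e, 'put_then_5xx'))
                if status == 200 and path not in served_ok:
                    findings.append(_finding(e, 'new_file_read_after_put'))
            if status == 200:
                served_ok.add(path)
    return findings


def count_by_kind(findings):
    return dict(Counter(f['kind'] for f in findings))


if __name__ == '__main__':
    for f in detect(SAMPLE_LOG.splitlines()):
        print(f['ts'].strftime('%H:%M:%S'), f['ip'], f['kind'], f['path'])
```

Against the sample, the benign client produces nothing, while the attacker's session triggers every signal, including all three staged-file reads; the 404 for shadow.txt is correctly ignored because only a 200 indicates the staged file was actually retrieved. Feed it the localhost_access_log files from the log directory listed above.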
| Technique ID | Tactic | Technique |
|---|---|---|
| T1190 | Initial Access | Exploit Public-Facing Application |
| T1059 | Execution | Command and Scripting Interpreter |
| T1083 | Discovery | File and Directory Discovery |
| T1005 | Collection | Data from Local System |
| T1041 | Exfiltration | Exfiltration Over C2 Channel |
| Type | Value | Description |
|---|---|---|
| IP | 3.15.143.228 | Attacker source IP |
| File | letsattack.session | Malicious serialized Java payload |
| File | check.txt | Webroot write-access verification file |
| File | id.txt | Staged output of id command |
| File | passwd.txt | Staged copy of /etc/passwd |
| File | shadow.txt | Staged copy of /etc/shadow |
🔗 AbuseIPDB (3.15.143.228) → https://www.abuseipdb.com/check/3.15.143.228
🔗 Akamai — Apache Tomcat CVE-2025-24813 Research → https://www.akamai.com/blog/security-research/march-apache-tomcat-path-equivalence-traffic-detections-mitigations