Critical security vulnerability in Apache Tomcat (CVE-2025-24813 score of 9.8/10)

A critical security vulnerability CVE-2025-24813 (score of 9.8) has been discovered in Apache Tomcat.

This RCE (Remote Code Execution) vulnerability means that a malicious actor could execute arbitrary code remotely on the affected machine without any authentication. In other words, the attack can succeed even if access to the vulnerable server is protected by a very complex password and MFA.


Vulnerable Apache Tomcat versions

The following versions of Apache Tomcat are affected:

  • Apache Tomcat 11.0.0-M1 to 11.0.2
  • Apache Tomcat 10.1.0-M1 to 10.1.34
  • Apache Tomcat 9.0.0.M1 to 9.0.98


Considerations on vulnerabilities with a score of 9.8

The vulnerability score is very high (9.8 on a scale of 10), which means that:

  • The vulnerability can be exploited easily and remotely.
  • No authentication is required to exploit the vulnerability.
  • The attacker does not need to know any password for the targeted server.
  • The impact on the targeted system can be major.


Proofs of concept (PoC) are currently available

  • Proofs of concept / PoC (computer programs showing how the vulnerability can be exploited) are currently available on the Internet, and anyone can download them.
  • The existence of a public PoC greatly increases the risk that a vulnerability will be exploited.


Recommendations

You must update your Apache Tomcat systems as follows:

  • Apache Tomcat 11.0.0-M1 to 11.0.2: migrate to version 11.0.3 or more recent.
  • Apache Tomcat 10.1.0-M1 to 10.1.34: migrate to version 10.1.35 or more recent.
  • Apache Tomcat 9.0.0.M1 to 9.0.98: migrate to version 9.0.99 or more recent.
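To help with the inventory step, the following script (an added example, not code from the advisory or from Streamscan) checks a Tomcat version string against the affected ranges listed above and reports the first fixed release. It handles Tomcat's milestone formats ("11.0.0-M1", "9.0.0.M1") and only encodes the ranges in this advisory, so a version outside them is reported as "not affected by this check", not as proven safe; the host names in the sample inventory are constructed.

```python
# Added example (not part of the original advisory): classify an installed
# Apache Tomcat version against the CVE-2025-24813 affected ranges listed
# above and report the first fixed release. Version strings follow Tomcat's
# own formats, e.g. "11.0.2", "10.1.0-M3", "9.0.0.M12".
import re

# (first affected, last affected, first fixed), as stated in the advisory
AFFECTED_RANGES = [
    ("11.0.0-M1", "11.0.2", "11.0.3"),
    ("10.1.0-M1", "10.1.34", "10.1.35"),
    ("9.0.0.M1", "9.0.98", "9.0.99"),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")


def parse_version(text):
    """Return a sortable tuple for a Tomcat version string.

    Milestones sort before the final release of the same number:
    9.0.0.M1 < 9.0.0.M2 < 9.0.0, and 11.0.0-M1 < 11.0.0 < 11.0.1.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    # A final release ranks above any numbered milestone of the same version.
    rank = int(milestone) if milestone is not None else float("inf")
    return (int(major), int(minor), int(patch), rank)


def check_cve_2025_24813(version):
    """Return (vulnerable, fixed_version); fixed_version is None if outside
    every range encoded in AFFECTED_RANGES."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        if parse_version(low) <= v <= parse_version(high):
            return True, fixed
    return False, None


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts
    for host, ver in [("web-01", "9.0.98"), ("web-02", "10.1.35"), ("app-01", "11.0.0-M5")]:
        vulnerable, fixed = check_cve_2025_24813(ver)
        status = f"VULNERABLE, upgrade to {fixed} or later" if vulnerable else "not affected by this check"
        print(f"{host}: Tomcat {ver} -> {status}")
```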

Additional recommendations (if you are unable to obtain the full list of your Apache Tomcat servers):

  • Perform a vulnerability scan of your web servers (internal and external) to ensure that they are not vulnerable.
  • Start by scanning your web servers exposed on the Internet. These servers will be attacked first.
  • After that, scan your web servers that are only accessible internally.


How does Streamscan protect you?

If you are a Streamscan partner:

  • We have set up a crisis unit to monitor the evolution of this critical vulnerability. We will apply the appropriate response measures.
  • Our DRG/MDR security monitoring team remains vigilant in monitoring your network.

Need help improving your cybersecurity? Talk to one of our experts or call us at +1 877 208-9040.