Description
Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98.
If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files:
- writes enabled for the default servlet (disabled by default)
- support for partial PUT (enabled by default)
- a target URL for security sensitive uploads that was a sub-directory of a target URL for public uploads
- attacker knowledge of the names of security sensitive files being uploaded
- the security sensitive files also being uploaded via partial PUT
If all of the following were true, a malicious user was able to perform remote code execution:
- writes enabled for the default servlet (disabled by default)
- support for partial PUT (enabled by default)
- application was using Tomcat's file based session persistence with the default storage location
- application included a library that may be leveraged in a deserialization attack
Users are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.99, which fixes the issue.
EPSS Score: 87%
Comprehensive Technical Analysis of EUVD-2025-6498
1. Vulnerability Assessment and Severity Evaluation
The vulnerability described in EUVD-2025-6498 affects Apache Tomcat and is identified by CVE-2025-24813. This issue involves a path equivalence problem where the 'file.Name' (Internal Dot) can lead to Remote Code Execution (RCE), Information Disclosure, and the injection of malicious content into uploaded files via the write-enabled Default Servlet.
Severity Evaluation:
- CVSS Base Score: 9.8
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
The high CVSS score indicates a critical vulnerability due to its potential for remote exploitation without user interaction, leading to high impact on confidentiality, integrity, and availability.
2. Potential Attack Vectors and Exploitation Methods
Attack Vectors:
- Information Disclosure and Content Injection:
  - Conditions:
    - Writes enabled for the default servlet.
    - Support for partial PUT enabled.
    - Target URL for security-sensitive uploads is a sub-directory of a target URL for public uploads.
    - Attacker knowledge of the names of security-sensitive files.
    - Security-sensitive files uploaded via partial PUT.
  - Exploitation: An attacker can view or inject content into security-sensitive files by exploiting the path equivalence issue.
- Remote Code Execution:
  - Conditions:
    - Writes enabled for the default servlet.
    - Support for partial PUT enabled.
    - Application using Tomcat's file-based session persistence with the default storage location.
    - Application includes a library that can be leveraged in a deserialization attack.
  - Exploitation: An attacker can execute arbitrary code by combining the path equivalence issue with deserialization of attacker-controlled session data.
Exploitation Methods:
- Path Equivalence: Manipulating file paths to bypass security checks.
- Deserialization Attack: Exploiting vulnerable libraries to execute malicious code.
3. Affected Systems and Software Versions
Affected Versions:
- Apache Tomcat 11.0.0-M1 through 11.0.2
- Apache Tomcat 10.1.0-M1 through 10.1.34
- Apache Tomcat 9.0.0.M1 through 9.0.98
Recommended Upgrades:
- Upgrade to Apache Tomcat 11.0.3, 10.1.35, or 9.0.99 to mitigate the issue.
4. Recommended Mitigation Strategies
Immediate Mitigation:
- Disable writes for the default servlet.
- Disable support for partial PUT if not required.
- Ensure that security-sensitive uploads are not sub-directories of public uploads.
- Use a non-default storage location for file-based session persistence.
Long-Term Mitigation:
- Upgrade to the patched versions of Apache Tomcat (11.0.3, 10.1.35, or 9.0.99).
- Regularly update and patch all software components.
- Implement strict input validation and sanitization.
- Use security tools to monitor and detect suspicious activities.
5. Impact on European Cybersecurity Landscape
The vulnerability poses a significant risk to organizations using Apache Tomcat within the European Union. Given the widespread use of Apache Tomcat in web applications, the potential for large-scale exploitation is high. This could lead to data breaches, unauthorized access, and service disruptions, impacting both public and private sectors.
6. Technical Details for Security Professionals
Technical Analysis:
- Path Equivalence Issue: The vulnerability arises from the way Apache Tomcat handles file paths, allowing an attacker to manipulate the 'file.Name' to access or modify files outside the intended directory.
- Deserialization Vulnerability: The exploitation of deserialization attacks relies on the presence of vulnerable libraries within the application. Attackers can craft malicious payloads that, when deserialized, execute arbitrary code.
Detection and Monitoring:
- Log Analysis: Monitor logs for unusual file access patterns and PUT requests.
- Intrusion Detection Systems (IDS): Deploy IDS to detect and alert on suspicious activities related to file uploads and deserialization attempts.
- Code Review: Conduct thorough code reviews to identify and mitigate deserialization vulnerabilities.
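The log-analysis item above can be made concrete: since the default servlet rejects writes unless readonly=false, any PUT that reaches it is worth a look, and PUTs whose path segments begin with a dot or contain ".." are the ones to escalate. The script below is an added example, not part of this advisory or of Tomcat; it parses the "common" AccessLogValve pattern (%h %l %u %t "%r" %s %b) and the sample lines are constructed, not from any real server.

```python
import re
from collections import Counter

# Matches Tomcat's "common" AccessLogValve pattern (%h %l %u %t "%r" %s %b).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')

# Constructed sample access log; these lines are not from any real server.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2025:14:02:11 +0000] "GET /app/index.jsp HTTP/1.1" 200 5123
10.0.0.9 - - [10/Mar/2025:14:02:12 +0000] "PUT /app/uploads/report.pdf HTTP/1.1" 201 -
10.0.0.9 - - [10/Mar/2025:14:02:13 +0000] "PUT /app/uploads/.config/settings.json HTTP/1.1" 201 -
10.0.0.9 - - [10/Mar/2025:14:02:14 +0000] "PUT /app/uploads/archive..old/notes.txt HTTP/1.1" 403 -
10.0.0.5 - - [10/Mar/2025:14:02:15 +0000] "POST /app/login HTTP/1.1" 302 -
"""

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def odd_segments(path):
    """Path segments that start with a dot or contain '..' (query string ignored)."""
    segs = path.split("?", 1)[0].split("/")
    return [s for s in segs if s and (s.startswith(".") or ".." in s)]

def flag_write_requests(log_text):
    """Return (ip, path, status, reasons) per PUT request, plus per-client PUT counts."""
    findings, per_client = [], Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "PUT":
            continue
        reasons = ["PUT to servlet path"]  # writes are off by default, so any PUT is notable
        if odd_segments(rec["path"]):
            reasons.append("dotted path segment: " + ", ".join(odd_segments(rec["path"])))
        if rec["status"].startswith("2"):
            reasons.append("server accepted the write")
        per_client[rec["ip"]] += 1
        findings.append((rec["ip"], rec["path"], rec["status"], reasons))
    return findings, per_client
```

A burst of PUTs from one client, especially ones the server accepted with a 2xx status, is the pattern to alert on; the per-client counter gives that at a glance.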
By addressing this vulnerability promptly and comprehensively, organizations can significantly reduce the risk of exploitation and protect their systems and data.