Just a sample of the Echomail archive
Cooperative anarchy at its finest, still active today. Darkrealms is the Zone 1 Hub.
|    CONSPRCY    |    How big is your tinfoil hat?    |    2,445 messages    |
|    Message 796 of 2,445    |
|    Mike Powell to All    |
|    A worrying critical secur    |
|    18 Mar 25 09:45:00    |
TZUTC: -0500
MSGID: 511.consprcy@1:2320/105 2c3ec05f
PID: Synchronet 3.20a-Linux master/acc19483f Apr 26 202 GCC 12.2.0
TID: SBBSecho 3.20-Linux master/acc19483f Apr 26 2024 23:04 GCC 12.2.0
BBSID: CAPCITY2
CHRS: ASCII 1

A worrying critical security flaw in Apache Tomcat could let hackers take
over servers with ease

Date:
Tue, 18 Mar 2025 12:04:10 +0000

Description:
A "dead simple" attack allows threat actors to take over vulnerable Apache
Tomcat servers.

FULL STORY
======================================================================
 - Security outfit Wallarm spotted a PoC in the wild
 - The method abuses a deserialization flaw in Apache Tomcat
 - It allows attackers to fully take over vulnerable endpoints

A deserialization vulnerability on Apache Tomcat servers is being abused in
the wild to completely take over affected endpoints, security researchers
are warning.

Wallarm has revealed it saw a Chinese forum user, alias iSee857, share a
proof-of-concept (PoC) for a flaw tracked as CVE-2025-24813, warning threat
actors only need one PUT API request to take over the vulnerable server. The
request is used to upload a malicious serialized Java session, which then
allows the attacker to trigger deserialization by referencing the malicious
session ID in a GET request.

Tomcat, seeing this session ID, retrieves the stored file, deserializes it,
and executes the embedded Java code, granting full remote access to the
attacker, Wallarm explained.

Dead simple

The researchers added that the attack is dead simple to execute, and requires
no authentication. The only requirement is that Tomcat is using file-based
session storage which, according to the researchers, is common in many
deployments. Furthermore, base64 encoding means the attack will bypass most
traditional security filters.

Most web application firewalls (WAF) completely miss this attack, Wallarm
further warned, since the PUT request looks normal, the payload is
base64-encoded, the attack is two-step, where the harmful only happens in the
second step, and since most WAFs don't deeply inspect uploaded files.

This means that by the time an organization detects the breach in its logs,
it's already too late.

The worst part, Wallarm concluded, is that this is just the first wave, as it
expects threat actors to start uploading malicious JSP files, modifying
configurations, and planting backdoors outside session storage.

It was not yet assigned a severity score, and as per the NVD, it affects
Apache Tomcat from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34,
and from 9.0.0.M1 through 9.0.98.

Users are advised to upgrade to version 11.0.3, 10.1.35 or 9.0.98, which
fixes the issue.

======================================================================
Link to news story:
https://www.techradar.com/pro/security/a-worrying-critical-security-flaw-in-apache-tomcat-could-let-hackers-take-over-servers-with-ease

$$
--- SBBSecho 3.20-Linux
 * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)
SEEN-BY: 105/81 106/201 128/187 129/305 153/7715 154/110 218/700 226/30
SEEN-BY: 227/114 229/110 111 114 206 300 307 317 400 426 428 470 664
SEEN-BY: 229/700 705 266/512 291/111 320/219 322/757 342/200 396/45
SEEN-BY: 460/58 712/848 902/26 2320/0 105 3634/12 5075/35
PATH: 2320/105 229/426
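
The two-step pattern the story describes (a PUT upload, then a GET that references the uploaded session ID) can be hunted for in access logs. The Python below is an added example, not part of the original message or of Wallarm's research; the log format, the sample lines, the 10-minute window and the name-matching rule are all assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines (not from the page). Assumed format: Tomcat
# AccessLogValve pattern '%h %t "%r" %s %{JSESSIONID}c' ("-" = no cookie).
SAMPLE_LOG = """\
203.0.113.9 [18/Mar/2025:09:01:02 +0000] "PUT /uploads/report.pdf HTTP/1.1" 201 -
203.0.113.9 [18/Mar/2025:09:01:30 +0000] "GET /index.jsp HTTP/1.1" 200 5F2A9C1E7B3D4A60
198.51.100.7 [18/Mar/2025:09:02:10 +0000] "PUT /uploads/q7x9k2.dat HTTP/1.1" 201 -
198.51.100.7 [18/Mar/2025:09:02:18 +0000] "GET /index.jsp HTTP/1.1" 200 q7x9k2
192.0.2.50 [18/Mar/2025:09:05:00 +0000] "PUT /uploads/zz11.dat HTTP/1.1" 403 -
192.0.2.50 [18/Mar/2025:09:05:05 +0000] "GET /index.jsp HTTP/1.1" 200 zz11
192.0.2.44 [18/Mar/2025:11:30:00 +0000] "GET /app/home HTTP/1.1" 200 report
"""

LINE = re.compile(r'^(\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)$')

def key(name):
    # Assumed matching rule: compare on the first non-empty dot-separated
    # token, so file extensions and route suffixes do not hide a match.
    return next((t for t in name.split(".") if t), "")

def find_put_then_session_get(log_text, window=timedelta(minutes=10)):
    """Flag a GET whose session ID names a file a successful PUT just wrote."""
    uploads = {}  # name key -> (time, client, path) of the last accepted PUT
    alerts = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        client, ts, method, path, status, sid = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        if method == "PUT" and status in ("201", "204"):
            k = key(path.rsplit("/", 1)[-1])
            if k:
                uploads[k] = (when, client, path)
        elif method == "GET" and sid != "-":
            hit = uploads.get(key(sid))
            if hit and timedelta(0) <= when - hit[0] <= window:
                alerts.append({"upload": hit[2], "uploader": hit[1],
                               "session_id": sid, "requester": client,
                               "delay_s": int((when - hit[0]).total_seconds())})
    return alerts

if __name__ == "__main__":
    for alert in find_put_then_session_get(SAMPLE_LOG):
        print(alert)
```

The match is on names rather than client address, so an upload and a follow-up request from different sources are still correlated; rejected PUTs and session IDs seen long after the upload are ignored.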
(c) 1994, bbs@darkrealms.ca