FortiNDRCloud
SaaS based NDR solution providing 365 days data retention, along with Technical Success Manager
kcheung
Staff
Article Id 390647
Description

Apache Tomcat is popular open-source software used to deploy and run Java web applications.

FortiGuard Labs has observed active exploitation of CVE-2025-24813 in Apache Tomcat.

CVE-2025-24813 is a remote code execution vulnerability in Apache Tomcat which could allow attackers to view sensitive information and write information to the system.

The following versions of Tomcat are vulnerable to CVE-2025-24813:

  • Apache Tomcat 11.0.0-M1 to 11.0.2
  • Apache Tomcat 10.1.0-M1 to 10.1.34
  • Apache Tomcat 9.0.0.M1 to 9.0.98
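
To check an asset inventory against the ranges listed above, the following added example (not Fortinet or Apache code) parses Tomcat version strings, including milestone builds such as 9.0.0.M1, and reports which hosts fall inside the listed ranges. The function names, the `Apache Tomcat/x.y.z` banner format used as input and the sample hosts are assumptions made for illustration.

```python
import re

# Affected ranges exactly as listed in this article (inclusive bounds).
AFFECTED_RANGES = [
    ("11.0.0-M1", "11.0.2"),
    ("10.1.0-M1", "10.1.34"),
    ("9.0.0.M1", "9.0.98"),
]

# Matches x.y.z with an optional milestone suffix written as "-M1" or ".M1".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?")


def version_key(text):
    """Turn '10.1.0-M1', '9.0.0.M1' or 'Apache Tomcat/9.0.98' into a sortable tuple.

    Milestone builds (M1, M2, ...) sort before the final release of the same x.y.z.
    """
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no Tomcat version found in {text!r}")
    major, minor, patch, milestone = match.groups()
    stage = (0, int(milestone)) if milestone is not None else (1, 0)
    return (int(major), int(minor), int(patch)) + stage


def is_affected(text):
    """True when the version falls inside one of the ranges listed in this article."""
    key = version_key(text)
    return any(version_key(lo) <= key <= version_key(hi) for lo, hi in AFFECTED_RANGES)


def triage(inventory):
    """Map each host to 'affected', 'not in listed ranges' or 'unparsed'."""
    result = {}
    for host, banner in inventory.items():
        try:
            result[host] = "affected" if is_affected(banner) else "not in listed ranges"
        except ValueError:
            result[host] = "unparsed"
    return result


# Constructed sample inventory (hypothetical hosts and banners).
SAMPLE_INVENTORY = {
    "app01.example.internal": "Apache Tomcat/9.0.98",
    "app02.example.internal": "Apache Tomcat/10.1.35",
    "app03.example.internal": "Apache Tomcat/11.0.0-M20",
    "app04.example.internal": "unknown",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```
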

CVE ID

CVE-2025-24813 (https://nvd.nist.gov/vuln/detail/CVE-2025-24813)

NDR Cloud Detection Rule

FortiNDR Cloud v25.2+

  • Detection Rule Name: FortiGuard Outbreak Alert: Apache Tomcat Remote Code Execution - CVE-2025-24813
  • Category: Attack: Exploitation
  • Primary MITRE ID: T1190 - Exploit Public-Facing Application

Playbook

N/A

Threat Hunting

FortiNDR Cloud users can use the following IOCs from Fortinet to hunt for “Apache Tomcat RCE” related activities.

IOC source: https://www.fortiguard.com/outbreak-ioc?tag=apache%20tomcat%20rce

 

All IOCs listed above have been added to Threat Intelligence Intel.

Suricata Coverage

Customers can create custom investigations/detections using the Suricata signature below:

  • 2060801 -> ET WEB_SPECIFIC_APPS Apache Tomcat Path Equivalence (CVE-2025-24813)

Other Fortinet Products

For more details regarding mitigating the vulnerability by utilizing Fortinet products, please refer to:

https://www.fortiguard.com/outbreak-alert/apache-tomcat-rce
