A newly discovered Apache Tomcat vulnerability (CVE-2025-4577) is actively being exploited in the wild, enabling attackers to take over servers with a simple PUT request.
Severity Level:
CVSS Score: 8.6/High
Description:
Under certain conditions and configurations, this vulnerability could allow a malicious actor to view security-sensitive files, inject arbitrary content into them, or achieve remote code execution. The vulnerability requires no authentication and stems from Tomcat accepting partial PUT requests combined with its default session persistence.
Affected Versions:
Apache Tomcat 11.0.0-M1 through 11.0.2
Apache Tomcat 10.1.0-M1 through 10.1.34
Apache Tomcat 9.0.0-M1 through 9.0.98
Impact:
Successful exploitation could permit a malicious user to view security-sensitive files or inject arbitrary content.
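The partial-PUT precondition described above can be checked on a host while patching is scheduled. As an added example that is not part of this advisory, the following Python script reads a Tomcat conf/web.xml and reports whether the DefaultServlet's readonly init-param (a real Tomcat setting that defaults to true) has been set to false, and lists PUT requests from an access log for triage; the web.xml fragment and log lines are constructed samples.

```python
import re
import xml.etree.ElementTree as ET

DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"

def _local(tag: str) -> str:
    """Strip the XML namespace web.xml declares, so tags match by local name."""
    return tag.rsplit("}", 1)[-1]

def default_servlet_writable(web_xml: str) -> bool:
    """True if this web.xml leaves the DefaultServlet writable (PUT/DELETE allowed).
    The 'readonly' init-param defaults to true; only an explicit 'false' enables PUT."""
    root = ET.fromstring(web_xml)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls = next((c.text or "" for c in servlet if _local(c.tag) == "servlet-class"), "")
        if cls.strip() != DEFAULT_SERVLET:
            continue
        for param in servlet:
            if _local(param.tag) != "init-param":
                continue
            kv = {_local(c.tag): (c.text or "").strip() for c in param}
            if kv.get("param-name") == "readonly":
                return kv.get("param-value", "").lower() == "false"
        return False  # DefaultServlet declared without readonly: default is read-only
    return False  # no DefaultServlet override: Tomcat's built-in default is read-only

PUT_LINE = re.compile(r'"PUT\s+(?P<path>\S+)\s+HTTP/[\d.]+"\s+(?P<status>\d{3})')

def put_requests(access_log: str) -> list:
    """Return (path, status) for each PUT in common/combined-format access log text.
    On a host where default_servlet_writable() is True these are the requests to triage."""
    return [(m.group("path"), int(m.group("status")))
            for m in map(PUT_LINE.search, access_log.splitlines()) if m]

# Constructed sample web.xml with the risky setting: readonly explicitly false.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""

# Constructed sample access-log lines, not real traffic.
SAMPLE_LOG = """10.0.0.5 - - [10/Mar/2025:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.9 - - [10/Mar/2025:12:00:02 +0000] "PUT /upload.session HTTP/1.1" 201 0"""
```

Run it against the real conf/web.xml and access log directory on each Tomcat host; a writable DefaultServlet on an affected version is the configuration to fix first.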