## https://sploitus.com/exploit?id=189C62F7-F9C6-5B1E-848C-217627562AAB
# CVE-2025-24813 - Apache Tomcat Remote Code Execution Exploit
This is a proof-of-concept (PoC) exploit for **CVE-2025-24813**, a vulnerability in Apache Tomcat (9.0.80–9.0.83, 10.1.0–10.1.17) that allows remote code execution (RCE) via session deserialization.
The exploit abuses partial PUT requests and the PersistentManager session storage mechanism to achieve code execution.
## Description
Apache Tomcat incorrectly handles incomplete file uploads.
An attacker can upload a crafted serialized Java object as a `.session` file into the `work/` directory by sending a partial PUT request with a `Content-Range` header.
Once uploaded, the malicious session is automatically deserialized by Tomcat when a request with a matching `JSESSIONID` cookie is received, leading to arbitrary code execution.
## Requirements
- Apache Tomcat 9.0.80–9.0.83 or 10.1.0–10.1.17
- DefaultServlet `readonly=false`
- PersistentManager and FileStore configured
- ysoserial or similar tool to generate payloads
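The Description and Requirements above boil down to two configuration preconditions an operator can verify directly: a DefaultServlet declared with `readonly=false`, and a PersistentManager backed by a FileStore. The following is an added defender-side audit script, not part of this PoC or of Tomcat; it parses a `conf/web.xml` and a `context.xml` and reports whichever precondition is present. The sample XML documents and the function names (`default_servlet_readonly`, `has_file_persistent_manager`, `audit`) are constructed for this example.

```python
"""Audit Tomcat configuration for the two settings the PoC depends on:
DefaultServlet readonly=false and PersistentManager + FileStore.
Added example for defenders; the XML samples below are constructed."""
import xml.etree.ElementTree as ET

DEFAULT_SERVLET = 'org.apache.catalina.servlets.DefaultServlet'
PERSISTENT_MANAGER = 'org.apache.catalina.session.PersistentManager'
FILE_STORE = 'org.apache.catalina.session.FileStore'

# Constructed conf/web.xml fragment with the weak setting (readonly=false).
WEAK_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>debug</param-name>
      <param-value>0</param-value>
    </init-param>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
</web-app>"""

# Same fragment with the corrected value (Tomcat's default is also true).
HARDENED_WEB_XML = WEAK_WEB_XML.replace(
    "<param-value>false</param-value>", "<param-value>true</param-value>")

# Constructed context.xml with file-backed session persistence enabled.
WEAK_CONTEXT_XML = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore" directory="sessions"/>
  </Manager>
</Context>"""

# No Manager element: Tomcat falls back to the in-memory StandardManager.
HARDENED_CONTEXT_XML = "<Context/>"


def _local(tag: str) -> str:
    """Strip the XML namespace that Tomcat's web.xml declares on every element."""
    return tag.rsplit('}', 1)[-1]


def default_servlet_readonly(web_xml: str) -> bool:
    """Effective value of DefaultServlet's readonly init-param.
    A missing parameter means read-only, which is Tomcat's default."""
    root = ET.fromstring(web_xml)
    for servlet in root.iter():
        if _local(servlet.tag) != 'servlet':
            continue
        servlet_class, params = '', {}
        for child in servlet:
            name = _local(child.tag)
            if name == 'servlet-class':
                servlet_class = (child.text or '').strip()
            elif name == 'init-param':
                kv = {_local(c.tag): (c.text or '').strip() for c in child}
                params[kv.get('param-name', '')] = kv.get('param-value', '')
        if servlet_class == DEFAULT_SERVLET:
            return params.get('readonly', 'true').strip().lower() != 'false'
    return True  # no DefaultServlet declared here: built-in default applies


def has_file_persistent_manager(context_xml: str) -> bool:
    """True when a PersistentManager with a FileStore child is configured."""
    root = ET.fromstring(context_xml)
    for manager in root.iter('Manager'):
        if manager.get('className') != PERSISTENT_MANAGER:
            continue
        if any(s.get('className') == FILE_STORE for s in manager.findall('Store')):
            return True
    return False


def audit(web_xml: str, context_xml: str) -> list:
    """Return a finding per precondition that is present; empty list if none."""
    findings = []
    if not default_servlet_readonly(web_xml):
        findings.append('DefaultServlet readonly=false: PUT/DELETE accepted; '
                        'set readonly to true (or remove the param) in web.xml')
    if has_file_persistent_manager(context_xml):
        findings.append('PersistentManager with FileStore: sessions are read '
                        'from disk; disable or switch off file-backed persistence')
    return findings


if __name__ == '__main__':
    for line in audit(WEAK_WEB_XML, WEAK_CONTEXT_XML) or ['no findings']:
        print(line)
```

The two checks are independent on purpose: a host with `readonly=false` but no FileStore is still exposed to file writes, and one with a FileStore but a read-only DefaultServlet still deserializes whatever lands in the session directory, so each finding is worth acting on alone. Upgrading to a fixed Tomcat release remains the primary fix; the configuration changes reduce exposure while that is scheduled.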
## Usage
```bash
python3 exploit_cve202524813.py <target_url> <payload_file> <session_id> <trigger_path>
```