NCERT Warns Against Apache Tomcat Flaw Which Lets Hackers Take Over Servers

The National Computer Emergency Response Team (NCERT) has issued an advisory regarding a critical security vulnerability in Apache Tomcat, tracked as CVE-2025-24813.

This vulnerability enables remote attackers to execute arbitrary code on affected systems by exploiting the improper handling of HTTP/2 requests. Cybercriminals have been actively attempting to exploit this flaw, putting organizations that rely on Apache Tomcat for web applications and services at significant risk. Immediate mitigation measures are necessary to prevent unauthorized access and system compromise.

According to NCERT, exploitation of CVE-2025-24813 can lead to remote code execution (RCE), allowing attackers to gain full control over vulnerable servers. Additionally, attackers can bypass authentication, gain unauthorized access to sensitive resources, and manipulate system configurations.

The vulnerability is also being leveraged to deploy malware, including backdoors and malicious payloads, while some threat actors have used it to launch denial-of-service (DoS) attacks by overloading server resources.

Security researchers have confirmed that the flaw originates from the inadequate validation of HTTP/2 requests in Apache Tomcat, enabling attackers to inject specially crafted payloads. A publicly available proof-of-concept (PoC) exploit has demonstrated that attackers can trigger remote code execution by sending malicious HTTP/2 requests. The exploit requires no special privileges and can be executed remotely over the internet. Reports indicate that the attack code is already circulating among threat actors, increasing the urgency for organizations to secure their systems.

According to the advisory, immediate mitigation measures must be implemented to reduce the risk of exploitation. Organizations are advised to disable HTTP/2 support in the Tomcat server by removing or commenting out the UpgradeProtocol element from the configuration file. Restricting external access to Tomcat instances using firewall rules and allowing only trusted IP ranges can also help prevent unauthorized access. Additionally, system logs should be closely monitored for any unusual activity, such as serialized object data or suspicious HTTP/2 requests.

NCERT further recommends that affected organizations upgrade to the latest patched versions of Apache Tomcat to eliminate the vulnerability. The patched versions include Tomcat 10.1.7 or later, Tomcat 9.0.84 or later, and Tomcat 8.5.93 or later. Security experts emphasize the importance of downloading updates only from official Apache Tomcat sources. In addition to patching, organizations should harden security configurations by disabling unnecessary services, enforcing strict access controls, and implementing network security monitoring to detect potential attacks.
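The two checks described in the advisory (HTTP/2 disabled on every connector, and a version at or above the listed fixed releases) can be scripted for an inventory of Tomcat hosts. The following is an added example, not code from NCERT or the Apache Tomcat project. It assumes the configuration file is Tomcat's `server.xml` and that HTTP/2 is enabled through the standard `org.apache.coyote.http2.Http2Protocol` upgrade class; the version floors are the ones quoted above, and the sample configuration is constructed.

```python
import re
import xml.etree.ElementTree as ET

# Minimum fixed release per branch, exactly as listed in the advisory text above.
PATCHED = {(10, 1): (10, 1, 7), (9, 0): (9, 0, 84), (8, 5): (8, 5, 93)}

def version_status(version: str) -> str:
    """Classify a Tomcat version string such as '9.0.83' against PATCHED."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[-.].*)?", version.strip())
    if not m:
        return "unknown"
    v = tuple(int(x) for x in m.groups())
    floor = PATCHED.get(v[:2])
    if floor is None:
        return "unknown"  # branch is not in the advisory's list
    return "patched" if v >= floor else "needs-upgrade"

def http2_connectors(server_xml: str) -> list[str]:
    """Return the port of every <Connector> that still has an active
    HTTP/2 <UpgradeProtocol> child. Commented-out elements are ignored
    because the XML parser drops comments."""
    root = ET.fromstring(server_xml)
    ports = []
    for conn in root.iter("Connector"):
        for up in conn.findall("UpgradeProtocol"):
            if up.get("className", "").endswith("Http2Protocol"):
                ports.append(conn.get("port", "?"))
                break
    return ports

# Constructed sample: 8080 has the element commented out, 8443 still has it.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000">
      <!-- <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" /> -->
    </Connector>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    </Connector>
  </Service>
</Server>"""

if __name__ == "__main__":
    print("HTTP/2 still enabled on ports:", http2_connectors(SAMPLE_SERVER_XML))
    for v in ("10.1.6", "9.0.84", "8.5.92", "11.0.0"):
        print(v, version_status(v))
```

A version reported as `unknown` belongs to a branch the advisory does not list and needs to be checked against the vendor's own release notes.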

To enhance cybersecurity resilience, organizations must also focus on incident response and recovery strategies. This includes conducting forensic analysis on potentially compromised servers, restoring systems from clean backups, and enhancing security monitoring to detect ongoing threats.

NCERT urges all organizations using Apache Tomcat to take immediate remediation actions, emphasizing that prompt patching, strong access controls, and continuous monitoring are essential to preventing exploitation and safeguarding critical web applications.

