The National Computer Emergency Response Team (NCERT) has issued an urgent security advisory warning organizations about a critical vulnerability in Apache Tomcat servers that could potentially allow cybercriminals to gain complete control of affected systems. The flaw, identified as CVE-2025-24813, has been classified as a high-severity remote code execution (RCE) vulnerability and poses a significant threat to organizations utilizing Apache Tomcat to host their web applications and services.
According to the NCERT advisory issued in March 2025, the vulnerability stems from improper handling of HTTP/2 requests by the Apache Tomcat server. This flaw can be exploited by remote attackers to execute arbitrary code without needing elevated privileges. Cybersecurity researchers have confirmed that attackers can craft malicious HTTP/2 requests which, when processed by a vulnerable Tomcat server, could enable them to execute unauthorized commands, gain access to sensitive data, and manipulate critical system configurations.
The threat surrounding this vulnerability has become more serious, as security analysts have reported that malicious actors are already exploiting CVE-2025-24813 in the wild. The availability of a public proof-of-concept (PoC) exploit has increased the risk, making it easier for attackers to launch attacks remotely without requiring any prior authentication or special permissions. In several cases, this vulnerability has been used not only to gain unauthorized access but also to deploy backdoors, malware, and malicious payloads on compromised systems. Threat actors have further used this flaw to conduct denial-of-service (DoS) attacks by overloading server resources, leading to service outages.
The NCERT advisory emphasizes that organizations running vulnerable versions of Apache Tomcat are at immediate risk and must act without delay. Specifically, it is recommended that affected organizations disable HTTP/2 support in their Tomcat server configurations to reduce the attack surface. This can be achieved by removing or commenting out the UpgradeProtocol directive in the server’s configuration files. Additionally, NCERT advises organizations to strengthen firewall rules and limit external access to Tomcat servers, allowing only trusted IP addresses to connect.
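The check below is an added example, not part of the NCERT advisory or of Apache Tomcat. It audits a `server.xml` for connectors that still carry an active `UpgradeProtocol` element and reports which interfaces each connector binds to. It assumes the standard Tomcat HTTP/2 element (`className="org.apache.coyote.http2.Http2Protocol"` nested inside a `<Connector>`); the sample configuration is constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Standard Tomcat HTTP/2 upgrade handler class (assumption: stock Tomcat config).
HTTP2_CLASS = "org.apache.coyote.http2.Http2Protocol"

# Constructed sample server.xml, not taken from any real deployment.
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    </Connector>
    <Connector port="9443" address="127.0.0.1" protocol="HTTP/1.1">
      <!-- <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" /> -->
    </Connector>
  </Service>
</Server>
"""

def audit_connectors(server_xml: str) -> list[dict]:
    """Return one finding per <Connector>: port, bind address, HTTP/2 state."""
    root = ET.fromstring(server_xml.strip())
    findings = []
    for conn in root.iter("Connector"):
        # Commented-out elements are dropped by the parser, so only
        # active UpgradeProtocol entries are counted here.
        h2 = any(up.get("className") == HTTP2_CLASS
                 for up in conn.findall("UpgradeProtocol"))
        findings.append({
            "port": conn.get("port"),
            # No address attribute means the connector listens on all interfaces.
            "address": conn.get("address", "all interfaces"),
            "http2_enabled": h2,
        })
    return findings

def http2_ports(server_xml: str) -> list[str]:
    """Ports whose connector still needs the UpgradeProtocol element removed."""
    return [f["port"] for f in audit_connectors(server_xml) if f["http2_enabled"]]

if __name__ == "__main__":
    for f in audit_connectors(SAMPLE_SERVER_XML):
        state = "HTTP/2 ENABLED" if f["http2_enabled"] else "HTTP/2 off"
        print(f"port {f['port']:>5}  bind={f['address']:<15}  {state}")
```

Connectors reported as bound to all interfaces are the ones to cover with the firewall restrictions the advisory describes.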
Furthermore, system administrators are urged to monitor server logs for any indicators of compromise, including unusual serialized object data or suspicious HTTP/2 request patterns that may indicate malicious activity. Proactive monitoring can help detect and mitigate attacks at an early stage.
To fully eliminate the vulnerability, NCERT recommends upgrading Apache Tomcat to the latest patched versions released by the official Apache Software Foundation. These include Tomcat 10.1.7 or later, Tomcat 9.0.84 or later, and Tomcat 8.5.93 or later. The advisory stresses the importance of downloading security patches only from official Tomcat sources to avoid supply chain risks.
In addition to applying patches and hardening server configurations, NCERT encourages organizations to implement a comprehensive incident response strategy. This includes conducting forensic analysis of potentially compromised systems, restoring from verified clean backups, and enhancing security monitoring frameworks to detect any further intrusion attempts.
NCERT’s advisory is a timely reminder of the critical importance of prompt vulnerability management, strong access controls, and continuous monitoring in safeguarding digital infrastructure. Organizations using Apache Tomcat are strongly urged to take immediate steps to secure their systems and prevent possible exploitation of this serious vulnerability.