TencentOS Server 3: tomcat (TSSA-2025:0225)

🗓️ 20 Nov 2025 00:00:00Reported by TenableType

TencentOS Server 3 is affected by CVE-2025-24813; upgrade Tomcat to 11.0.3, 10.1.35, or 9.0.98.

Reporter	Title	Published	Views	Family All 321
GithubExploit	Exploit for Deserialization of Untrusted Data in Apache Tomcat	3 Jul 202500:31	–	githubexploit
GithubExploit	Exploit for Deserialization of Untrusted Data in Apache Tomcat	14 Mar 202507:36	–	githubexploit
GithubExploit	Exploit for Deserialization of Untrusted Data in Apache Tomcat	14 Mar 202503:11	–	githubexploit
GithubExploit	Exploit for CVE-2025-55752	29 Oct 202508:27	–	githubexploit
GithubExploit	Exploit for Deserialization of Untrusted Data in Apache Tomcat	11 May 202519:50	–	githubexploit
GithubExploit	Exploit for Deserialization of Untrusted Data in Apache Tomcat	22 Mar 202515:16	–	githubexploit
GithubExploit	Exploit for Deserialization of Untrusted Data in Apache Tomcat	12 Jul 202502:40	–	githubexploit
GithubExploit	Exploit for Deserialization of Untrusted Data in Apache Tomcat	27 Apr 202513:50	–	githubexploit
GithubExploit	Exploit for CVE-2025-2783	26 May 202512:51	–	githubexploit
GithubExploit	Exploit for Deserialization of Untrusted Data in Apache Tomcat	10 Dec 202509:53	–	githubexploit

Source	Link
mirrors	www.mirrors.tencent.com/tlinux/errata/tssa-20250225.xml
cve	www.cve.mitre.org/cgi-bin/cvename.cgi

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Tencent Linux Security Advisory TSSA-2025:0225.
##

include('compat.inc');

if (description)
{
  script_id(276259);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/03/11");

  script_cve_id("CVE-2025-24813");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2025/04/22");
  script_xref(name:"IAVA", value:"2025-A-0156-S");

  script_name(english:"TencentOS Server 3: tomcat (TSSA-2025:0225)");

  script_set_attribute(attribute:"synopsis", value:
"The remote TencentOS Server 3 host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The version of Tencent Linux installed on the remote TencentOS Server 3 host is prior to tested version. It is,
therefore, affected by a vulnerability as referenced in the TSSA-2025:0225 advisory.

    Package updates are available for TencentOS Server 3 that fix the following vulnerabilities:

    CVE-2025-24813:
    Path Equivalence: 'file.Name' (Internal Dot) leading toRemote Code Execution and/or Information
    disclosureand/or malicious content added to uploaded files via write enabledDefault Servletin Apache
    Tomcat.

    This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from
    9.0.0.M1 through 9.0.98.

    If all of the following were true, a malicious user was able to view       security sensitive files and/or
    inject content into those files:
    -writes enabled for the default servlet (disabled by default)
    - support for partial PUT (enabled by default)
    - a target URL for security sensitive uploads that was a sub-directory ofa target URL for public uploads
    -attacker knowledge of the names of security sensitive files beinguploaded
    -the security sensitive files also being uploaded via partial PUT

    If all of the following were true, a malicious user was able to       perform remote code execution:
    - writes enabled for the default servlet (disabled by default)
    -support for partial PUT (enabled by default)
    -application was using Tomcat's file based session persistence with thedefault storage location
    -application included a library that may be leveraged in adeserialization attack

    Users are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.98, which fixes the issue.

Tenable has extracted the preceding description block directly from the Tencent Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://mirrors.tencent.com/tlinux/errata/tssa-20250225.xml");
  script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss4_vector", value:"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N");
  script_set_attribute(attribute:"cvss4_threat_vector", value:"CVSS:4.0/E:A");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2025-24813");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Tomcat Partial PUT Java Deserialization');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2025/02/10");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/03/12");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/11/20");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:tencent:tencentos_server:3");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:tencent:tencentos_server:tomcat");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Tencent Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2025-2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/etc/os-release", "Host/TencentOS/rpm-list", "Host/cpu");

  exit(0);
}


include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'TencentOS' >!< os_product) audit(AUDIT_OS_NOT, 'TencentOS');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'TencentOS');
if (! preg(pattern:"^3([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'TencentOS 3.x', 'TencentOS ' + os_version);

if (!get_kb_item('Host/TencentOS/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'TencentOS', cpu);

var constraints = [
  {
    'release': '3',
    'pkgs': [
      {'reference':'tomcat-9.0.87-1.tl3.3', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},
      {'reference':'tomcat-admin-webapps-9.0.87-1.tl3.3', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},
      {'reference':'tomcat-docs-webapp-9.0.87-1.tl3.3', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},
      {'reference':'tomcat-el-3.0-api-9.0.87-1.tl3.3', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},
      {'reference':'tomcat-jsp-2.3-api-9.0.87-1.tl3.3', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},
      {'reference':'tomcat-lib-9.0.87-1.tl3.3', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},
      {'reference':'tomcat-servlet-4.0-api-9.0.87-1.tl3.3', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},
      {'reference':'tomcat-webapps-9.0.87-1.tl3.3', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}

if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'tomcat / tomcat-admin-webapps / tomcat-docs-webapp / etc');
}

11 Mar 2026 00:00Current

7.6High risk

Vulners AI Score7.6

CVSS 3.19.8 - 10

EPSS0.9413

SSVC