module
Tomcat Partial PUT Java Deserialization
| Disclosed | Created |
|---|---|
| 2025-03-10 | 2025-04-03 |
Disclosed
2025-03-10
Created
2025-04-03
Description
This module exploits a Java deserialization vulnerability in Apache
Tomcat's session restoration functionality that can be exploited with a partial HTTP PUT request to
place an attacker controlled deserialization payload in the /webapps/ROOT/ directory.
For the exploit to succeed, writes must be enabled for the default servlet,
and org.apache.catalina.session.PersistentManager must be configured to use
org.apache.catalina.session.FileStore.
Verified working on 10.1.16-1
Tomcat's session restoration functionality that can be exploited with a partial HTTP PUT request to
place an attacker controlled deserialization payload in the /webapps/ROOT/ directory.
For the exploit to succeed, writes must be enabled for the default servlet,
and org.apache.catalina.session.PersistentManager must be configured to use
org.apache.catalina.session.FileStore.
Verified working on 10.1.16-1
Authors
sw0rd1ight
Calum Hutton
h4ck3r-04
Calum Hutton
h4ck3r-04
Platform
Linux,Unix,Windows
Architectures
cmd
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.