Security Advisory: Potential Tomcat RCE Vulnerability (CVE-2025-24813)
Date: 18. 03. 2025
Severity: 6.3 (High)
Affected versions: All midPoint versions prior to 4.8.7, 4.9.2
Fixed in versions: 4.8.7, 4.9.2
Description
An attacker may exploit vulnerability CVE-2025-24813 if writes for the default servlet are enabled (this is disabled by default in midPoint).
The attacker may inject content into files uploaded using Tomcat (midPoint uses Wicket upload instead of Tomcat) and may attempt a deserialization attack using file-based session persistence.
Severity and Impact
This is a high-severity issue.
The attacker may be able to create or modify Tomcat uploads on midPoint servers when a custom Tomcat configuration is used.
Mitigation
Users of affected midPoint versions are advised to upgrade their deployments to the latest maintenance releases.
If that is not possible, verify that your Tomcat configuration override does not enable writes for the default servlet.
This is usually achieved by modifying application.yml.
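The verification step above, as an added example that is not midPoint's own tooling or part of this advisory: it assumes a standard Tomcat conf/web.xml and context.xml pair rather than midPoint's application.yml override (whose keys are not modeled here), and flags the two conditions the advisory names, namely the DefaultServlet "readonly" init-param set to false (Tomcat's default is true, so a missing parameter counts as safe) and a PersistentManager backed by FileStore, which is Tomcat's file-based session persistence. The sample configurations are constructed.

```python
import xml.etree.ElementTree as ET

# Fully qualified Tomcat class names the audit looks for (real Tomcat classes).
DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"
PERSISTENT_MANAGER = "org.apache.catalina.session.PersistentManager"
FILE_STORE = "org.apache.catalina.session.FileStore"

# Constructed sample: web.xml that turns on writes for the default servlet.
WEB_XML_WRITABLE = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""

# Constructed sample: web.xml with the shipped default (readonly not overridden).
WEB_XML_DEFAULT = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>listings</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""

# Constructed sample: context.xml enabling file-based session persistence.
CONTEXT_XML_FILESTORE = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore"/>
  </Manager>
</Context>"""

# Constructed sample: context.xml without a persistent session store.
CONTEXT_XML_DEFAULT = """<Context><WatchedResource>WEB-INF/web.xml</WatchedResource></Context>"""


def _local(tag):
    """Strip the XML namespace so the check works for javaee and jakartaee web.xml alike."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _text(elem, name):
    for c in _children(elem, name):
        return (c.text or "").strip()
    return ""


def default_servlet_writable(web_xml):
    """True when a DefaultServlet declaration sets init-param readonly=false."""
    root = ET.fromstring(web_xml)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        if _text(servlet, "servlet-class") != DEFAULT_SERVLET:
            continue
        for param in _children(servlet, "init-param"):
            if (_text(param, "param-name") == "readonly"
                    and _text(param, "param-value").lower() == "false"):
                return True
    return False


def file_session_persistence(context_xml):
    """True when context.xml configures PersistentManager with a FileStore."""
    root = ET.fromstring(context_xml)
    for manager in root.iter("Manager"):
        if manager.get("className") != PERSISTENT_MANAGER:
            continue
        for store in manager.findall("Store"):
            if store.get("className") == FILE_STORE:
                return True
    return False


def audit(web_xml, context_xml):
    """Return a list of findings; an empty list means neither risky setting is present."""
    findings = []
    if default_servlet_writable(web_xml):
        findings.append("DefaultServlet readonly=false: default servlet accepts writes")
    if file_session_persistence(context_xml):
        findings.append("PersistentManager with FileStore: file-based session persistence enabled")
    return findings


if __name__ == "__main__":
    for name, (w, c) in {"risky": (WEB_XML_WRITABLE, CONTEXT_XML_FILESTORE),
                         "default": (WEB_XML_DEFAULT, CONTEXT_XML_DEFAULT)}.items():
        print(name, audit(w, c) or ["no findings"])
```

To run it against a real deployment, read the two files from the Tomcat conf directory (or the context.xml shipped inside the application) and pass their contents to audit(); any finding means the override should be reverted before relying on the mitigation.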