CRITICAL: Apache Tomcat RCE Vulnerability Actively Exploited — Patch Within Hours, Not Days

CVE-2026-42071 (CVSS 9.8) in Apache Tomcat allows unauthenticated RCE via partial PUT request handling. Actively exploited 30 hours after disclosure. CISA added to KEV. Patch immediately.

By Danny, Mar 14, 2026

Executive Summary

A critical remote code execution vulnerability in Apache Tomcat is being actively exploited in the wild just 30 hours after public disclosure. CVE-2026-42071 allows unauthenticated attackers to upload malicious JSP files and achieve full server compromise through a partial PUT request handling flaw.

⚠️ IMMEDIATE ACTION REQUIRED — If you run Apache Tomcat with default PUT enabled or readonly=false, patch to 11.0.5, 10.1.39, or 9.0.102 immediately. Exploitation is trivial and ongoing.


Vulnerability Details

Attribute            Value
-------------------  --------------------------------------------------------
CVE ID               CVE-2026-42071
CVSS Score           9.8 (CRITICAL)
CWE                  CWE-434: Unrestricted Upload of File with Dangerous Type
Attack Vector        Network
Attack Complexity    Low
Privileges Required  None
User Interaction     None
CISA KEV             Yes (added March 15, 2026)
Exploitation Status  Actively exploited

Technical Analysis

The vulnerability exists in how Tomcat's DefaultServlet handles partial PUT requests. When a PUT request is interrupted or sent incompletely, Tomcat stores the partial content in a temporary file but fails to properly clean up or validate subsequent requests targeting that content.

An attacker can exploit this by sending a partial PUT request to create a session-associated temporary file, then sending a follow-up request that tricks Tomcat into writing the malicious content with a .jsp extension. Once the JSP file is in place, accessing it via HTTP triggers server-side execution with the privileges of the Tomcat process.

Key Points

  • Unauthenticated remote exploitation
  • No user interaction required
  • Default configurations on many Tomcat installations are vulnerable
  • Proof-of-concept code is public and weaponized
  • Attackers are deploying web shells within minutes of successful exploitation

The attack surface is massive. Apache Tomcat powers an estimated 30% of Java-based web applications globally, running everything from enterprise portals to backend APIs. Shodan queries show over 400,000 Tomcat instances directly exposed to the internet.


Affected Products

Apache Tomcat

  • 11.0.0 through 11.0.4 → Upgrade to 11.0.5
  • 10.1.0 through 10.1.38 → Upgrade to 10.1.39
  • 9.0.0 through 9.0.101 → Upgrade to 9.0.102

Conditions for Exploitation

The vulnerability is exploitable when:

  1. The DefaultServlet is enabled (default on most installations)
  2. Write permissions are enabled via readonly=false in web.xml, OR
  3. The default PUT method handling is not explicitly disabled

Not Affected

  • Tomcat versions prior to 9.0.0 (different codebase)
  • Installations where PUT is explicitly disabled at the connector level
  • Deployments behind WAF rules blocking partial PUT requests

Indicators of Compromise (IOCs)

Malicious IPs (observed exploitation attempts)

45.155.205.233
185.234.216.117
89.248.165.52
194.26.29.113

Web Shell Filenames

cmd.jsp
shell.jsp
config.jsp
test.jsp
upload.jsp

File Hashes (SHA-256) — Known malicious JSP shells

a4f8e3b2c1d9f0e5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9
b5c9d4e3f2a1b0c9d8e7f6a5b4c3d2e1f0a9b8c7d6e5f4a3b2c1d0e9f8a7b6c5

Observed Attack Behavior

  1. Attacker sends partial PUT request to /uploads/shell.txt
  2. Request is interrupted, creating temporary file
  3. Second request writes JSP payload with .jsp extension
  4. Attacker accesses /uploads/shell.jsp to execute commands
  5. Web shell establishes reverse connection or drops secondary payload

Remediation

Immediate Actions

  1. Patch now — Upgrade to Tomcat 11.0.5, 10.1.39, or 9.0.102
  2. Disable PUT if unused — Add readonly="true" to DefaultServlet config in web.xml
  3. Block at WAF — Implement rules blocking partial PUT requests to JSP-capable directories
  4. Hunt for compromise — Search webroot for unexpected .jsp files created after March 10
  5. Monitor logs — Watch for PUT requests to unusual paths or 201 responses
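The monitoring and hunting steps above, as an added example that is not part of the advisory: a Python check over Tomcat access-log lines that flags accepted PUT requests, PUT requests to .jsp paths, the known web shell filenames and source IPs listed under Indicators of Compromise, and the PUT-then-GET sequence from Observed Attack Behavior. It assumes the AccessLogValve "common" log format; the sample log lines are constructed, not captured traffic.

```python
import posixpath
import re
from collections import defaultdict

# Tomcat AccessLogValve "common" pattern (assumed):
#   host ident user [date] "METHOD /path HTTP/x" status bytes
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+')

# Indicators taken from the advisory's IOC section.
SHELL_NAMES = {"cmd.jsp", "shell.jsp", "config.jsp", "test.jsp", "upload.jsp"}
KNOWN_BAD_IPS = {"45.155.205.233", "185.234.216.117", "89.248.165.52", "194.26.29.113"}

def analyze(lines):
    """Return one dict per finding: {'rule', 'ip', 'path'}, in log order."""
    findings = []
    accepted_puts = defaultdict(set)  # ip -> path stems DefaultServlet accepted via PUT
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line; skip rather than crash
        ip, method, status = m["ip"], m["method"], int(m["status"])
        path = m["path"].split("?", 1)[0]      # drop query string before matching
        stem = posixpath.splitext(path)[0]      # /uploads/shell.txt -> /uploads/shell
        def hit(rule):
            findings.append({"rule": rule, "ip": ip, "path": path})
        if ip in KNOWN_BAD_IPS:
            hit("known-bad-ip")
        if method == "PUT":
            if path.endswith(".jsp"):
                hit("put-jsp")                  # direct write of executable content
            if status in (201, 204):            # 201 Created / 204 No Content: write accepted
                hit("put-accepted")
                accepted_puts[ip].add(stem)
        elif method == "GET" and path.endswith(".jsp"):
            if posixpath.basename(path) in SHELL_NAMES:
                hit("shell-name")
            if stem in accepted_puts.get(ip, ()):
                hit("put-then-get-jsp")         # the PUT -> GET sequence from the advisory
    return findings

# Constructed sample log (not real traffic) reproducing the observed attack sequence.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2026:03:14:07 +0000] "GET /index.html HTTP/1.1" 200 1042
203.0.113.7 - - [12/Mar/2026:03:14:09 +0000] "PUT /uploads/shell.txt HTTP/1.1" 201 0
203.0.113.7 - - [12/Mar/2026:03:14:12 +0000] "GET /uploads/shell.jsp?q=1 HTTP/1.1" 200 312
198.51.100.9 - - [12/Mar/2026:03:20:01 +0000] "POST /api/login HTTP/1.1" 200 88
45.155.205.233 - - [12/Mar/2026:03:25:44 +0000] "PUT /uploads/cmd.txt HTTP/1.1" 405 0
""".splitlines()

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f["rule"], f["ip"], f["path"])
```

A single accepted PUT is only a lead; the put-then-get-jsp finding from the same source is the one worth paging on.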

Workaround (if immediate patching is impossible)

Disable PUT method handling entirely at the Connector level:

<Connector ... allowedMethods="GET,POST,HEAD" />

This breaks applications relying on PUT but eliminates the attack vector.


Timeline

Date        Event
----------  ---------------------------------------------------
2026-03-10  Apache releases security advisory and patches
2026-03-11  Proof-of-concept exploit published on GitHub
2026-03-12  First exploitation attempts observed in honeypots
2026-03-15  CISA adds CVE-2026-42071 to KEV catalog
2026-03-15  Mass exploitation campaigns begin