A newly disclosed security vulnerability in Apache Tomcat has come under active exploitation in the wild following the release of a public proof-of-concept (PoC), just 30 hours after disclosure.
The vulnerability, tracked as CVE-2025-24813, affects the following versions:
Apache Tomcat 11.0.0-M1 to 11.0.2
Apache Tomcat 10.1.0-M1 to 10.1.34
Apache Tomcat 9.0.0-M1 to 9.0.98
It pertains to a
