Category

WAF evaluation

Category
WallarmWAF evaluation
In API Security

One PUT Request to Own Tomcat: CVE-2025-24813 RCE is in the Wild

2 Mins Read

A devastating new remote code execution (RCE) vulnerability, CVE-2025-24813, is now actively exploited in the wild. Attackers need just one PUT API request to take over vulnerable Apache Tomcat servers. The exploit, originally published by a Chinese forum user iSee857, is already available online: CVE-2025-24813 PoC by iSee857.

Exploit Breakdown: How a Simple PUT Request Leads to Full RCE

This attack leverages Tomcat’s default session persistence mechanism along with its support for partial PUT requests. The exploit works in two steps:

Read More
In DevOps

Test and evaluate your WAF and API before hackers

7 Mins Read

Since 1991, Web Application Firewall, commonly referred to as WAF, has become one of the most common application security technologies available on the market. Since the last century, WAFs have evolved by incorporating the cloud and using Machine Learning instead of RegExp. Currently, few technologies, such as NG-WAF, RASP, WAAP, and a few others, have internal WAF capabilities, which prevent web applications and API threats. Majority of the fintech, health tech, and e-commerce companies have…

Read More
In API Security

New text2shell RCE vulnerability in Apache Common Texts CVE-2022-42889

1 Min Read

Yet another RCE with a CVSS score of 9.8 out of 10 was disclosed a few hours ago. This issue looks like the same Log4shell and it seems even more dangerous since Common Texts are used more broadly. The Apache Foundation published a vulnerability in the Apache Commons Text project code and published a message to this effect in the project’s mailing list on October 13th, an official date of birth of Text4Shell vulnerability. This…

Read More
grammarly
In Researcher Corner

Grammarly fixed XSS vulnerability that bypasses AWS WAF

2 Mins Read

Grammarly is the unicorn company that announced its open bug bounty program last September. Since that time, many security researchers posted their submissions and got paid well. Some of Grammarly’s issues are also useful for others. Like the recent XSS, that also bypasses an AWS WAF. The recent XSS report is a bit different among others. First of all, it was submitted by Frans Rosen, one of the top HackerOne hackers. He is the 6th…

Read More