CRITICAL: Apache Tomcat RCE Vulnerability Actively Exploited — Patch Within Hours, Not Days
CVE-2026-42071 (CVSS 9.8) in Apache Tomcat allows unauthenticated RCE via partial PUT request handling. It was actively exploited 30 hours after disclosure, and CISA has added it to the KEV catalog. Patch immediately.
If you needed a reminder that attackers move faster than ever, Apache Tomcat just provided one. A critical remote code execution vulnerability disclosed on March 10th was being actively exploited in the wild within 30 hours. By the time most organizations finished their morning coffee on March 12th, threat actors had already weaponized CVE-2026-42071 and begun deploying web shells on vulnerable servers worldwide.
The vulnerability carries a CVSS score of 9.8, which is about as bad as it gets. An unauthenticated attacker can upload malicious JSP files and achieve complete server compromise through a flaw in how Tomcat handles partial PUT requests. No credentials required. No user interaction needed. Just a carefully crafted HTTP request aimed at your server, and suddenly someone else is running code with the privileges of your Tomcat process.
The technical details reveal an elegant exploitation chain. When a PUT request is interrupted or sent incompletely, Tomcat stores the partial content in a temporary file but fails to properly clean up or validate subsequent requests targeting that content. An attacker exploits this by sending a partial PUT request to create a session-associated temporary file, then follows up with a second request that tricks Tomcat into writing malicious content with a .jsp extension. Once that JSP file exists in the webroot, accessing it via HTTP triggers server-side execution. Game over.
The attack surface here is genuinely massive. Apache Tomcat powers an estimated 30 percent of Java-based web applications globally. We are talking about enterprise portals, backend APIs, internal tools, and countless production systems that organizations depend on every day. Shodan queries show over 400,000 Tomcat instances directly exposed to the internet, each one a potential target for attackers who now have a working exploit and the motivation to use it.
CISA wasted no time adding CVE-2026-42071 to its Known Exploited Vulnerabilities catalog on March 15th, which is government-speak for confirmed active exploitation requiring immediate action. Federal agencies have until the end of the month to patch, but private organizations should not take that as permission to wait. When proof-of-concept code hits GitHub within 24 hours of disclosure and mass exploitation begins within 72 hours, traditional patching timelines become a liability.
Security researchers tracking the campaign have identified multiple IP addresses actively scanning for vulnerable Tomcat installations. The attackers are moving quickly and efficiently, deploying web shells with generic names like cmd.jsp, shell.jsp, and config.jsp within minutes of successful exploitation. The observed attack pattern is consistent across incidents, suggesting either a single well-organized threat actor or multiple groups working from the same publicly available exploit code.
The affected versions span three major Tomcat branches. Organizations running Tomcat 11.0.0 through 11.0.4 need to upgrade to 11.0.5. Those on Tomcat 10.1.0 through 10.1.38 should move to 10.1.39. And anyone still running Tomcat 9.0.0 through 9.0.101 needs version 9.0.102. The patches are available, tested, and ready to deploy. The only question is whether your organization will apply them before or after someone else finds your vulnerable servers.
The vulnerability is exploitable when the DefaultServlet is enabled, which happens to be the default configuration on most Tomcat installations. It also requires writes to be allowed, either through the DefaultServlet's readonly parameter being set to false in web.xml or through the default PUT method handling being left enabled. Many production deployments check one or both of these boxes without administrators realizing the security implications.
For organizations that cannot patch immediately, there are workarounds, though none are as reliable as applying the actual fix. Disabling PUT method handling entirely at the Connector level eliminates the attack vector but will break any applications that legitimately rely on PUT requests. Setting the DefaultServlet's readonly parameter to true in web.xml provides some protection. Implementing WAF rules to block partial PUT requests to JSP-capable directories can help, though sophisticated attackers may find ways to evade signature-based detection.
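The web.xml precondition and the readonly workaround above, as an added example in Python (not code from the advisory or the Tomcat project): it reports whether a web.xml leaves the DefaultServlet writable and rewrites a readonly=false setting to true. The sample web.xml is constructed; the function and helper names are mine.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like the DefaultServlet entry in Tomcat's conf/web.xml,
# with the weak setting applied; real files carry a javaee or jakartaee namespace.
SAMPLE_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
</web-app>
"""

def _local(tag):
    # drop the namespace so one check works for javaee and jakartaee files
    return tag.rsplit('}', 1)[-1]

def _child_text(elem, name):
    for c in elem:
        if _local(c.tag) == name:
            return (c.text or '').strip()
    return ''

def _readonly_value_elem(root):
    # <param-value> of the DefaultServlet's readonly init-param, or None if absent
    for servlet in root.iter():
        if _local(servlet.tag) != 'servlet' or not _child_text(servlet, 'servlet-class').endswith('DefaultServlet'):
            continue
        for param in servlet:
            if _local(param.tag) == 'init-param' and _child_text(param, 'param-name') == 'readonly':
                return next((c for c in param if _local(c.tag) == 'param-value'), None)
    return None

def default_servlet_readonly(xml_text):
    """True when the DefaultServlet rejects PUT/DELETE; Tomcat defaults to readonly=true."""
    elem = _readonly_value_elem(ET.fromstring(xml_text))
    return elem is None or (elem.text or '').strip().lower() != 'false'

def harden(xml_text):
    """Return web.xml text with a readonly=false on the DefaultServlet flipped to true."""
    root = ET.fromstring(xml_text)
    if root.tag.startswith('{'):  # keep the default namespace unprefixed in the output
        ET.register_namespace('', root.tag[1:].split('}', 1)[0])
    elem = _readonly_value_elem(root)
    if elem is not None:
        elem.text = 'true'
    return ET.tostring(root, encoding='unicode')
```

Run default_servlet_readonly over conf/web.xml and every deployed application's WEB-INF/web.xml, since an application can override the global setting.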
The speed of weaponization here deserves attention. From initial disclosure to mass exploitation in less than three days is fast even by modern standards. It suggests that attackers are closely monitoring security advisories and patch releases, reverse-engineering fixes to understand the underlying vulnerabilities, and developing exploits with unprecedented efficiency. The days when organizations had weeks or months to respond to critical vulnerability disclosures are definitively over.
If you manage Tomcat infrastructure, the action items are clear. Patch to the fixed versions immediately. If patching requires a maintenance window, implement the workarounds in the meantime. Hunt through your webroots for unexpected JSP files created after March 10th. Monitor your logs for PUT requests to unusual paths, especially those returning 201 status codes indicating successful resource creation. And assume that any internet-exposed Tomcat server running a vulnerable version has already been probed, if not actively compromised.
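The log monitoring step above, as an added example in Python (not from the advisory or the Tomcat project): it parses access-log lines in the AccessLogValve "common" pattern, flags every PUT (highest when Tomcat answered 201), and raises any later request to a path a PUT created, which is the pattern of an uploaded JSP being used. The log lines are constructed, not captured from an incident.

```python
import re

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')

# Constructed sample: a benign GET, a rejected PUT, a PUT that creates a JSP, then
# a request to that JSP. Format is Tomcat's "common" pattern: %h %l %u %t "%r" %s %b
SAMPLE_LOG = """\
198.51.100.4 - - [12/Mar/2026:08:13:50 +0000] "GET /docs/index.html HTTP/1.1" 200 1843
203.0.113.7 - - [12/Mar/2026:08:14:01 +0000] "PUT /docs/upload.tmp HTTP/1.1" 400 -
203.0.113.7 - - [12/Mar/2026:08:14:02 +0000] "PUT /docs/config.jsp HTTP/1.1" 201 -
203.0.113.7 - - [12/Mar/2026:08:14:09 +0000] "GET /docs/config.jsp?cmd=id HTTP/1.1" 200 312
"""

def parse(line):
    """Parse one 'common' pattern line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    host, ts, method, target, status, _size = m.groups()
    path = target.split('?', 1)[0]  # drop the query string so shell.jsp?x=.. still matches
    return {'host': host, 'ts': ts, 'method': method, 'path': path, 'status': int(status)}

def triage(log_text):
    """Return (severity, reason, entry) findings in log order.

    A PUT answered with 201 means Tomcat created the resource; any later request to
    that same path is the strongest signal that the uploaded file is being executed.
    """
    findings, created = [], set()
    for line in log_text.splitlines():
        e = parse(line)
        if e is None:
            continue
        if e['method'] == 'PUT':
            if e['status'] == 201:
                created.add(e['path'])
                findings.append(('high', 'PUT created a resource (201)', e))
            elif e['path'].lower().endswith('.jsp'):
                findings.append(('high', 'PUT targeting a JSP path', e))
            else:
                findings.append(('medium', 'PUT request observed', e))
        elif e['path'] in created:
            findings.append(('critical', 'request to a PUT-created path', e))
    return findings

if __name__ == '__main__':
    for sev, why, e in triage(SAMPLE_LOG):
        print(f"{sev:8} {e['host']} {e['method']} {e['path']} {e['status']}  {why}")
```

Pair the log findings with a file-system sweep of the webroot for .jsp files whose modification time falls after the disclosure date, since a PUT that predates log retention leaves only the file behind.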
Apache Tomcat has been a reliable workhorse for Java web applications for over two decades. That reliability has bred a certain complacency in how organizations approach its security. CVE-2026-42071 is a harsh reminder that even mature, well-understood software can harbor critical vulnerabilities, and that the window between disclosure and exploitation has shrunk to the point where patching is no longer something you schedule for next week. It is something you do today, preferably before lunch.
References
- Apache Tomcat Security Advisory
https://lists.apache.org/thread/tomcat-cve-2026-42071
- CISA Known Exploited Vulnerabilities Catalog
https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- NVD - CVE-2026-42071
https://nvd.nist.gov/vuln/detail/CVE-2026-42071