Overview
React2Shell (CVE‑2025‑55182) is a critical unauthenticated remote code execution vulnerability in React Server Components that has been added to CISA’s Known Exploited Vulnerabilities catalog. Threat actors abuse the Flight Path protocol and unsafe deserialization to drop web shells, establish reverse shells, and run arbitrary commands on vulnerable servers at scale. This report walks through the full kill chain and shows how Virsec VSP’s Default‑Deny Allow‑On‑Trust technology delivers true patchless mitigation, blocking the exploit before any attacker‑controlled code executes.
- Publication date: December 16, 2025
- Vulnerability ID: CVE‑2025‑55182 (React2Shell)
- Severity level: Critical
- CVSS 10.0, unauthenticated RCE, listed in CISA KEV
1. Vulnerability background and scope
On 10 March 2025, the Apache Tomcat team published a security advisory for CVE‑2025‑24813, a remote code execution flaw affecting Tomcat servers, of which well over 387,000 known instances are deployed worldwide. The issue spans multiple major branches: 11.0.0‑M1 through 11.0.2, 10.1.0‑M1 through 10.1.34, and 9.0.0‑M1 through 9.0.98.
In its guidance, Apache frames the risk as tied to a non‑default configuration: the exploit chain requires both a write‑enabled default servlet and file‑based session persistence in the default directory. On paper, this appears restrictive; in real production environments, however, development teams frequently enable the default servlet to accept file uploads and to serve static assets such as HTML directly from disk. In practice, that means the default servlet often has write access to the file system, turning what looks like an edge case into a realistic attack surface.
2. CISA classification and vendor guidance
CVE‑2025‑24813 was subsequently added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on 1 April 2025, signalling that attackers are actively abusing this Tomcat weakness rather than treating it as a theoretical bug. In the same notice, CISA pointed federal agencies back to Binding Operational Directive (BOD) 22‑01, which obligates them to remediate catalogued KEVs through patching within defined timelines.
To address the flaw, Apache recommends upgrading to fixed releases: Tomcat 11.0.3, 10.1.35, or 9.0.99. These versions correct the RCE condition that exists in earlier builds.
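As an added example (not Virsec's code and not Apache's), a small Python audit that checks the three prerequisites described in section 1 against the affected ranges and fixed releases stated above: the running Tomcat version, a write‑enabled DefaultServlet in conf/web.xml, and file‑based session persistence in context.xml. The XML inputs are constructed samples; the readonly init‑param and the PersistentManager/FileStore class names are Tomcat's standard configuration elements, and the script only reports on the version ranges the advisory lists.

```python
import re
import xml.etree.ElementTree as ET

# Affected range (inclusive) and fixed release per branch, as stated in the advisory.
AFFECTED = {11: ("11.0.0-M1", "11.0.2", "11.0.3"), 10: ("10.1.0-M1", "10.1.34", "10.1.35"),
            9: ("9.0.0-M1", "9.0.98", "9.0.99")}
_local = lambda tag: tag.rsplit("}", 1)[-1]  # strip the namespace Tomcat's web.xml declares

def parse_version(v):
    """'9.0.0-M1' -> (9, 0, 0, 0, 1): milestone flag 0 sorts before the GA build '9.0.0'."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?", v.strip())
    if not m: raise ValueError(f"unrecognised Tomcat version: {v!r}")
    major, minor, patch, ms = m.groups()
    return (int(major), int(minor), int(patch), 0 if ms else 1, int(ms or 0))

def is_affected_version(v):
    """True only inside the ranges listed above; nothing is claimed about other branches."""
    rng = AFFECTED.get((t := parse_version(v))[0])
    return bool(rng) and parse_version(rng[0]) <= t <= parse_version(rng[1])

def default_servlet_writable(web_xml):
    """True if conf/web.xml sets readonly=false on DefaultServlet (Tomcat's default is true)."""
    for servlet in ET.fromstring(web_xml).iter():
        fields = {_local(c.tag): (c.text or "").strip() for c in servlet}
        if _local(servlet.tag) != "servlet" or fields.get("servlet-class") != "org.apache.catalina.servlets.DefaultServlet":
            continue
        params = [{_local(c.tag): (c.text or "").strip() for c in p}
                  for p in servlet if _local(p.tag) == "init-param"]
        return any(p.get("param-name") == "readonly" and p.get("param-value", "").lower() == "false"
                   for p in params)
    return False

def file_session_persistence(context_xml):
    """True if context.xml pairs PersistentManager with a FileStore (sessions written to disk)."""
    return any(s.get("className") == "org.apache.catalina.session.FileStore"
               for m in ET.fromstring(context_xml).iter("Manager")
               if m.get("className") == "org.apache.catalina.session.PersistentManager"
               for s in m.iter("Store"))

def assess(version, web_xml, context_xml):
    v, w, f = is_affected_version(version), default_servlet_writable(web_xml), file_session_persistence(context_xml)
    return {"affected_version": v, "writable_default_servlet": w, "file_session_store": f,
            "exploitable": v and w and f,  # the chain in the text needs all three prerequisites
            "upgrade_to": AFFECTED[parse_version(version)[0]][2] if v else None}
# Constructed sample inputs (not taken from any real deployment) showing the risky settings.
WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee"><servlet><servlet-name>default</servlet-name>
<servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
<init-param><param-name>readonly</param-name><param-value>false</param-value></init-param></servlet></web-app>"""
CONTEXT_XML = """<Context><Manager className="org.apache.catalina.session.PersistentManager">
<Store className="org.apache.catalina.session.FileStore"/></Manager></Context>"""
```

Running assess("9.0.98", WEB_XML, CONTEXT_XML) flags all three prerequisites and points at 9.0.99; flipping readonly back to true, removing the FileStore, or moving to a fixed release each clears the verdict.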
3. Timeline and potential window of exposure
The affected Tomcat branches have been available for years, which significantly stretches the possible exploitation window:
- Tomcat 9.0.0‑M1 was introduced on 22 September 2017.
- Tomcat 10.0.0‑M1 followed on 13 February 2020.
- Tomcat 11.0.0‑M1 appeared on 1 December 2022.
Given that patches only arrived in March 2025, vulnerable code has likely been present in production stacks for a long period. It is therefore plausible that this issue has been silently exploited well before the public advisory and the release of fixed versions.
4. Tool Shell kill chain for CVE‑2025‑24813
The attack pattern often referred to as “Tool Shell” can be described as a multi‑step kill chain against Tomcat:
- Target validation (Steps 1–2): The adversary probes exposed Tomcat instances to confirm they are running affected versions and that the prerequisite configuration is in place.
- Session priming (Step 3): The attacker prepares a crafted session identifier file intended to be written to the server, effectively setting up a future rogue session.
- Abuse of the CVE (Steps 4–5): Using CVE‑2025‑24813, the threat actor forces Tomcat to store the malicious session file in the session persistence directory, giving the attacker a foothold that appears legitimate.
- Rogue session activation (Step 6): A request is sent to Tomcat referencing the planted session ID together with a specially constructed serialized payload. Because the payload is embedded in a session context, it can evade many Web Application Firewalls.
- Execution of serialized code (Step 8): Tomcat loads and runs the serialized object, which is often implemented as a bind shell or similar remote access tool.
- Remote operations (Step 10): Once the bind shell is available, the attacker gains interactive control and can carry out arbitrary operations on the server, including data theft, lateral movement, or further destructive actions.
In demonstrations of this scenario, Virsec’s Protection Engines intercept the attack before the web shell can be installed or sensitive material such as machine keys can be accessed. Detection and prevention are handled by OTTOGUARD.AI using these engines, without relying on short‑lived Indicators of Compromise. Instead, the system applies a Default‑Deny Allow‑On‑Trust model that blocks code paths and payloads that have not been explicitly established as trusted, enabling patchless mitigation for this actively exploited Tomcat vulnerability.
5. Defining a true patchless mitigation solution
To qualify as genuine patchless mitigation rather than simple prioritization or best‑effort hardening, a solution must satisfy several criteria:
- Equivalent to patch‑level protection: A software patch is meant to close the underlying flaw, resulting in zero dwell time for the exploit. Patchless mitigation should meet the same standard by preventing attackers from executing even a single instruction of their chosen payload.
- Not constrained by “reachability” assumptions: Security cannot assume that certain parts of the infrastructure are unreachable. A determined adversary can phish legitimate users, pivot inside the environment, and eventually reach almost any internal system.
- Not dismissed on “exploitability” grounds: Downplaying a vulnerability because it seems hard to exploit underestimates skilled threat actors driven by profit, ideology, or opportunistic gain. A serious, motivated attacker can and will chain conditions together.
- Independent of IOCs and brittle threat intel: Reliance on IP addresses, file names, hashes, or fragile byte patterns encourages a game of whack‑a‑mole. Minor code changes or new infrastructure allow the attacker to bypass such controls while the underlying weakness remains.
- Scales without forcing bad trade‑offs: Many environments face huge vulnerability backlogs. While prioritization can aid workflow, the protection layer itself should not force organizations to accept exposure simply because there are too many issues to handle manually. Attackers look for any gap that remains unprotected.
6. Why OTTOGUARD.AI fits these requirements
OTTOGUARD.AI is designed to meet the above definition of patchless mitigation across a range of scenarios:
- It continues to protect even when a vulnerability is still a zero‑day, known only to a small group and not yet disclosed to the affected vendor.
- It provides coverage when a vendor patch has not yet been created, recognizing that root‑cause analysis, development, testing, and distribution all take time.
- It maintains mitigation when a patch exists but has not been rolled out, whether due to lack of awareness, resource constraints, or the business impact of downtime.
- It remains effective even if the official fix is flawed or incomplete, as was the case with Log4J, which required multiple patch iterations before the library was robustly secured.
- It still protects when applications reach end of life and no further patches are planned, a common reality for business‑critical systems that have been in service for decades.
- It does not depend on the availability or completeness of published IOCs; protection is not tied to knowing every hash, IP, or signature in advance.
- It withstands changes in exploit code, as even trivial modifications to the implementation generate different hashes and can easily evade security tools that only track known artifacts.
We expect CISOs to increase information security spending and invest in innovative technologies in an attempt to close workforce gaps while keeping pace with the sophistication of new, advanced AI-powered security threats.
7. Outcome and next steps
Taken together, these capabilities allow OTTOGUARD.AI to act as a true patchless mitigation layer for CVE‑2025‑24813 and similar high‑impact vulnerabilities. In practice, deployments typically see material reductions in effective risk—often on the order of 90% or more—with especially strong coverage for issues rated Critical or High on CVSS scales. Organizations can achieve this without:
- Taking production Tomcat servers offline.
- Rushing untested patches into sensitive environments.
- Accepting the possibility that fixes could break application functionality.
- Relying on patches that may still leave exploitable gaps.
For teams facing a continuously growing wave of vulnerabilities, this approach offers a way to materially lower risk while maintaining operational continuity. To explore how OTTOGUARD.AI can be applied in your environment or to request a live demonstration, contact Virsec via www.virsec.com.