There has been a recent string of media-hyped open-source component vulnerabilities in Apache Tomcat over the last several weeks. One of these (CVE-2025-24813) is receiving heightened scrutiny because it is reported as having been exploited in the wild just a few days after a proof-of-concept was released.
In addition to CVE-2025-24813, two other recently disclosed Tomcat vulnerabilities of the same kind are CVE-2024-50379 and CVE-2024-56337.
While Apache Tomcat is shipped in each server component of ArcGIS Enterprise, we have validated that ArcGIS Enterprise is not vulnerable to any of these three issues because ArcGIS Enterprise software does not meet the requirements for exploit.
Specifically, ArcGIS Enterprise does not enable the non-default write operation on the default Tomcat servlet, which is the first requirement for exploiting any of these CVEs. Without explicitly enabling this option, these three CVEs are not exploitable in Apache Tomcat.
A security scanner run against ArcGIS Enterprise may incorrectly flag these issues as a concern. This is because some security scanners only detect the presence of a vulnerable version of Apache Tomcat; however, we have confirmed that Tomcat is not used in a way that would make it vulnerable to these CVEs.
With that said, users who deploy the ArcGIS Web Adaptor for Java using Tomcat should verify in their Tomcat installations whether the non-default write operation on the default servlet is enabled, check whether the PUT method is enabled, and plan to upgrade to an unaffected version of Tomcat.
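The two checks described above can be scripted against Tomcat's `conf/web.xml`. The following is an added example, not Esri's or the Apache Tomcat project's code. It assumes the DefaultServlet is registered under the servlet name `default` with a `readonly` init-param (Tomcat's documented default is `true`, so a missing parameter is treated as write-disabled), and it treats PUT as blocked only when a `security-constraint` names the method with an empty `auth-constraint`; both `web.xml` fragments below are constructed samples, one with the weak setting and one hardened.

```python
"""Inspect a Tomcat conf/web.xml for the DefaultServlet write setting and PUT exposure.

Added example (not Esri's or Apache Tomcat's code). Assumptions:
  - the DefaultServlet is the <servlet> whose <servlet-name> is "default";
  - write support is the init-param "readonly" (Tomcat default: true);
  - PUT counts as blocked only via a <security-constraint> that lists PUT
    and carries an empty <auth-constraint/> (a hypothetical, conservative check).
"""
import xml.etree.ElementTree as ET


def _local(tag: str) -> str:
    """Strip the XML namespace prefix: '{ns}servlet' -> 'servlet'."""
    return tag.rsplit('}', 1)[-1]


def _text(elem) -> str:
    return (elem.text or '').strip()


def default_servlet_write_enabled(web_xml: str) -> bool:
    """Return True when the 'default' servlet has readonly=false (writes enabled)."""
    root = ET.fromstring(web_xml)
    for servlet in root.iter():
        if _local(servlet.tag) != 'servlet':
            continue
        name = next((_text(c) for c in servlet if _local(c.tag) == 'servlet-name'), '')
        if name != 'default':
            continue
        for param in servlet:
            if _local(param.tag) != 'init-param':
                continue
            pname = pval = ''
            for child in param:
                if _local(child.tag) == 'param-name':
                    pname = _text(child)
                elif _local(child.tag) == 'param-value':
                    pval = _text(child)
            if pname == 'readonly':
                return pval.lower() == 'false'
        return False  # readonly not set: Tomcat's default (true) applies
    return False


def put_blocked_by_constraint(web_xml: str) -> bool:
    """Return True if a security-constraint lists PUT with an empty auth-constraint."""
    root = ET.fromstring(web_xml)
    for sc in root.iter():
        if _local(sc.tag) != 'security-constraint':
            continue
        methods = {_text(m) for m in sc.iter() if _local(m.tag) == 'http-method'}
        empty_auth = any(_local(c.tag) == 'auth-constraint' and len(list(c)) == 0 for c in sc)
        if 'PUT' in methods and empty_auth:
            return True
    return False


def assess(web_xml: str) -> dict:
    """Summarise both checks for one web.xml document."""
    return {
        'default_servlet_write_enabled': default_servlet_write_enabled(web_xml),
        'put_blocked': put_blocked_by_constraint(web_xml),
    }


# Constructed sample: the weak configuration (readonly=false, no method constraint).
WEAK_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""

# Constructed sample: the hardened configuration (readonly=true, PUT/DELETE denied).
HARDENED_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>true</param-value></init-param>
  </servlet>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>deny-write-methods</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>PUT</http-method>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>"""


if __name__ == '__main__':
    for label, doc in (('weak', WEAK_WEB_XML), ('hardened', HARDENED_WEB_XML)):
        print(label, assess(doc))
```

Point the script at a real `conf/web.xml` by reading the file into a string and passing it to `assess`; a result of `default_servlet_write_enabled: True` is the setting that makes the three CVEs reachable, and `put_blocked: False` means nothing in `web.xml` itself refuses PUT (other layers, such as a reverse proxy, may still do so, which this check does not see).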
- Esri Software Security & Privacy