CVE-2017-12615 — Apache Tomcat on Windows Remote Code Execution Vulnerability

CVE-2017-12615

Apache Tomcat — HTTP PUT with Trailing Slash Uploads JSP Web Shell on Windows; Ransomware Delivery; Patched September 2017; Companion CVE-2017-12617 (All Platforms)

What Is Apache Tomcat?

Apache Tomcat is the most widely deployed Java web application server in the world, used by enterprises, cloud providers, and developers to run Java Servlet and JSP applications. Tomcat's DefaultServlet handles HTTP requests for static files and can optionally allow file uploads via HTTP PUT. CVE-2017-12615 exploits a Windows-specific quirk in how Tomcat handles PUT requests with trailing slashes to upload JSP web shells — providing immediate remote code execution on any Tomcat deployment where HTTP PUT is enabled on Windows.

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on March 25, 2022. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2017-12615 is a remote code execution vulnerability in Apache Tomcat on Windows caused by improper handling of HTTP PUT requests with trailing path characters. When the DefaultServlet is configured with write permissions enabled, an attacker can upload a JSP file by including a trailing / or %20 in the PUT request URL — bypassing Tomcat's file extension checks. The uploaded JSP is immediately accessible via HTTP and executes in the Tomcat JVM when requested. Fixed in Apache Tomcat 7.0.81. The companion vulnerability CVE-2017-12617 extends JSP upload to all platforms. CISA added CVE-2017-12615 to the KEV catalog in March 2022 reflecting confirmed ransomware use.

Affected Versions

Tomcat Version                                        Status
Apache Tomcat 7.0.0 through 7.0.79 (Windows only)     Vulnerable
Apache Tomcat 7.0.81 and later                        Fixed

Note: HTTP PUT must be enabled via readonly=false in the DefaultServlet configuration. While not the default in stock Tomcat, many enterprise configurations and deployment guides enable it.

Technical Details

Root Cause: Windows Trailing Slash Bypass in HTTP PUT Handler

CVE-2017-12615 is an unrestricted upload vulnerability (CWE-434) in Apache Tomcat's DefaultServlet. The attack exploits a Windows filesystem behavior:

  1. HTTP PUT enabled: the Tomcat DefaultServlet is configured with readonly=false, so it accepts HTTP PUT requests
  2. Extension bypass: Tomcat rejects PUT requests whose path ends in .jsp so that JSP files cannotot be uploaded; on Windows, however, a PUT to /shell.jsp/ (trailing slash) or /shell.jsp%20 (URL-encoded trailing space) does not match that check and is handled by the DefaultServlet, which writes the file
  3. Windows normalises the filename: the Windows filesystem strips the trailing slash or space, so the file is created on disk as shell.jsp
  4. JSP execution: a subsequent GET request to /shell.jsp causes Tomcat to compile and execute the JSP, giving the attacker code execution inside the Tomcat JVM

Exploitation simplicity: The attack requires only two HTTP requests — one PUT to upload the shell, one GET to execute it. Tools like curl can execute the exploit in seconds once the target is identified.
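The two-request pattern described above leaves a recognisable trace in the Tomcat access log: a PUT whose path ends in ".jsp/" or ".jsp%20", followed by a GET to the same path without the trailing character. The following detector is an added example written for this page, not code from the Apache Tomcat project; it assumes the AccessLogValve "common" pattern and runs over constructed sample lines.

```python
import re
from urllib.parse import unquote

# Matches Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

def strip_trailing(path):
    """Decode the URL path and remove the trailing '/' or space that
    Windows discards when the file is created (the CVE-2017-12615 bypass)."""
    decoded = unquote(path.split("?", 1)[0])
    return decoded, decoded.rstrip("/ ")

def is_jsp_put_bypass(method, path):
    """True for a PUT whose path is a .jsp/.jspx name plus a trailing char."""
    decoded, stripped = strip_trailing(path)
    return (method == "PUT" and stripped != decoded
            and stripped.lower().endswith((".jsp", ".jspx")))

def find_shell_uploads(lines):
    """Scan access-log lines in order. Return one dict per suspicious PUT,
    noting whether the same client later requested the stripped .jsp path
    (upload followed by execution)."""
    findings = []
    parsed = [m.groupdict() for m in map(LOG_RE.match, lines) if m]
    for i, rec in enumerate(parsed):
        if not is_jsp_put_bypass(rec["method"], rec["path"]):
            continue
        _, target = strip_trailing(rec["path"])
        executed = any(
            later["method"] == "GET" and later["host"] == rec["host"]
            and strip_trailing(later["path"])[1] == target
            for later in parsed[i + 1:]
        )
        findings.append({"host": rec["host"], "target": target,
                         "status": rec["status"], "executed": executed})
    return findings

# Constructed sample lines (not real traffic) illustrating the two-request pattern.
SAMPLE_LOG = [
    '203.0.113.7 - - [21/Sep/2017:10:01:02 +0000] "PUT /shell.jsp/ HTTP/1.1" 201 -',
    '203.0.113.7 - - [21/Sep/2017:10:01:05 +0000] "GET /shell.jsp HTTP/1.1" 200 83',
    '198.51.100.9 - - [21/Sep/2017:10:02:00 +0000] "PUT /report.pdf HTTP/1.1" 201 -',
    '198.51.100.9 - - [21/Sep/2017:10:03:00 +0000] "PUT /x.jsp%20 HTTP/1.1" 201 -',
]

if __name__ == "__main__":
    for finding in find_shell_uploads(SAMPLE_LOG):
        print(finding)
```

A 201 status on the PUT confirms the DefaultServlet accepted the write; an "executed" finding means the uploaded JSP was also requested and should be treated as a live web shell.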

Attack Characteristics

Attribute          Detail
Attack Vector      Network — HTTP PUT to Tomcat DefaultServlet
Authentication     None required (if PUT is publicly accessible)
Platform           Windows only (CVE-2017-12617 covers all platforms)
Payload            JSP web shell → arbitrary Java code execution
Ransomware         Confirmed — used for ransomware delivery

Discovery

Discovered and published alongside the Tomcat 7.0.81 patch; proof-of-concept code was released within days, leading to rapid mass exploitation.

Exploitation Context

  • Rapid mass exploitation: After PoC release, mass scanning and exploitation campaigns targeted exposed Tomcat deployments globally; automated scripts scanned for Tomcat on ports 8080, 8443, and 443 and attempted JSP upload immediately
  • Ransomware delivery: ransomware operators used CVE-2017-12615 to establish web shell access to Tomcat servers hosting enterprise Java applications, giving them a persistent RCE foothold for lateral movement and ransomware deployment; the CISA KEV entry marks the vulnerability as known to be used in ransomware campaigns
  • Related CVE-2017-12617: CVE-2017-12617 is a closely related vulnerability that affects all platforms (not just Windows) and was patched in Tomcat 8.5.24, 9.0.1; organizations running Tomcat 8.x and 9.x should patch CVE-2017-12617 as well
  • Enterprise Tomcat exposure: Many enterprise Java deployments exposed Tomcat management interfaces to internal networks with HTTP PUT enabled for deployment automation; attackers with internal network access exploited CVE-2017-12615 for lateral movement
  • CISA KEV (2022): Added March 2022 reflecting ongoing exploitation of unpatched Tomcat deployments

Remediation

CISA BOD 22-01 Deadline: April 15, 2022. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

  1. Upgrade Apache Tomcat — update to Tomcat 7.0.81 or later to patch CVE-2017-12615. Also update Tomcat 8.x to 8.5.24+ and Tomcat 9.x to 9.0.1+ to patch the companion CVE-2017-12617.

  2. Disable HTTP PUT (DefaultServlet readonly) — if file upload via HTTP PUT is not required, ensure the DefaultServlet is configured with readonly=true (the default):

    <!-- In web.xml DefaultServlet init-param: -->
    <init-param>
      <param-name>readonly</param-name>
      <param-value>true</param-value>
    </init-param>
    
  3. Scan for uploaded JSP web shells — check the Tomcat webapps directory for recently created .jsp and .jspx files that were not part of the original application deployment.

  4. Restrict network access to Tomcat — place Tomcat behind a reverse proxy (Apache httpd, nginx) that does not forward HTTP PUT requests; direct internet exposure of Tomcat's HTTP port increases exploitation risk.

  5. Monitor for JSP compilation events — alert on Tomcat logs showing JSP compilation of unexpected files; web shell access produces characteristic log patterns.
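Remediation steps 2 and 3 can be checked mechanically: parse conf/web.xml to see whether the DefaultServlet is configured with readonly=false, and diff the deployed .jsp/.jspx files against the application's original deployment manifest. This audit is an added example for this page, not Tomcat project code; the web.xml fragments are constructed, and the baseline manifest is assumed to be kept by the deployment pipeline.

```python
import xml.etree.ElementTree as ET

DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"

def _local(tag):
    """Strip an XML namespace ({uri}name -> name) so the check works
    whether or not web.xml declares the Java EE namespace."""
    return tag.rsplit("}", 1)[-1]

def _child_text(elem, name):
    return next(((c.text or "").strip() for c in elem if _local(c.tag) == name), "")

def default_servlet_writable(web_xml_text):
    """True if the DefaultServlet is configured readonly=false (HTTP PUT accepted).
    A missing readonly init-param means Tomcat's default, readonly=true."""
    root = ET.fromstring(web_xml_text)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        if _child_text(servlet, "servlet-class") != DEFAULT_SERVLET:
            continue
        for param in servlet:
            if _local(param.tag) == "init-param" and _child_text(param, "param-name") == "readonly":
                return _child_text(param, "param-value").lower() == "false"
    return False

def unexpected_jsp_files(deployed_paths, baseline_paths):
    """Remediation step 3: .jsp/.jspx files present now but absent from the
    application's original deployment manifest (assumed to exist)."""
    baseline = set(baseline_paths)
    return sorted(p for p in deployed_paths
                  if p.lower().endswith((".jsp", ".jspx")) and p not in baseline)

# Constructed web.xml fragments (not copied from any real deployment).
WEAK_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""
HARDENED_WEB_XML = WEAK_WEB_XML.replace("<param-value>false</param-value>",
                                        "<param-value>true</param-value>")

if __name__ == "__main__":
    print("PUT enabled (weak):", default_servlet_writable(WEAK_WEB_XML))
    print("PUT enabled (hardened):", default_servlet_writable(HARDENED_WEB_XML))
```

On a real server, feed default_servlet_writable the contents of conf/web.xml and unexpected_jsp_files a recursive listing of the webapps directory.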

Key Details

Property               Value
CVE ID                 CVE-2017-12615
Vendor / Product       Apache — Tomcat
NVD Published          2017-09-19
NVD Last Modified      2025-10-22
CVSS 3.1 Score         8.1
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity               HIGH
CWE                    CWE-434 — Unrestricted Upload of File with Dangerous Type
CISA KEV Added         2022-03-25
CISA KEV Deadline      2022-04-15
Known Ransomware Use   Yes

CVSS 3.1 Breakdown

Attack Vector          Network
Attack Complexity      High
Privileges Required    None
User Interaction       None
Scope                  Unchanged
Confidentiality        High
Integrity              High
Availability           High

Required Action

CISA BOD 22-01 Deadline: 2022-04-15. Apply updates per vendor instructions.

Timeline

Date         Event
2017-09-19   CVE-2017-12615 published; Apache Tomcat 7.0.81 released patching the Windows JSP upload vulnerability
2017-09-21   Proof-of-concept exploit published; rapid adoption by attackers
2022-03-25   Added to CISA Known Exploited Vulnerabilities catalog
2022-04-15   CISA BOD 22-01 remediation deadline

References

Resource                           Type
NVD — CVE-2017-12615               Vulnerability Database
CISA KEV Catalog Entry             US Government
Apache Tomcat 7.x Security Fixes   Vendor Advisory