False Positive – Apache Tomcat RCE (CVE-2025-24813) – Version 9.0.102 detected, but vulnerability still reported

We encountered a false positive related to the following vulnerability:

Apache Tomcat RCE Vulnerability (CVE-2025-24813)
Reported version: 9.0.97
Detection method: remote_banner (80%)
Port: 443/tcp
NVT OID: 1.3.6.1.4.1.25623.1.0.154161


We manually verified the Tomcat instance and confirmed that it is running version 9.0.102, which is not affected by this vulnerability.

Example response from a non-existent resource:

curl -k https://<host>/doesnotexist
...
<h3>Apache Tomcat/9.0.102</h3>

HTTP header also confirms normal operation:

curl -k -I https://<host>
HTTP/1.1 200 OK
...

Additionally, a full-text search for 9.0.97 across the entire system yielded no matches, ruling out remnants of an old installation.


Could you please verify whether this is a false positive or if there is another explanation for this detection? Since version 9.0.102 is in use and confirmed via live server response, we kindly request a review of the detection logic or an adjustment to avoid this false positive in future scans.

Thank you for your support!

You can check where the version 9.0.97 was detected from (this is not a version number which is created on the fly but actually reported by the target in question) based on the output of the following VT (You need to adjust the reporting level within your GUI to include 0.0 / log level results):

Name: Apache Tomcat Detection Consolidation
OID: 1.3.6.1.4.1.25623.1.0.107652

Most likely the version in a changelog or a readme hasn’t been raised during the update process, and if version 9.0.102 is installed, these could be adjusted accordingly on the target.

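One way to locate a stale version string like the one discussed in this thread is to fetch the paths a stock Tomcat install can serve and list every version each page mentions, so a 9.0.97 left behind in a docs page shows up next to the 9.0.102 on the live error page. The script below is an added example for this thread; it is not Greenbone's NVT code and the probed path list, the regexes and the SAMPLE_PAGES responses are assumptions constructed for illustration, not captured from a real host or from the detection logic.

```python
"""Report which paths on a Tomcat host disclose which version strings.

Added example, not the Greenbone NVT. The path list is an assumption about the
usual version-leaking locations of a default install; adjust it for your deployment.
"""
import re
import ssl
import sys
import urllib.request
from urllib.error import HTTPError, URLError

# Assumed probe paths: default error page, docs webapp, manager landing page.
PROBE_PATHS = [
    "/doesnotexist",            # default error page footer: "Apache Tomcat/9.0.102"
    "/docs/",                   # docs webapp index
    "/docs/changelog.html",     # changelog lists every release, newest first
    "/docs/RELEASE-NOTES.txt",  # release notes header carries the version
    "/manager/html",            # usually 401/403, but still a Tomcat-generated page
]

# Version strings as Tomcat writes them in its own pages and files.
VERSION_PATTERNS = [
    re.compile(r"Apache Tomcat/(\d+\.\d+\.\d+)"),          # error page footer
    re.compile(r"Apache Tomcat Version (\d+\.\d+\.\d+)"),  # RELEASE-NOTES.txt header
    re.compile(r"Tomcat (\d+\.\d+\.\d+) \("),              # changelog.html headings
]


def extract_versions(text):
    """Return every Tomcat version string in a response body, sorted numerically."""
    found = set()
    for pat in VERSION_PATTERNS:
        found.update(pat.findall(text))
    return sorted(found, key=lambda v: tuple(int(p) for p in v.split(".")))


def versions_by_path(pages):
    """pages: {path: body}. Keep only the paths that disclose at least one version."""
    result = {}
    for path, body in pages.items():
        versions = extract_versions(body)
        if versions:
            result[path] = versions
    return result


def stale_versions(pages, live_version):
    """Paths that mention a version other than the one the running server reports."""
    stale = {}
    for path, versions in versions_by_path(pages).items():
        others = [v for v in versions if v != live_version]
        if others:
            stale[path] = others
    return stale


def fetch(base_url, path, timeout=10):
    """GET base_url + path without TLS verification (like curl -k); 4xx bodies are kept
    because the default error page is exactly where the footer version lives."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(base_url + path, timeout=timeout, context=ctx) as resp:
            return resp.read().decode("utf-8", "replace")
    except HTTPError as err:
        return err.read().decode("utf-8", "replace")
    except URLError:
        return ""


# Constructed sample responses (not captured from a real host) mirroring the thread:
# the live error page reports 9.0.102 while docs pages from the old install still say 9.0.97.
SAMPLE_PAGES = {
    "/doesnotexist": '<html><body><hr class="line" /><h3>Apache Tomcat/9.0.102</h3></body></html>',
    "/docs/changelog.html": '<h3 id="Tomcat_9.0.97_(remm)">Tomcat 9.0.97 (remm)</h3>'
                            '<h3 id="Tomcat_9.0.96_(remm)">Tomcat 9.0.96 (remm)</h3>',
    "/docs/RELEASE-NOTES.txt": "====\n      Apache Tomcat Version 9.0.97\n          Release Notes\n====\n",
    "/manager/html": "<html><body>401 Unauthorized</body></html>",
}


def main(base_url):
    pages = {path: fetch(base_url, path) for path in PROBE_PATHS}
    for path, versions in versions_by_path(pages).items():
        print(f"{path}: {', '.join(versions)}")


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else "https://localhost:8443")
```

Run it as `python3 tomcat_versions.py https://<host>` and compare the output against the version on the error page; any path that lists an older version is a candidate for the string the remote_banner check picked up, and `stale_versions(pages, "9.0.102")` isolates exactly those paths.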