CVE-2009-3548

Apache Tomcat 5.5.0-5.5.28 and 6.0.0-6.0.20 - Unauthenticated Privilege Escalation via Default Blank Admin Password


Exploitation Summary

EIP tracks 5 public exploits for CVE-2009-3548. PoCs have been published by Metasploit, MC and jduck, including the Metasploit module auxiliary/scanner/http/tomcat_mgr_login.

AI-analyzed exploit summary: This Metasploit module exploits Apache Tomcat Manager's authenticated file upload functionality to deploy a malicious WAR archive containing a JSP payload, achieving remote code execution. It handles CSRF tokens and session management to bypass protections.

Description

The Windows installer for Apache Tomcat 6.0.0 through 6.0.20, 5.5.0 through 5.5.28, and possibly earlier versions uses a blank default password for the administrative user, which allows remote attackers to gain privileges.

Exploits (5)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · multiple
https://www.exploit-db.com/exploits/31433

Classification: Working PoC (95%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Apache Tomcat (versions with exposed manager application)
Authentication required: yes
Prerequisites: Valid credentials for Tomcat Manager · Exposed /manager/html/upload endpoint · Network access to target
metasploit SCANNER
by MC · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/tomcat_mgr_login.rb

This Metasploit module attempts to brute-force login credentials for the Tomcat Application Manager by testing various default or weak credentials. It does not exploit a vulnerability but scans for weak authentication configurations.

Classification: Scanner (100%)
Attack type: Auth bypass
Complexity: Trivial
Reliability: Reliable
Target: Apache Tomcat (multiple versions)
Authentication required: yes
Prerequisites: Access to Tomcat Manager interface · List of default/weak credentials
metasploit WORKING POC EXCELLENT
ruby · poc · java
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/tomcat_mgr_upload.rb

This Metasploit module exploits Apache Tomcat's manager application to upload and execute a malicious WAR file, leveraging authenticated access. It handles CSRF tokens, platform detection, and payload deployment/cleanup.

Classification: Working PoC (100%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Apache Tomcat (versions with exposed manager app)
Authentication required: yes
Prerequisites: Valid credentials for Tomcat manager · Exposed /manager/html/upload endpoint
metasploit WORKING POC EXCELLENT
by jduck · ruby · poc · java
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/tomcat_mgr_deploy.rb

This Metasploit module exploits CVE-2009-3548 by deploying a malicious WAR file to an Apache Tomcat server via the exposed manager application, achieving authenticated remote code execution. It supports multiple platforms and architectures, and includes functionality for automatic target detection.

Classification: Working PoC (100%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Apache Tomcat (versions with exposed manager application)
Authentication required: yes
Prerequisites: Valid credentials for the Tomcat manager application · Exposed manager application endpoint
exploitdb WORKING POC
ruby · remote · multiple
https://www.exploit-db.com/exploits/16317

This Metasploit module exploits Apache Tomcat's Manager application by uploading a malicious WAR archive containing a JSP payload via a PUT request, achieving authenticated remote code execution. It supports automatic target detection and cleans up by undeploying the malicious application after exploitation.

Classification: Working PoC (100%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Apache Tomcat (versions with exposed Manager application)
Authentication required: yes
Prerequisites: Valid credentials for Tomcat Manager · Exposed Tomcat Manager interface

References (26)

Core references
Mailing list, vendor advisory (HP): http://marc.info/?l=bugtraq&m=127420533226623&w=2
Mailing list, vendor advisory (HP): http://marc.info/?l=bugtraq&m=136485229118404&w=2
Third-party advisory (Secunia): http://secunia.com/advisories/40330
Third-party advisory, VDB entry (VUPEN): http://www.vupen.com/english/advisories/2010/1559
Third-party advisory, VDB entry, OVAL signature: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19414
Mailing list, vendor advisory (HP): http://marc.info/?l=bugtraq&m=133469267822771&w=2
Third-party advisory, VDB entry (IBM X-Force): https://exchange.xforce.ibmcloud.com/vulnerabilities/54182
Patch, vendor advisory (Apache): http://tomcat.apache.org/security-6.html
Third-party advisory (Secunia): http://secunia.com/advisories/57126
Third-party advisory, VDB entry, OVAL signature: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7033
Third-party advisory, VDB entry (SecurityFocus BID): http://www.securityfocus.com/bid/36954
Vendor advisory, VDB entry (VUPEN): http://www.vupen.com/english/advisories/2009/3185
Patch, vendor advisory (Apache): http://tomcat.apache.org/security-5.html
Third-party advisory, VDB entry (Bugtraq mailing list): http://www.securityfocus.com/archive/1/507720/100/0/threaded
Other sources (misc): http://markmail.org/thread/wfu4nff5chvkb6xp
Third-party advisory, VDB entry (Bugtraq mailing list): http://www.securityfocus.com/archive/1/516397/100/0/threaded
Mailing list, vendor advisory (HP): http://marc.info/?l=bugtraq&m=139344343412337&w=2
Third-party advisory, VDB entry (SecurityTracker): http://www.securitytracker.com/id?1023146

Scores

EPSS 0.8690
EPSS Percentile 99.5%

Details

CWE: CWE-255
Status: published
Products (47)
apache/tomcat 3.0
apache/tomcat 3.1
apache/tomcat 3.1.1
apache/tomcat 3.2
apache/tomcat 3.2.1
apache/tomcat 3.2.2 (2 CPE variants)
apache/tomcat 3.2.3
apache/tomcat 3.2.4
apache/tomcat 3.3
apache/tomcat 3.3.1
... and 37 more
Published: Nov 12, 2009
Tracked since: Feb 18, 2026