CVE-2009-3843

HP Operations Manager 8.10 - Unauthenticated Remote Code Execution via Tomcat Manager Upload

Exploitation Summary

EIP tracks 4 public exploits for CVE-2009-3843. PoCs were published by MC and jduck, including the Metasploit module auxiliary/scanner/http/tomcat_mgr_login.

AI-analyzed exploit summary: This Metasploit module attempts to brute-force login credentials for the Tomcat Application Manager by testing default or provided usernames and passwords. It checks for HTTP 401 responses and validates successful logins.

Description

HP Operations Manager 8.10 on Windows contains a "hidden account" in the XML file that specifies Tomcat users, which allows remote attackers to conduct unrestricted file upload attacks, and thereby execute arbitrary code, by using the org.apache.catalina.manager.HTMLManagerServlet class to make requests to manager/html/upload.

Exploits (4)

metasploit SCANNER
by MC · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/tomcat_mgr_login.rb

This Metasploit module attempts to brute-force login credentials for the Tomcat Application Manager by testing default or provided usernames and passwords. It checks for HTTP 401 responses and validates successful logins.

Classification: Scanner 100%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: Apache Tomcat (multiple versions)
Auth required
Prerequisites: Access to Tomcat Manager interface · Valid or default credentials
devstral-2 · analyzed Jun 05, 2026

metasploit WORKING POC EXCELLENT
ruby · poc · java
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/tomcat_mgr_upload.rb

This Metasploit module exploits Apache Tomcat's Manager application to upload and execute a malicious WAR file, leveraging authenticated access to achieve remote code execution. It handles CSRF tokens, session management, and payload deployment/cleanup.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Apache Tomcat (with exposed Manager application)
Auth required
Prerequisites: Valid credentials for Tomcat Manager · Exposed /manager/html/upload endpoint
devstral-2 · analyzed Apr 24, 2026

metasploit WORKING POC EXCELLENT
by jduck · ruby · poc · java
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/tomcat_mgr_deploy.rb

This Metasploit module exploits Apache Tomcat's Manager application to deploy a malicious WAR archive containing a JSP payload, achieving authenticated remote code execution. It supports multiple platforms (Java, Windows, Linux) and includes functionality for automatic target detection and cleanup.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Apache Tomcat (with exposed Manager application)
Auth required
Prerequisites: Valid credentials for Tomcat Manager · Exposed Tomcat Manager application
devstral-2 · analyzed Apr 24, 2026

exploitdb WORKING POC
ruby · remote · multiple
https://www.exploit-db.com/exploits/16317

This Metasploit module exploits Apache Tomcat's Manager application to deploy a malicious WAR archive containing a JSP payload, achieving remote code execution. It supports multiple platforms and architectures, and includes automatic target detection.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Apache Tomcat (versions with exposed Manager application)
Auth required
Prerequisites: Valid credentials for Tomcat Manager · Exposed Tomcat Manager application
devstral-2 · analyzed Feb 19, 2026

References (6)

Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://securitytracker.com/id?1023222
Mailing List vendor-advisory x_refsource_hp
http://marc.info/?l=bugtraq&m=125873415424980&w=2
Third Party Advisory x_refsource_misc
http://www.zerodayinitiative.com/advisories/ZDI-09-085/
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/54361
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/37444
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://www.osvdb.org/60317

Scores

EPSS: 0.8683
EPSS Percentile: 99.4%

Details

CWE: CWE-264
Status: published
Products (1): hp/operations_manager 8.10
Published: Nov 24, 2009
Tracked Since: Feb 18, 2026