CVE-2016-5425

HIGH

Apache Tomcat on RedHat Based Systems Insecure Temp Config Privilege Escalation

Title source: metasploit
Exploitation Summary

EIP tracks 2 public exploits for CVE-2016-5425. PoCs published by Dawid Golunski and h00die, including Metasploit module exploits/linux/local/tomcat_rhel_based_temp_priv_esc.

AI-analyzed exploit summary: This exploit leverages insecure permissions on the tomcat.conf file in RedHat-based distributions to inject malicious configurations, creating a root shell and reverse shell via systemd-tmpfiles execution.

Description

The Tomcat package on Red Hat Enterprise Linux (RHEL) 7, Fedora, CentOS, Oracle Linux, and possibly other Linux distributions uses weak permissions for /usr/lib/tmpfiles.d/tomcat.conf, which allows local users to gain root privileges by leveraging membership in the tomcat group.

Exploits (2)

exploitdb WORKING POC
by Dawid Golunski · text · local · linux
https://www.exploit-db.com/exploits/40488

This exploit leverages insecure permissions on the tomcat.conf file in RedHat-based distributions to inject malicious configurations, creating a root shell and reverse shell via systemd-tmpfiles execution.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Trivial
Reliability: Reliable
Target: Apache Tomcat (RedHat-based distros packaging)
No auth needed
Prerequisites: Write access to /usr/lib/tmpfiles.d/tomcat.conf as tomcat user · systemd-tmpfiles execution (e.g., on reboot or via service)
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC MANUAL
by h00die, Dawid Golunski · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/tomcat_rhel_based_temp_priv_esc.rb

This Metasploit module exploits CVE-2016-5425, a privilege escalation vulnerability in Apache Tomcat on RedHat-based systems due to improper file permissions on /usr/lib/tmpfiles.d/tomcat.conf. It injects a cron job via systemd-tmpfiles to execute a payload with root privileges.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Apache Tomcat versions before 7.0.54-8 on RedHat-based systems
No auth needed
Prerequisites: Access to a vulnerable RedHat-based system with Apache Tomcat < 7.0.54-8 · Write permissions to /usr/lib/tmpfiles.d/tomcat.conf
devstral-2 · analyzed Feb 16, 2026

References (10)

Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1036979
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/93472
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/139041/Apache-Tomcat-8-7-6-Privilege-Escalation.html
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2016/10/10/2
Third Party Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2016-2046.html
Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/40488/

Scores

CVSS v3 7.8
EPSS 0.0378
EPSS Percentile 88.6%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-276
Status: published
Products (1): apache/tomcat
Published: Oct 13, 2016
Tracked Since: Feb 18, 2026