CVE-2019-0232

HIGH EXPLOITED NUCLEI

Apache Tomcat 7.0.0-7.0.93, 8.5.0-8.5.39, 9.0.0.M1-9.0.17 - Remote Code Execution via CGI Servlet


Exploitation Summary

CVE-2019-0232 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 15 public exploits from researchers including Metasploit, pyn3rd and jas502n, among them the Metasploit module exploits/windows/http/tomcat_cgi_cmdlineargs. A Nuclei detection template is also available.

AI-analyzed exploit summary: This Metasploit module exploits CVE-2019-0232 in Apache Tomcat's CGIServlet by abusing the enableCmdLineArguments setting to execute arbitrary system commands, leading to remote code execution on Windows systems.

Description

When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default. The CGI option enableCmdLineArguments is disabled by default in Tomcat 9.0.x (and will be disabled by default in all versions in response to this vulnerability). For a detailed explanation of the JRE behaviour, see Markus Wulftange's blog (https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html) and this archived MSDN blog (https://web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/).

Exploits (15)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · windows
https://www.exploit-db.com/exploits/47073

This Metasploit module exploits CVE-2019-0232 in Apache Tomcat's CGIServlet by abusing the enableCmdLineArguments setting to execute arbitrary system commands, leading to remote code execution on Windows systems.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Apache Tomcat 9.0 or prior for Windows
No auth needed
Prerequisites: enableCmdLineArguments setting must be set to true · CGI script accessible on the target
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 189 stars
by pyn3rd · remote
https://github.com/pyn3rd/CVE-2019-0232

This PoC exploits CVE-2019-0232, a remote code execution vulnerability in Apache Tomcat's CGI Servlet on Windows. It demonstrates command injection via a maliciously crafted request to a batch file in the CGI directory.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Apache Tomcat 8.5.39 (with CGI Servlet enabled)
No auth needed
Prerequisites: Tomcat with CGI Servlet enabled · Windows OS · Ability to place files in WEB-INF/cgi-bin
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 80 stars
by jas502n · remote
https://github.com/jas502n/CVE-2019-0232

This repository contains a Python script that exploits CVE-2019-0232, a remote code execution vulnerability in Apache Tomcat on Windows via the CGI servlet. The script constructs a malicious URL to execute arbitrary commands by appending them to a CGI script path.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Apache Tomcat 8.5.39 (with CGI enabled)
No auth needed
Prerequisites: Apache Tomcat with CGI servlet enabled · Windows OS · Network access to the target
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 22 stars
by jaiguptanick · remote
https://github.com/jaiguptanick/CVE-2019-0232

This repository contains a functional Python exploit for CVE-2019-0232, targeting Apache Tomcat's CGI Servlet on Windows. The exploit leverages command injection via URL parameters to achieve remote code execution and establish a reverse shell.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39, 7.0.0 to 7.0.93
No auth needed
Prerequisites: Apache Tomcat with CGI Servlet enabled · enableCmdLineArguments set to true · Windows OS · Network access to the target
devstral-2 · analyzed Feb 16, 2026

nomisec WRITEUP 20 stars
by setrus · poc
https://github.com/setrus/CVE-2019-0232

This repository provides a detailed writeup and step-by-step guide for exploiting CVE-2019-0232, a remote code execution vulnerability in Apache Tomcat's CGI Servlet on Windows. It includes configuration steps, manual testing, and references to a Metasploit module for exploitation.

Classification: Writeup 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Apache Tomcat 7.0.42 (Windows)
No auth needed
Prerequisites: Apache Tomcat 7.0.42 on Windows · CGI Servlet enabled · Batch files in the CGI directory · Non-default configuration with privileged context
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 3 stars
by cyy95 · poc
https://github.com/cyy95/CVE-2019-0232-EXP

This repository provides a proof-of-concept exploit for CVE-2019-0232, a remote code execution vulnerability in Apache Tomcat. The exploit leverages improper input validation in the CGI Servlet to execute arbitrary commands via crafted URLs.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39, 7.0.0 to 7.0.93
No auth needed
Prerequisites: CGI Servlet enabled with specific configurations · Privileged context in Tomcat · Access to crafted URL
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 1 star
by Jorge2Rubio · remote
https://github.com/Jorge2Rubio/CVE-2019-0232

This Python script automates the exploitation of CVE-2019-0232, a remote code execution vulnerability in Apache Tomcat's CGI Servlet on Windows. It supports both command execution and reverse shell modes, leveraging certutil to download and execute a netcat binary for reverse shell functionality.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Apache Tomcat (Windows) with CGI Servlet enabled
No auth needed
Prerequisites: Target URL and port · Vulnerable Apache Tomcat instance with CGI Servlet enabled · For reverse shell: netcat binary and listener setup
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 1 star
by Dharan10 · remote
https://github.com/Dharan10/CVE-2019-0232

This Python script exploits CVE-2019-0232 in Apache Tomcat by leveraging improper handling of `ism.bat` to execute arbitrary commands, downloading `nc.exe` via `certutil` and establishing a reverse shell.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Apache Tomcat 6.x, 7.x, 8.x, 9.x
No auth needed
Prerequisites: Vulnerable Apache Tomcat instance · Access to a server hosting `nc.exe` · Netcat listener set up on attacker's machine
devstral-2 · analyzed Feb 16, 2026

github WORKING POC 1 star
by Shockp · python · poc
https://github.com/Shockp/CVE-Exploits/tree/main/CVE-2019-0232 (Tomcat cgi)

The repository contains a functional Python exploit for CVE-2019-0232, a remote code execution vulnerability in Apache Tomcat's CGI servlet. The exploit uses a crafted HTTP request to download and execute a reverse shell payload via certutil and nc.exe.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Apache Tomcat (CGI servlet)
No auth needed
Prerequisites: Vulnerable Tomcat instance with CGI servlet enabled · Access to a vulnerable CGI script path · Network access to the target · A listener setup for the reverse shell
devstral-2 · analyzed Feb 27, 2026

nomisec WORKING POC
by r4vl1t0 · remote
https://github.com/r4vl1t0/CVE-2019-0232

This repository contains a functional exploit for CVE-2019-0232, leveraging a CGI endpoint to achieve unauthenticated remote code execution (RCE) via certutil to download and execute a reverse shell payload.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Apache Tomcat (CGI Servlet)
No auth needed
Prerequisites: HTTP server hosting nc.exe · Netcat listener · Target URL with vulnerable CGI endpoint
devstral-2 · analyzed Mar 20, 2026

nomisec WORKING POC
by x3m1Sec · remote
https://github.com/x3m1Sec/CVE-2019-0232_tomcat_cgi_exploit

This Python script exploits CVE-2019-0232, a CGI vulnerability in Apache Tomcat, by downloading and executing a reverse shell payload (nc.exe) on the target system. It automates the exploitation process with customizable parameters for target and attacker configurations.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Apache Tomcat (versions affected by CVE-2019-0232)
No auth needed
Prerequisites: Python 3.x · requests library · Netcat (nc.exe) hosted on attacker's server · Listener set up for reverse shell
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by xsxtw · poc
https://github.com/xsxtw/CVE-2019-0232

This PoC demonstrates CVE-2019-0232, a remote code execution vulnerability in Apache Tomcat's CGI Servlet on Windows. It leverages improper handling of command-line arguments to execute arbitrary commands via a crafted HTTP request.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Apache Tomcat 8.5.39 (with CGI Servlet enabled)
No auth needed
Prerequisites: Tomcat with CGI Servlet enabled · Windows OS · Ability to send HTTP requests to the target
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC EXCELLENT
by Yakov Shafranovich, sinn3r · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/tomcat_cgi_cmdlineargs.rb

This Metasploit module exploits CVE-2019-0232 in Apache Tomcat's CGIServlet by abusing the enableCmdLineArguments setting to execute system commands, leading to remote code execution on Windows systems.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Apache Tomcat 9.0 or prior for Windows
No auth needed
Prerequisites: enableCmdLineArguments setting must be set to true · Access to a CGI script endpoint
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

Apache Tomcat `CGIServlet` enableCmdLineArguments - Remote Code Execution
HIGH · by DhiyaneshDk
Shodan: http.html:"apache tomcat" || http.title:"apache tomcat" || http.html:"jk status manager" || cpe:"cpe:2.3:a:apache:tomcat"
FOFA: body="jk status manager" || body="apache tomcat" || title="apache tomcat"

References (32)

Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/107906
Mailing List mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2019/May/4
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:1712
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20190419-0001/

Scores

CVSS v3 8.1
EPSS 0.9422
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2021-04-12
CWE CWE-78
Status published
Products (3)
apache/tomcat 9.0.0 milestone1 (26 CPE variants)
apache/tomcat 7.0.0 - 7.0.93
org.apache.tomcat.embed/tomcat-embed-core 9.0.0.M1 - 9.0.17 (Maven)
Published Apr 15, 2019
Tracked Since Feb 18, 2026