CVE-2025-49124

HIGH

Apache Tomcat < 9.0.106 - Untrusted Search Path

Title source: rule

Description

Untrusted Search Path vulnerability in Apache Tomcat installer for Windows. During installation, the Tomcat installer for Windows used icacls.exe without specifying a full path. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0 through 10.1.41, from 9.0.23 through 9.0.105. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100 and 7.0.95 through 7.0.109. Other EOL versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.

References (2)

[Mailing List, Vendor Advisory] https://lists.apache.org/thread/lnow7tt2j6hb9kcpkggx32ht6o90vqzv

[Mailing List, Third Party Advisory] http://www.openwall.com/lists/oss-security/2025/06/16/3

Scores

CVSS v3 8.4

EPSS 0.0005

EPSS Percentile 14.1%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-426

Status published

Affected Products (4)

apache/tomcat < 9.0.106

org.apache.tomcat.embed/tomcat-embed-core < 11.0.8Maven

org.apache.tomcat/tomcat < 11.0.8Maven

org.apache.tomcat/tomcat-catalina < 11.0.8Maven

Timeline

Published Jun 16, 2025

Tracked Since Feb 18, 2026