CVE-2025-49124

HIGH

Apache Tomcat 9.0.23-9.0.105, 10.1.0-10.1.41, 11.0.0-M1-11.0.7 - Untrusted Search Path via icacls.exe

Title source: llm
STIX 2.1

Description

Untrusted Search Path vulnerability in Apache Tomcat installer for Windows. During installation, the Tomcat installer for Windows used icacls.exe without specifying a full path. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0 through 10.1.41, from 9.0.23 through 9.0.105. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100 and 7.0.95 through 7.0.109. Other EOL versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.

References (2)

Core 2
Core References
Mailing List, Vendor Advisory vendor-advisory
https://lists.apache.org/thread/lnow7tt2j6hb9kcpkggx32ht6o90vqzv
Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2025/06/16/3

Scores

CVSS v3 8.4
EPSS 0.0035
EPSS Percentile 26.4%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-426
Status published
Products (4)
apache/tomcat 9.0.23 - 9.0.106
org.apache.tomcat/tomcat 11.0.0-M1 - 11.0.8Maven
org.apache.tomcat/tomcat-catalina 11.0.0-M1 - 11.0.8Maven
org.apache.tomcat.embed/tomcat-embed-core 11.0.0-M1 - 11.0.8Maven
Published Jun 16, 2025
Tracked Since Feb 18, 2026