CVE-2009-3548
published 2009-11-12


Priority: P2 76 high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
EXPLOIT
EPSS: 79.00% (99.5th percentile)
The Windows installer for Apache Tomcat 6.0.0 through 6.0.20, 5.5.0 through 5.5.28, and possibly earlier versions uses a blank default password for the administrative user, which allows remote attackers to gain privileges.

Affected

144 ranges · showing 25

Vendor | Product | Version range | Fixed in
apache | tomcat | | 
(all 25 rows shown list vendor apache, product tomcat; the version-range and fixed-in cells were not captured on the page)

Detection & IOCs (extracted from sources)

url: /manager/html/upload
path: /manager/html/upload
path: /manager/html/undeploy
path: /manager
cookie: CSRF_NONCE=
  • Detect POST requests to /manager/html/upload with a multipart/form-data content type; this is the upload vector for WAR-based payload delivery against the Tomcat Manager application.
  • Monitor for authenticated access to the Tomcat Manager app (/manager/html) followed immediately by a WAR file upload POST and a subsequent JSP execution GET request: this sequence is characteristic of this exploit.
  • Alert on default or blank credentials ('admin' with a blank password) being used to authenticate to the Tomcat Manager application, as CVE-2009-3548 specifically concerns a blank default ADMIN password in the Windows installer.
  • Look for random alphanumeric application base names (4–32 characters) deployed and then immediately undeployed via /manager/html/undeploy; this matches the exploit's cleanup behavior.
  • Detect HTTP responses carrying Apache Tomcat or Coyote server banners on non-standard ports, as the exploit fingerprints the server via the Server header pattern /Apache.*(Coyote|Tomcat)/.
  • CVE-2009-3548 may overlap with CVE-2010-4094 (IBM Rational Quality Manager/Test Lab Manager default ADMIN password), so detections targeting default Tomcat Manager credentials may apply to both CVEs.