CVE-2025-49124

CWE-426 | 7 documents | 6 sources

Severity: 8.4 HIGH
EPSS: 0.2% (top 53.16%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jun 16

Description

Untrusted Search Path vulnerability in Apache Tomcat installer for Windows. During installation, the Tomcat installer for Windows used icacls.exe without specifying a full path. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0 through 10.1.41, from 9.0.23 through 9.0.105. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100 and 7.0.95 through 7.0.109. Other EOL versions may also be affected. Users are r

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.5 | Impact: 5.9

Affected Packages (5 packages)

Source      Package                                        From        To          More
NVD         apache/tomcat                                  9.0.23      9.0.106     +2
Maven       org.apache.tomcat:tomcat                       11.0.0-M1   11.0.8      +2
Maven       org.apache.tomcat:tomcat-catalina              11.0.0-M1   11.0.8      +2
Maven       org.apache.tomcat.embed:tomcat-embed-core      11.0.0-M1   11.0.8      +2
CVEListV5   apache_software_foundation/apache_tomcat       11.0.0-M1   11.0.7      +4

"To" is the first fixed version for the NVD and Maven rows; the CVEListV5 row lists the last affected version (11.0.7), matching the "through 11.0.7" range in the description.

Vulnerability Details (4)

GHSA     Apache Tomcat installer for Windows has an untrusted search path vulnerability (2025-06-16)
CVEList  Apache Tomcat: exe side-loading via icalcs.exe in Tomcat installer for Windows (2025-06-16)
OSV      CVE-2025-49124: Untrusted Search Path vulnerability in Apache Tomcat installer for Windows (2025-06-16)
OSV      Apache Tomcat installer for Windows has an untrusted search path vulnerability (2025-06-16)

Vendor Advisories (2)

Microsoft  x86/mce: Work around an erratum on fast string copy instructions (2025-02-11)
Debian     CVE-2025-49124: tomcat10 - Untrusted Search Path vulnerability in Apache Tomcat installer for Windows. Duri... (2025)