CVE-2025-49124

EUVD-2025-18410

16.06.2025, 15:15

Untrusted Search Path vulnerability in Apache Tomcat installer for Windows. During installation, the Tomcat installer for Windows used icacls.exe without specifying a full path.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0 through 10.1.41, from 9.0.23 through 9.0.105.
The following versions were EOL at the time the CVE was created but are
known to be affected: 8.5.0 through 8.5.100 and 7.0.95 through 7.0.109. Other EOL versions may also be affected.

Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	8.4 HIGH	LOCAL	LOW	NONE	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA-ADP	ADP	8.4 HIGH	LOCAL	LOW	NONE	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 8%

Affected Products (NVD)

Vendor	Product	Version
apache	tomcat	9.0.23 ≤ 𝑥 < 9.0.106
apache	tomcat	10.1.0 ≤ 𝑥 < 10.1.42
apache	tomcat	11.0.0 ≤ 𝑥 < 11.0.8

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

tomcat10

bookworm	10.1.34-0+deb12u2 fixed
bookworm (security)	10.1.52-1~deb12u1 fixed
forky	10.1.52-1 fixed
sid	10.1.52-1 fixed
trixie	10.1.40-1 fixed
trixie (security)	10.1.52-1~deb13u1 fixed

tomcat11

forky	11.0.18-1 fixed
sid	11.0.18-1 fixed
trixie	11.0.6-1 fixed
trixie (security)	11.0.15-1~deb13u1 fixed

tomcat9

bookworm	9.0.70-2 fixed
bullseye	9.0.43-2~deb11u10 fixed
bullseye (security)	9.0.107-0+deb11u2 fixed
forky	9.0.115-1 fixed
sid	9.0.115-1 fixed
trixie	9.0.95-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

tomcat10

jammy	dne
noble	not-affected
oracular	ignored
plucky	not-affected

tomcat11

jammy	dne
noble	dne
oracular	dne
plucky	dne

tomcat9

bionic	not-affected
focal	not-affected
jammy	not-affected
noble	not-affected
oracular	ignored
plucky	not-affected

Common Weakness Enumeration

CWE-426 - Untrusted Search Path
The application searches for critical resources using an externally-supplied search path that can point to resources that are not under the application's direct control.

References

https://lists.apache.org/thread/lnow7tt2j6hb9kcpkggx32ht6o90vqzv

http://www.openwall.com/lists/oss-security/2025/06/16/3