CVE-2025-49124

HIGH EPSS 26.6%

Published Jun 16, 20251y ago · Modified Jun 17, 20261w ago

8.4 CVSS 3.1

High

Published Jun 16, 2025 1y ago

Last Modified Jun 17, 2026 1w ago

Description

Untrusted Search Path vulnerability in Apache Tomcat installer for Windows. During installation, the Tomcat installer for Windows used icacls.exe without specifying a full path. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0 through 10.1.41, from 9.0.23 through 9.0.105. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100 and 7.0.95 through 7.0.109. Other EOL versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.

CVSS Details

Base Score

8.4

Exploitability

2.5

Impact

5.9

Vector string

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector Local

Attack Complexity Low

Privileges Required None

User Interaction None

Scope Unchanged

Confidentiality High

Integrity High

Availability High

Threat Intelligence

EPSS Exploit Probability

26.6% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 1

CWE-426

Affected Products 3

Vendor	Product	Version	Range
apache	tomcat	*	≥9.0.23 – <9.0.106
apache	tomcat	*	≥10.1.0 – <10.1.42
apache	tomcat	*	≥11.0.0 – <11.0.8

References 2

openwall.com http://www.openwall.com/lists/oss-security/2025/06/16/3

Mailing ListThird Party Advisory
lists.apache.org https://lists.apache.org/thread/lnow7tt2j6hb9kcpkggx32ht6o90vqzv

Mailing ListVendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.