CVE-2025-49124

| EUVD-2025-18410 HIGH
2025-06-16 [email protected] GHSA-42wg-hm62-jcwg
8.4
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Patch Released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 14, 2026 - 21:59 vuln.today
EUVD ID Assigned
Mar 14, 2026 - 21:59 euvd
EUVD-2025-18410
CVE Published
Jun 16, 2025 - 15:15 nvd
HIGH 8.4

Tags

Microsoft Apache Tomcat Windows Privilege Escalation Suse

Description

Untrusted Search Path vulnerability in Apache Tomcat installer for Windows. During installation, the Tomcat installer for Windows used icacls.exe without specifying a full path. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0 through 10.1.41, from 9.0.23 through 9.0.105. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100 and 7.0.95 through 7.0.109. Other EOL versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.

Analysis

A security vulnerability in Apache Tomcat installer for Windows (CVSS 8.4). High severity vulnerability requiring prompt remediation.

Technical Context

Vulnerability type not specified by vendor. CVSS 8.4 indicates high severity. Affects Apache Tomcat installer for Windows.

Affected Products

['Apache Tomcat installer for Windows']

Remediation

Monitor vendor channels for patch availability.

Priority Score

42
Low Medium High Critical
KEV: 0
EPSS: +0.1
CVSS: +42
POC: 0

Vendor Status

Ubuntu

Priority: Medium
tomcat10
Release Status Version
jammy DNE -
upstream not-affected debian: Windows-specific
oracular ignored end of life, was needs-triage
noble not-affected Windows-specific
plucky not-affected Windows-specific
tomcat11
Release Status Version
jammy DNE -
noble DNE -
oracular DNE -
plucky DNE -
upstream not-affected debian: Windows-specific
tomcat9
Release Status Version
upstream not-affected debian: Windows-specific
oracular ignored end of life, was needs-triage
bionic not-affected Windows-specific
focal not-affected Windows-specific
jammy not-affected Windows-specific
noble not-affected Windows-specific
plucky not-affected Windows-specific

Debian

tomcat10
Release Status Fixed Version Urgency
bookworm fixed 10.1.34-0+deb12u2 -
bookworm (security) fixed 10.1.52-1~deb12u1 -
trixie (security), trixie fixed 10.1.52-1~deb13u1 -
forky, sid fixed 10.1.52-1 -
(unstable) not-affected - -
tomcat11
Release Status Fixed Version Urgency
trixie (security), trixie fixed 11.0.15-1~deb13u1 -
forky, sid fixed 11.0.18-1 -
(unstable) not-affected - -
tomcat9
Release Status Fixed Version Urgency
bullseye fixed 9.0.43-2~deb11u10 -
bullseye (security) fixed 9.0.107-0+deb11u2 -
bookworm fixed 9.0.70-2 -
trixie fixed 9.0.95-1 -
forky, sid fixed 9.0.115-1 -
(unstable) not-affected - -

Share

CVE-2025-49124 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy