CVE-2025-49124
Untrusted Search Path vulnerability in tomcat-embed-core (Maven)
What is CVE-2025-49124 About?
This Untrusted Search Path vulnerability in the Apache Tomcat installer for Windows allows for arbitrary code execution during installation. It occurs because `icacls.exe` is called without a full path, making it susceptible to a malicious executable placed earlier in the system's PATH. Exploitation is relatively easy if an attacker can manipulate the system's PATH variable or place a malicious binary in a privileged location.
Affected Software
- org.apache.tomcat.embed:tomcat-embed-core
  - >9.0.23, <9.0.106
  - >10.1.0, <10.1.42
  - >11.0.0-M1, <11.0.8
- org.apache.tomcat:tomcat
  - >9.0.23, <9.0.106
  - >10.1.0, <10.1.42
  - >11.0.0-M1, <11.0.8
- org.apache.tomcat:tomcat-catalina
  - >9.0.23, <9.0.106
  - >10.1.0, <10.1.42
  - >11.0.0-M1, <11.0.8
Technical Details
The vulnerability exists in the Apache Tomcat installer for Windows, affecting versions from 11.0.0-M1 through 11.0.7, 10.1.0 through 10.1.41, and 9.0.23 through 9.0.105. During the installation process, the installer executes the icacls.exe utility. However, it does so by calling icacls.exe directly, without specifying its full, absolute path (e.g., C:\Windows\System32\icacls.exe). This reliance on the system's PATH environment variable creates an untrusted search path vulnerability. If an attacker has managed to place a malicious executable named icacls.exe in a directory that appears earlier in the system's PATH than the legitimate System32 directory, the installer will inadvertently execute the attacker's malicious program instead of the genuine icacls.exe. This leads to arbitrary code execution with the privileges of the installer process, typically administrative.
What is the Impact of CVE-2025-49124?
Successful exploitation may allow attackers to execute arbitrary code on the system with elevated privileges, leading to full system compromise, persistent backdoor installation, and unauthorized access to sensitive information or resources.
What is the Exploitability of CVE-2025-49124?
Exploitation complexity is moderate. It requires an attacker to either modify the system's PATH environment variable or place a malicious icacls.exe file in a directory that is searched before the legitimate system directory (e.g., System32). This typically implies some level of prior access or privilege on the system (e.g., the ability to write to certain system directories or to modify user-specific PATH settings); an attacker who already holds a low-privileged foothold and can satisfy these conditions would gain the installer's elevated privileges, so the bug is a local privilege-escalation path. The attack is local, as it occurs during the installation process on the affected machine. Exploitation requires the user to run the vulnerable Apache Tomcat installer while the malicious conditions are in place. The likelihood of exploitation is increased if the system has weak access controls allowing unauthorized PATH modifications or file placement.
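The following PowerShell script is an added defender-side example, not code from the Apache Tomcat project or from this advisory. It illustrates the two passages above: how an unqualified `icacls.exe` is resolved through the search path, what the hardened fully qualified invocation looks like, and an audit of the PATH entries that precede System32, flagging any that already contain a shadowing `icacls.exe` or that a standard user could write into. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows; the identity names and the write-rights mask used for the ACL check are the script's own choices.

```powershell
# Added example (not from the Apache Tomcat project or this advisory).
# Checks a Windows host for the untrusted-search-path condition behind
# CVE-2025-49124: an installer that runs "icacls.exe" without a full path.
# Assumes Windows PowerShell 5.1 or PowerShell 7 on Windows.

$System32 = Join-Path $env:SystemRoot 'System32'
$Genuine  = Join-Path $System32 'icacls.exe'

# (1) Unqualified lookup: what does "icacls.exe" resolve to on this machine?
$cmd = Get-Command -Name 'icacls.exe' -CommandType Application -ErrorAction SilentlyContinue
if ($null -eq $cmd) {
    Write-Warning "icacls.exe was not found on PATH at all"
} elseif ($cmd.Source -ine $Genuine) {
    Write-Warning "Unqualified 'icacls.exe' resolves to '$($cmd.Source)', not '$Genuine' (shadowed)"
} else {
    Write-Host "Unqualified 'icacls.exe' resolves to the genuine binary: $Genuine"
}

# (2) Hardened invocation: a fully qualified path cannot be redirected by PATH.
#     Displaying the ACL of $env:TEMP is a harmless demonstration call.
& $Genuine $env:TEMP

# (3) Audit: which PATH entries come before System32, and can a low-privileged
#     account write into them? Only those entries could host a shadowing binary.
$WriteMask  = [System.Security.AccessControl.FileSystemRights]::Write -bor
              [System.Security.AccessControl.FileSystemRights]::Modify -bor
              [System.Security.AccessControl.FileSystemRights]::FullControl
# Identities treated as "low privilege" for this audit (an assumption of the script).
$LowPrivIds = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')

$PathDirs = $env:PATH -split ';' | Where-Object { $_.Trim() -ne '' }
foreach ($dir in $PathDirs) {
    $norm = [System.Environment]::ExpandEnvironmentVariables($dir).TrimEnd('\')
    if ($norm -ieq $System32) { break }   # entries after System32 cannot shadow it
    if (-not (Test-Path -LiteralPath $norm -PathType Container)) {
        Write-Host "PATH entry does not exist (dangling): $norm"
        continue
    }
    $shadow = Join-Path $norm 'icacls.exe'
    if (Test-Path -LiteralPath $shadow) {
        Write-Warning "Shadowing copy of icacls.exe found: $shadow"
    }
    $acl  = Get-Acl -LiteralPath $norm
    $weak = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $LowPrivIds -contains $_.IdentityReference.Value -and
        ([int]($_.FileSystemRights -band $WriteMask) -ne 0)
    }
    if ($weak) {
        $who = ($weak | ForEach-Object { $_.IdentityReference.Value }) -join ', '
        Write-Warning ("Low-privilege write access on PATH entry before System32: {0} ({1})" -f $norm, $who)
    }
}
```

Run it in the context (user and elevation level) in which the installer would actually be launched, since PATH differs per user and per session. The audit covers PATH as the advisory describes; because the Win32 CreateProcess search order also consults the application's own directory before PATH, the directory the installer is launched from (for example a shared download folder) deserves the same writable-by-standard-users check.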
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2025-49124?
Available Upgrade Options
- org.apache.tomcat:tomcat
  - >9.0.23, <9.0.106 → Upgrade to 9.0.106
  - >10.1.0, <10.1.42 → Upgrade to 10.1.42
  - >11.0.0-M1, <11.0.8 → Upgrade to 11.0.8
- org.apache.tomcat.embed:tomcat-embed-core
  - >9.0.23, <9.0.106 → Upgrade to 9.0.106
  - >10.1.0, <10.1.42 → Upgrade to 10.1.42
  - >11.0.0-M1, <11.0.8 → Upgrade to 11.0.8
- org.apache.tomcat:tomcat-catalina
  - >9.0.23, <9.0.106 → Upgrade to 9.0.106
  - >10.1.0, <10.1.42 → Upgrade to 10.1.42
  - >11.0.0-M1, <11.0.8 → Upgrade to 11.0.8
Additional Resources
- http://www.openwall.com/lists/oss-security/2025/06/16/3
- https://tomcat.apache.org/security-11.html#Fixed_in_Apache_Tomcat_11.0.8
- https://lists.apache.org/thread/lnow7tt2j6hb9kcpkggx32ht6o90vqzv
- https://github.com/apache/tomcat/commit/28726cc2e63bed68771f5eb0f65a78dc7080571823
- https://osv.dev/vulnerability/GHSA-42wg-hm62-jcwg
- https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.42
- https://github.com/apache/tomcat/commit/c56456cda8151c9504dfb7985700824559d769a7
- https://github.com/apache/tomcat/commit/e0e07812224d327a321babb554f5a5758d30cc49
- https://github.com/apache/tomcat
- https://nvd.nist.gov/vuln/detail/CVE-2025-49124
What are Similar Vulnerabilities to CVE-2025-49124?
Similar Vulnerabilities: CVE-2023-38035, CVE-2022-37731, CVE-2021-43285, CVE-2020-13936, CVE-2019-19524
