{"id":7988,"date":"2025-10-28T10:03:28","date_gmt":"2025-10-28T10:03:28","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/10\/28\/apache-tomcat-security-vulnerabilities-expose-servers-to-remote-code-execution-attacks\/"},"modified":"2025-10-28T10:03:28","modified_gmt":"2025-10-28T10:03:28","slug":"apache-tomcat-security-vulnerabilities-expose-servers-to-remote-code-execution-attacks","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/10\/28\/apache-tomcat-security-vulnerabilities-expose-servers-to-remote-code-execution-attacks\/","title":{"rendered":"Apache Tomcat Security Vulnerabilities Expose Servers to Remote Code Execution Attacks"},"content":{"rendered":"

Apache Tomcat Security Vulnerabilities Expose Servers to Remote Code Execution Attacks
\n \t

\n
<\/BR>
\n
\n \t

\n
<\/BR><\/p>\n

\n

The Apache Software Foundation has highlighted critical flaws in Apache Tomcat, a widely used open-source Java servlet container that powers numerous web applications.<\/p>\n

On October 27, 2025, Apache disclosed two vulnerabilities, CVE-2025-55752 and CVE-2025-55754, affecting multiple versions of Tomcat.<\/p>\n

While the first poses a risk of remote code execution<\/a> (RCE) under specific configurations, the second enables potential console manipulation, underscoring the need for immediate patching in enterprise environments.<\/p>\n

These issues stem from regressions and unescaped sequences, potentially exposing servers to unauthorized access and control.\u200b<\/p>\n

Directory Traversal Flaw Enables RCE<\/strong><\/h2>\n

The more severe vulnerability, CVE-2025-55752<\/a>, involves a directory traversal bug introduced in the fix for an earlier issue (bug 60013).<\/p>\n

In this regression, rewritten URLs are normalized before decoding, allowing attackers to manipulate query parameters and bypass protections for sensitive directories like \/WEB-INF\/ and \/META-INF\/.<\/p>\n

If PUT requests are enabled, a configuration typically restricted to trusted users, malicious files can be uploaded, leading to RCE.<\/p>\n

Discovered by Chumy Tsai of CyCraft Technology, this flaw is rated as Important severity, emphasizing its potential impact on unpatched systems running Tomcat in production.\u200b<\/p>\n

Affected versions include Apache Tomcat 11.0.0-M1 to 11.0.10, 10.1.0-M1 to 10.1.44, and 9.0.0-M11 to 9.0.108, with older end-of-life (EOL) releases also vulnerable.<\/p>\n

The technical specifics revolve around URL rewriting rules that inadvertently allow path manipulation, exploiting the order of normalization and decoding processes to evade security constraints.\u200b<\/p>\n

\n\n\n\n\n\n
CVE ID<\/th>\nSeverity<\/th>\nAffected Versions<\/th>\nCVSS Score<\/th>\nTechnical Description<\/th>\nCredit<\/th>\n<\/tr>\n<\/thead>\n
CVE-2025-55752<\/td>\nImportant<\/td>\n11.0.0-M1 to 11.0.10
10.1.0-M1 to 10.1.44
9.0.0.M11 to 9.0.108<\/td>\n		N\/A (Important)<\/td>\nDirectory traversal via rewritten URL normalization before decoding; enables file upload and RCE if PUT enabled. Bypasses \/WEB-INF\/ and \/META-INF\/ protections.<\/td>\nChumy Tsai (CyCraft) lists.apache<\/a>\u200b<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n

\u200b<\/p>\n

Console Manipulation Through Log Escapes<\/strong><\/h2>\n

In addition to the traversal issue, CVE-2025-55754<\/a> addresses improper neutralization of ANSI escape sequences in Tomcat\u2019s log messages.<\/p>\n

On Windows systems with ANSI-supporting consoles, attackers could craft URLs to inject sequences that manipulate the console display, clipboard, or even trick administrators into executing commands.<\/p>\n

Although no direct attack vector was identified for other OSes, the potential for social engineering<\/a> remains a concern. Rated Low severity, this flaw affects Tomcat 11.0.0-M1 to 11.0.10, 10.1.0-M1 to 10.1.44, and 9.0.0.40 to 9.0.108, plus select EOL versions like 8.5.60 to 8.5.100.\u200b<\/p>\n

Identified by Elysee Franchuk of MOBIA Technology Innovations, the issue arises from unescaped logs, allowing control sequences to influence terminal behavior without authentication<\/a>.\u200b<\/p>\n

\n\n\n\n\n\n
CVE ID<\/th>\nSeverity<\/th>\nAffected Versions<\/th>\nCVSS Score<\/th>\nTechnical Description<\/th>\nCredit<\/th>\n<\/tr>\n<\/thead>\n
CVE-2025-55754<\/td>\nLow<\/td>\n11.0.0-M1 to 11.0.10
10.1.0-M1 to 10.1.44
9.0.0.40 to 9.0.108<\/td>\n		N\/A (Low)<\/td>\nUnescaped ANSI sequences in logs enable console\/clipboard manipulation on Windows; potential command trickery via crafted URLs.<\/td>\nElysee Franchuk (MOBIA) lists.apache<\/a>\u200b<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n

Experts note that while less critical, combining this with other flaws could amplify threats in console-monitored setups.\u200b<\/p>\n

Mitigations<\/strong><\/h2>\n

Apache urges users to upgrade to mitigated versions: Tomcat 11.0.11, 10.1.45, or 9.0.109 and later, which address both vulnerabilities through enhanced URL handling and log escaping.<\/p>\n

Organizations should audit configurations, particularly those enabling PUT requests alongside rewrites, to prevent RCE chains. Given Tomcat\u2019s prevalence in Java-based applications, unpatched instances could face targeted attacks, echoing earlier exploits like CVE-2025-24813<\/a>.\u200b<\/p>\n

Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n

The post Apache Tomcat Security Vulnerabilities Expose Servers to Remote Code Execution Attacks<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n

\t

\n
<\/BR>
\n Guru Baran
\n \t

\n
<\/BR>
\nGo to cyber-security-news<\/a>
\n \t

\n
<\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"

Apache Tomcat Security Vulnerabilities Expose Servers to Remote Code Execution Attacks The Apache Software Foundation has highlighted critical flaws in Apache Tomcat, a widely used open-source Java servlet container that powers numerous web applications. On October 27, 2025, Apache disclosed two vulnerabilities, CVE-2025-55752 and CVE-2025-55754, affecting multiple versions of Tomcat. While the first poses a […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,131,648],"tags":[130],"class_list":["post-7988","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-vulnerability","category-vulnerability-news","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/7988"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=7988"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/7988\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=7988"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=7988"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=7988"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}