Critical Apache Tomcat Flaws Expose Servers to RCE and Console Hijacking

Apache Software Foundation Patches Critical Tomcat Vulnerabilities Leading to Potential RCE

HIGH
October 28, 2025
5m read
Vulnerability, Patch Management, Cyberattack

Full Report

Executive Summary

The Apache Software Foundation has disclosed and patched two vulnerabilities in its widely deployed Apache Tomcat servlet container. The more serious of the two, CVE-2025-55752, is a directory traversal flaw (rated Important by the ASF) that can lead to remote code execution (RCE) in non-default configurations that allow HTTP PUT. The second, lower-severity issue, CVE-2025-55754, is a failure to escape ANSI escape sequences in log messages, which an attacker can use to manipulate the console when Tomcat is run in a console on Windows. The vulnerabilities affect the Tomcat 9, 10 and 11 branches; administrators should apply the fixed releases published on October 27, 2025.


Vulnerability Details

CVE-2025-55752: Directory Traversal with Potential RCE (Severity: Important)

This vulnerability is a regression introduced by the fix for an earlier bug. It arises from the way Tomcat handles URL rewrites that affect the query string: the rewritten URL is normalized before it is percent-decoded, so an encoded traversal sequence survives normalization and the security checks that run on the normalized path, and is only decoded afterwards. An attacker can therefore craft a request URI that bypasses the security constraints protecting /WEB-INF/ (which contains web.xml, application classes and libraries) and /META-INF/ (which holds deployment metadata such as the manifest and context.xml).

The direct impact is information disclosure: configuration files, compiled classes and bundled libraries in those directories can be read. If the Default servlet has additionally been configured to accept HTTP PUT requests (readonly=false, which is not the default), the same traversal lets an attacker write a file such as a JSP web shell into a web-accessible location and then execute it, achieving remote code execution (ATT&CK T1505.003, Server Software Component: Web Shell).
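
The ordering error behind CVE-2025-55752, reduced to a toy model (an added example, not Tomcat's code): a security constraint on /WEB-INF/ and /META-INF/ is evaluated against a path that was normalized before percent-decoding, so an encoded ".." segment passes the check and is only collapsed when the file is resolved. The request paths are constructed for the example, and the real flaw is reached through rewrite rules that affect the query string, which this model does not reproduce; it shows only why "normalize, check, then decode" is the wrong order.

```python
import posixpath
from urllib.parse import unquote

# Toy model of the ordering bug (added example, not Tomcat's code). A security
# constraint on /WEB-INF/ and /META-INF/ is applied to a request path; the
# vulnerable variant normalizes the path before percent-decoding it, the fixed
# variant decodes first. Request paths used with it are constructed.

PROTECTED_PREFIXES = ("/WEB-INF/", "/META-INF/")


def normalize(path):
    """Collapse '.' and '..' segments the way a file resolver would."""
    return posixpath.normpath(path)


def is_protected(path):
    # The servlet spec treats these directory names case-insensitively.
    return path.upper().startswith(PROTECTED_PREFIXES)


def resolve_vulnerable(request_path):
    """Normalize, check the constraint, then decode (the regressed order).
    Returns (path actually served, whether the constraint fired)."""
    checked = normalize(request_path)          # "%2e%2e" is not ".." yet, so nothing collapses
    blocked = is_protected(checked)            # constraint sees "/app/%2e%2e/WEB-INF/..."
    served = normalize(unquote(checked))       # file layer decodes and collapses to /WEB-INF/...
    return served, blocked


def resolve_fixed(request_path):
    """Decode, then normalize, then check: the constraint sees the real path."""
    checked = normalize(unquote(request_path))
    return checked, is_protected(checked)
```

With the vulnerable order a request for /app/%2e%2e/WEB-INF/web.xml is served as /WEB-INF/web.xml without the constraint firing, while the literal /app/../WEB-INF/web.xml is still blocked; with the fixed order both forms are blocked.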

CVE-2025-55754: Improper Neutralization of ANSI Escape Sequences (Severity: Low)

This flaw affects Tomcat when it is run in a console on Windows, where the console interprets ANSI escape sequences. Tomcat did not escape ANSI escape sequences in log messages, so an attacker can craft a request URL that, when logged, writes escape sequences to the console. Those sequences can manipulate the console display, potentially alter clipboard content, or be used to trick the administrator into running a command. The same risk applies to log files that contain such sequences and are later viewed in a terminal that renders them.

Affected Systems

The vulnerabilities impact a wide range of Tomcat versions:

  • Apache Tomcat 11: 11.0.0-M1 to 11.0.10
  • Apache Tomcat 10: 10.1.0-M1 to 10.1.44
  • Apache Tomcat 9: 9.0.0.M11 to 9.0.108

Users are urged to upgrade to the following patched versions:

  • Tomcat 11.0.11 or later
  • Tomcat 10.1.45 or later
  • Tomcat 9.0.109 or later
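
Checking an inventory against the ranges above, as an added example (not from the article): the parser accepts both milestone spellings Tomcat has used, "9.0.0.M11" for Tomcat 9 and "10.1.0-M1" / "11.0.0-M1" for 10 and 11, and sorts a milestone before the GA release with the same numbers. Branches the advisory does not list (for example 8.5.x) are reported as unlisted rather than safe.

```python
import re

# Added example: classify a Tomcat version string against the affected and
# fixed versions listed in the advisory. Both milestone spellings Tomcat has
# used are accepted: "9.0.0.M11" (Tomcat 9) and "10.1.0-M1" / "11.0.0-M1".

FIRST_AFFECTED = {11: "11.0.0-M1", 10: "10.1.0-M1", 9: "9.0.0.M11"}
FIRST_FIXED = {11: "11.0.11", 10: "10.1.45", 9: "9.0.109"}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")


def parse_version(text):
    """Return a sortable tuple. A milestone sorts before the GA release with
    the same numbers, so 11.0.0-M1 < 11.0.0-M2 < 11.0.0 < 11.0.1."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    ga = 1 if milestone is None else 0
    return (int(major), int(minor), int(patch), ga, int(milestone or 0))


def assess(version):
    """One of 'vulnerable', 'patched', 'not in listed range', 'branch not listed'."""
    v = parse_version(version)
    branch = v[0]
    if branch not in FIRST_FIXED:
        # Not covered by this advisory (e.g. 8.5.x); do not treat as safe.
        return "branch not listed"
    if v >= parse_version(FIRST_FIXED[branch]):
        return "patched"
    if v >= parse_version(FIRST_AFFECTED[branch]):
        return "vulnerable"
    return "not in listed range"   # e.g. 9.0.0.M1 to 9.0.0.M10


def triage(versions):
    """Map each observed version string to its assessment; strings that do
    not parse are reported as 'unparsable' rather than silently skipped."""
    result = {}
    for ver in versions:
        try:
            result[ver] = assess(ver)
        except ValueError:
            result[ver] = "unparsable"
    return result
```

Feed triage() the version strings your inventory tool reports (for example the "Apache Tomcat/9.0.108" banner with the prefix stripped) and patch everything that comes back "vulnerable" or "branch not listed" first.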

Exploitation Status

There are no public reports of active exploitation for these vulnerabilities. However, vulnerabilities in ubiquitous software like Apache Tomcat are prime targets for automated scanning and exploitation by threat actors once a proof-of-concept becomes available.

Impact Assessment

  • CVE-2025-55752: The primary risk is information disclosure from protected directories. In the worst-case scenario (with PUT enabled), the impact is a full server compromise via RCE, allowing an attacker to steal data, pivot to other network systems, or use the server for malicious activities.
  • CVE-2025-55754: The impact is lower but still significant. It could facilitate social engineering attacks against administrators, leading to further compromise if an admin is tricked into executing malicious commands.

Cyber Observables for Detection

  • url_pattern: "..;" or other path-traversal sequences in query parameters, including percent-encoded forms such as %2e%2e and %2f. Look for them in the query-string portion of URLs in web server access logs, especially on requests that hit rewrite rules.
  • log_source: Tomcat logs (console output, catalina.out). Scan for ANSI escape sequences (ESC, 0x1b, usually followed by "[", shown as \u001b[ or ^[[), which could indicate attempts to exploit CVE-2025-55754; in access logs the same sequence arrives URL-encoded as %1b.
  • http_method: PUT. Monitor for PUT requests to unexpected endpoints, which could signify an attempt to upload a file via CVE-2025-55752.

Detection Methods

  • Version Scanning: Use asset inventory and vulnerability management tools to identify all instances of Apache Tomcat in your environment and check if they are running a vulnerable version.
  • Configuration Review: Check the Default servlet definition in conf/web.xml (and any per-application WEB-INF/web.xml that overrides it) for an init-param named readonly set to false, which enables PUT and DELETE. Systems with this configuration are at much higher risk and should be prioritized for patching.
  • Web Application Firewall (WAF): Deploy WAF rules to detect and block common directory traversal patterns and the upload of suspicious file types like .jsp.
  • D3FEND Techniques: Employ D3-NTA: Network Traffic Analysis to monitor for anomalous HTTP requests and D3-FA: File Analysis on uploaded files.
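
The observables and detection methods above, as an added example (not from the original article): a scanner run over a few constructed access-log lines in Tomcat's common access-log pattern ("%h %l %u %t \"%r\" %s %b"). It flags traversal sequences in the query string (raw and percent-encoded) and the "..;" form in the path, PUT requests, and ANSI escape sequences whether they appear raw or URL-encoded. The hosts, paths and timestamps in the sample are made up.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Tomcat common pattern); every host,
# path and timestamp here is made up for the example.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Oct/2025:10:15:01 +0000] "GET /app/index.jsp HTTP/1.1" 200 512
10.0.0.7 - - [28/Oct/2025:10:15:03 +0000] "GET /app/rewrite?next=..%2F..%2FWEB-INF%2Fweb.xml HTTP/1.1" 200 1024
10.0.0.7 - - [28/Oct/2025:10:15:05 +0000] "PUT /app/upload/cmd.jsp HTTP/1.1" 201 0
10.0.0.9 - - [28/Oct/2025:10:15:09 +0000] "GET /%1b[2J%1b[31mSYSTEM%20HALTED HTTP/1.1" 404 0
10.0.0.5 - - [28/Oct/2025:10:15:12 +0000] "GET /app/search?q=hello HTTP/1.1" 200 88
"""

# Request line inside the quoted "%r" field.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# ".." followed by a separator: "/", "\", their percent-encodings, or ";"
# (the "..;" form Tomcat treats as a path parameter).
TRAVERSAL_RE = re.compile(r"(?:\.\.|%2e%2e)(?:/|\\|%2f|%5c|;)", re.IGNORECASE)
# ESC (0x1b) as a raw byte or as %1b in a URL, followed by the CSI "[".
ANSI_RE = re.compile(r"(?:\x1b|%1b)\[", re.IGNORECASE)


def scan_line(line_no, line):
    """Return (line_no, rule, request_target) findings for one log line."""
    findings = []
    m = REQUEST_RE.search(line)
    if not m:
        return findings
    method, target = m.group("method"), m.group("target")
    path, _, query = target.partition("?")
    # Test both the raw and the decoded form so %2e%2e and ".." match alike;
    # report the raw target so the analyst sees exactly what was sent.
    if query and (TRAVERSAL_RE.search(query) or TRAVERSAL_RE.search(unquote(query))):
        findings.append((line_no, "traversal_in_query", target))
    if TRAVERSAL_RE.search(path) or TRAVERSAL_RE.search(unquote(path)):
        findings.append((line_no, "traversal_in_path", target))
    if method == "PUT":
        findings.append((line_no, "put_request", target))
    if ANSI_RE.search(line) or ANSI_RE.search(unquote(target)):
        findings.append((line_no, "ansi_escape", target))
    return findings


def scan(text):
    """Scan a whole log (one request per line) and return all findings."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        findings.extend(scan_line(n, line))
    return findings


if __name__ == "__main__":
    for line_no, rule, target in scan(SAMPLE_LOG):
        print(f"line {line_no}: {rule}: {target}")
```

A PUT hit on its own is not proof of exploitation (some applications legitimately use PUT), but a PUT to a .jsp path, or a PUT from a client that also sent traversal sequences, should be escalated and the target file checked on disk.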

Remediation Steps

  1. Upgrade Tomcat: The primary and most effective remediation is to upgrade all Tomcat instances to a patched version (11.0.11+, 10.1.45+, or 9.0.109+).
  2. Disable PUT Requests: As a workaround and general best practice, ensure that PUT requests are disabled unless absolutely necessary for application functionality. This can be done by ensuring the readonly init parameter for the Default servlet is set to true in conf/web.xml.
  3. Sanitize Log Output: To mitigate CVE-2025-55754, avoid viewing logs with tools that pass control characters straight through to the terminal (cat, less -r); plain less, or cat -v, shows escape sequences as visible caret notation instead of letting the terminal act on them. Prefer log viewers that strip or escape control characters.
  4. D3FEND Countermeasures: see the D3FEND Defensive Countermeasures section below.

Timeline of Events

  1. October 27, 2025: The Apache Software Foundation releases security advisories and patched versions for Tomcat.
  2. October 28, 2025: This article was published.

MITRE ATT&CK Mitigations

  • Upgrading to a patched version of Apache Tomcat is the most effective mitigation.
  • As a workaround, ensure the 'readonly' parameter is set to true to disable PUT requests, mitigating the RCE vector for CVE-2025-55752.
  • Use a Web Application Firewall (WAF) to filter for directory traversal and other malicious request patterns.

D3FEND Defensive Countermeasures

The definitive countermeasure for both CVE-2025-55752 and CVE-2025-55754 is to upgrade all Apache Tomcat instances to a patched version. Administrators must identify all vulnerable servers and update them to Tomcat 11.0.11+, 10.1.45+, or 9.0.109+. Given the ubiquity of Tomcat, a comprehensive asset inventory is the first step. Patching should be prioritized based on the server's exposure and configuration. Internet-facing servers and those confirmed to have PUT requests enabled (readonly=false) are at the highest risk for RCE and must be patched immediately. This action directly closes the directory traversal and ANSI escape sequence vulnerabilities at the source code level.

As a critical mitigating control for CVE-2025-55752, administrators must review and harden their Tomcat configurations. Specifically, locate the Default servlet definition in conf/web.xml and ensure the readonly initialization parameter is set to true (or not present, as true is the default). Setting <param-value>true</param-value> explicitly disables HTTP methods like PUT and DELETE. This single configuration change prevents the directory traversal flaw from being escalated to remote code execution, as the attacker would no longer have a method to upload their malicious file. This is an essential defense-in-depth measure that should be standard practice for all production Tomcat deployments, as write operations should rarely be handled by the default servlet.
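
The configuration review from the remediation steps and the paragraph above, as an added example (not from the article or the Tomcat project): locate the DefaultServlet definition in a web.xml, report whether readonly is false (so PUT and DELETE are accepted), and rewrite an explicit false to true. The web.xml fragments are constructed for the example and use the Tomcat 10/11 namespace; Tomcat 9 files carry the http://xmlns.jcp.org/xml/ns/javaee namespace, which the same code handles because it matches on local tag names.

```python
import xml.etree.ElementTree as ET

DEFAULT_SERVLET_CLASS = "org.apache.catalina.servlets.DefaultServlet"

# Constructed conf/web.xml fragment for this example: the DefaultServlet with
# readonly explicitly set to false, i.e. PUT and DELETE enabled.
WRITABLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>debug</param-name>
      <param-value>0</param-value>
    </init-param>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""

# Same fragment without the readonly parameter: the stock layout, where the
# absent parameter means the default, true.
STOCK_WEB_XML = WRITABLE_WEB_XML.replace(
    "    <init-param>\n      <param-name>readonly</param-name>\n"
    "      <param-value>false</param-value>\n    </init-param>\n", "")


def _local(tag):
    """Strip the XML namespace: '{uri}servlet' -> 'servlet'."""
    return tag.rsplit("}", 1)[-1]


def find_default_servlet(root):
    """Return the <servlet> element whose class is DefaultServlet, or None."""
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        for child in servlet:
            if _local(child.tag) == "servlet-class" and (child.text or "").strip() == DEFAULT_SERVLET_CLASS:
                return servlet
    return None


def init_params(servlet):
    """Map param-name -> <param-value> element for the servlet's init-params."""
    params = {}
    for ip in servlet:
        if _local(ip.tag) != "init-param":
            continue
        name = value_el = None
        for child in ip:
            if _local(child.tag) == "param-name":
                name = (child.text or "").strip()
            elif _local(child.tag) == "param-value":
                value_el = child
        if name and value_el is not None:
            params[name] = value_el
    return params


def put_enabled(xml_text):
    """True when DefaultServlet would accept PUT/DELETE (readonly=false).
    A missing readonly parameter is the default, true, so PUT is rejected."""
    servlet = find_default_servlet(ET.fromstring(xml_text))
    if servlet is None:
        return False
    value_el = init_params(servlet).get("readonly")
    if value_el is None:
        return False
    return (value_el.text or "").strip().lower() == "false"


def harden(xml_text):
    """Return the web.xml with an explicit readonly=false flipped to true.
    Keeps the file's default namespace unprefixed so the output stays loadable."""
    root = ET.fromstring(xml_text)
    if root.tag.startswith("{"):
        ET.register_namespace("", root.tag[1:].split("}", 1)[0])
    servlet = find_default_servlet(root)
    if servlet is not None:
        value_el = init_params(servlet).get("readonly")
        if value_el is not None:
            value_el.text = "true"
    return ET.tostring(root, encoding="unicode")
```

Run put_enabled() over conf/web.xml and every deployed application's WEB-INF/web.xml, since an application can redeclare the default servlet with its own init-params; anything that returns True is a PUT-enabled host and belongs at the top of the patch queue.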

Sources & References

  • Red Hot Cyber (redhotcyber.com), "Apache Tomcat Vulnerability: Update Now to Avoid Security Risks", October 28, 2025
  • Apache Tomcat (tomcat.apache.org), "Apache Tomcat 9 vulnerabilities", October 27, 2025

Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Areas: Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

Apache Tomcat, Vulnerability, RCE, Directory Traversal, Patch Management, Java
