CVE-2025-49124: 
Apache Tomcat vulnerability analysis and mitigation

An Untrusted Search Path vulnerability (CVE-2025-49124) was discovered in the Apache Tomcat installer for Windows. The vulnerability was identified on June 16, 2025, affecting multiple versions of Apache Tomcat: versions 11.0.0-M1 through 11.0.7, 10.1.0 through 10.1.41, and 9.0.23 through 9.0.105. The vulnerability was discovered by T. Doğa Gelişli (Openwall).

The vulnerability stems from the Tomcat installer for Windows using icacls.exe without specifying a full path during the installation process. This is classified as an Untrusted Search Path vulnerability (CWE-426). The CVSS v3.1 base score is 8.4 (High) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, as assessed by CISA-ADP (NVD).

The vulnerability has been rated with a severity of 'High' with a CVSS score of 8.4, indicating significant potential impact on the system's confidentiality, integrity, and availability if exploited. The local attack vector and the absence of required privileges or user interaction make this vulnerability particularly concerning for affected systems (NVD).

Users are recommended to upgrade to the fixed versions: Apache Tomcat version 11.0.8, 10.1.42, or 9.0.106, which address this vulnerability. These updates implement proper path specifications for icacls.exe during the installation process (Openwall).