## Apache Tomcat Windows Installer Contains Untrusted Search Path Vulnerability (CVE-2025-49124)
A moderate-severity vulnerability in the Apache Tomcat installer for Windows exposes systems to potential local privilege escalation. The flaw, tracked as CVE-2025-49124 (GHSA-42wg-hm62-jcwg), is an untrusted search path issue. During installation, the installer calls the system utility `icacls.exe` by bare name, without specifying its full path, so Windows resolves the name through its executable search order. This creates a window for a local attacker to place a malicious executable with the same name in a directory that is searched before the legitimate Windows system directory. If successful, the attacker's code would execute with the installer's privileges.
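The following PowerShell script is an added example, not code from the Apache Tomcat project or from the advisory. It reproduces the search order Windows applies when a program is started by bare name (the application's own directory, then the current directory, then `System32`) and reports, from a defender's side, which of the directories consulted before `System32` are writable by the current user or already hold a file named `icacls.exe`. The `$InstallerDir` default (the user's Downloads folder) and the probe-file method are assumptions chosen for the example; the fixed versions quoted in the warning are the ones named on this page.

```powershell
# Added example (not Apache Tomcat project code). Audits the directories that
# the CreateProcess search order consults before %SystemRoot%\System32 when
# an executable is launched by bare name, which is the condition behind
# CVE-2025-49124. Run it as the account that would run the installer.

param(
    [string]$Executable   = 'icacls.exe',                              # binary the unpatched installer called by bare name
    [string]$InstallerDir = (Join-Path $env:USERPROFILE 'Downloads')   # assumed location of the installer .exe
)

function Test-DirectoryWritable {
    param([string]$Dir)
    # Probe by creating and removing a uniquely named file: an actual write is
    # exactly what planting a look-alike binary would require, and it avoids
    # hand-parsing ACLs.
    if (-not (Test-Path -LiteralPath $Dir -PathType Container)) { return $false }
    $probe = Join-Path $Dir ("probe_{0}.tmp" -f [guid]::NewGuid())
    try {
        [System.IO.File]::WriteAllText($probe, '')
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

$system32 = Join-Path $env:SystemRoot 'System32'
$trusted  = Join-Path $system32 $Executable

# Directories searched before the system directory when no path is supplied:
# the application directory first, then the parent's current directory.
$searchedBeforeSystem32 = @($InstallerDir, (Get-Location).Path)

$findings = foreach ($dir in $searchedBeforeSystem32) {
    $candidate = Join-Path $dir $Executable
    [pscustomobject]@{
        Directory     = $dir
        Writable      = Test-DirectoryWritable -Dir $dir
        ShadowPresent = Test-Path -LiteralPath $candidate -PathType Leaf
    }
}

$findings | Format-Table -AutoSize

if (Test-Path -LiteralPath $trusted -PathType Leaf) {
    Write-Host "Binary the installer should invoke by full path: $trusted"
}

if ($findings | Where-Object { $_.Writable -or $_.ShadowPresent }) {
    Write-Warning ("A directory searched before System32 is writable or already contains {0}. " +
                   "Launch the installer from a directory only administrators can write to, " +
                   "and use a patched installer (11.0.8, 10.1.42 or 9.0.106).") -f $Executable
}
```

The remediation pattern the check points at is the one the patched releases use for the installer itself: invoke the utility by its absolute `System32` path rather than relying on name resolution, so that neither the installer's own directory nor the current directory can supply a substitute.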

The vulnerability affects a wide range of Tomcat versions on the Windows platform. Specifically, it impacts Apache Tomcat from 11.0.0-M1 through 11.0.7, from 10.1.0 through 10.1.41, and from 9.0.23 through 9.0.105. This spans the current major release branches, indicating the vulnerability was introduced into the Windows installer script and persisted for multiple release cycles. The Common Weakness Enumeration (CWE) identifier is CWE-426, which classifies it as an 'Untrusted Search Path' flaw.

The Apache Tomcat project has released patched versions to remediate the issue. Users are strongly advised to upgrade to Tomcat version 11.0.8, 10.1.42, or 9.0.106, depending on their branch. While the CVSS score is not yet formally assigned, the 'MODERATE' severity rating suggests the risk is contingent on an attacker having some level of pre-existing local access to the target machine. Even so, for organizations deploying Tomcat on Windows servers, this vulnerability adds a tangible attack vector that could be chained with other exploits, which matters given Tomcat's widespread use in enterprise Java applications.
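As an added example (not code from the Apache Tomcat project or the advisory), the following PowerShell script turns the affected ranges and fixed versions listed on this page into a check an administrator can run against an installed Tomcat. It reads the version string from `ServerInfo.properties` inside `lib\catalina.jar`, which is where Tomcat records `server.info=Apache Tomcat/<version>`, and compares it, milestone-aware (`11.0.0-M1` sorts before `11.0.0`), against the three affected ranges. The `$CatalinaHome` default is an assumed install path.

```powershell
# Added example, not Apache Tomcat project code. Reports whether an installed
# Tomcat falls in the CVE-2025-49124 affected ranges named in the advisory and
# which fixed release to move to.

param(
    [string]$CatalinaHome = 'C:\Program Files\Apache Software Foundation\Tomcat 9.0'   # assumed path
)

# Ranges and fixed versions exactly as stated in the advisory.
$AffectedRanges = @(
    @{ From = '11.0.0-M1'; To = '11.0.7';  Fixed = '11.0.8'  },
    @{ From = '10.1.0';    To = '10.1.41'; Fixed = '10.1.42' },
    @{ From = '9.0.23';    To = '9.0.105'; Fixed = '9.0.106' }
)

function ConvertTo-TomcatVersionKey {
    # Maps "major.minor.patch[-Mn]" to four integers so versions compare
    # lexicographically; a GA release gets milestone rank 999 so it sorts
    # after every milestone of the same number.
    param([string]$Version)
    if ($Version -notmatch '^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?') {
        throw "Unrecognised Tomcat version string '$Version'"
    }
    $milestone = if ($Matches[4]) { [int]$Matches[4] } else { 999 }
    return [int[]]@([int]$Matches[1], [int]$Matches[2], [int]$Matches[3], $milestone)
}

function Compare-TomcatVersionKey {
    param([int[]]$A, [int[]]$B)
    for ($i = 0; $i -lt 4; $i++) {
        if ($A[$i] -ne $B[$i]) { return $A[$i] - $B[$i] }
    }
    return 0
}

function Test-Cve202549124Affected {
    param([string]$Version)
    $key = ConvertTo-TomcatVersionKey -Version $Version
    foreach ($range in $AffectedRanges) {
        $low  = ConvertTo-TomcatVersionKey -Version $range.From
        $high = ConvertTo-TomcatVersionKey -Version $range.To
        if ((Compare-TomcatVersionKey $key $low) -ge 0 -and (Compare-TomcatVersionKey $key $high) -le 0) {
            return [pscustomobject]@{ Version = $Version; Affected = $true;  UpgradeTo = $range.Fixed }
        }
    }
    return [pscustomobject]@{ Version = $Version; Affected = $false; UpgradeTo = $null }
}

function Get-TomcatVersionFromJar {
    # Reads server.info from org/apache/catalina/util/ServerInfo.properties in catalina.jar.
    param([string]$Home)
    Add-Type -AssemblyName System.IO.Compression.FileSystem
    $jar = Join-Path $Home 'lib\catalina.jar'
    $zip = [System.IO.Compression.ZipFile]::OpenRead($jar)
    try {
        $entry  = $zip.GetEntry('org/apache/catalina/util/ServerInfo.properties')
        if (-not $entry) { throw "ServerInfo.properties not found in $jar" }
        $reader = New-Object System.IO.StreamReader($entry.Open())
        try { $text = $reader.ReadToEnd() } finally { $reader.Dispose() }
    } finally {
        $zip.Dispose()
    }
    if ($text -match 'server\.info=Apache Tomcat/(\S+)') { return $Matches[1] }
    throw "server.info line not found in $jar"
}

# Self-check on constructed version strings covering range edges and milestones.
foreach ($v in '9.0.22', '9.0.23', '9.0.105', '9.0.106', '10.1.41', '11.0.0-M1', '11.0.7', '11.0.8') {
    Test-Cve202549124Affected -Version $v
}

# Check the installed instance, if the assumed path exists.
if (Test-Path -LiteralPath (Join-Path $CatalinaHome 'lib\catalina.jar')) {
    Test-Cve202549124Affected -Version (Get-TomcatVersionFromJar -Home $CatalinaHome)
}
```

Because the flaw lives in the installer rather than in the running server, the installed version is a proxy: it tells you which installer build was used, and whether the installer that ran on that host predates the fix.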

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: vulnerability, CVE-2025-49124, Apache Tomcat, Windows, privilege escalation
- **Credibility**: unverified
- **Published**: 2026-04-14 02:22:43
- **ID**: 62940
- **URL**: https://whisperx.ai/en/intel/62940