VYPR
Moderate severity · NVD Advisory · Published Jun 16, 2025 · Updated Oct 29, 2025

Apache Tomcat: exe side-loading via icacls.exe in Tomcat installer for Windows

CVE-2025-49124

Description

Untrusted Search Path vulnerability in Apache Tomcat installer for Windows. During installation, the Tomcat installer for Windows used icacls.exe without specifying a full path.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0 through 10.1.41, from 9.0.23 through 9.0.105. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100 and 7.0.95 through 7.0.109. Other EOL versions may also be affected.

Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Apache Tomcat installer for Windows calls icacls.exe without a full path, enabling untrusted search path attacks during installation.

Vulnerability

Details

The Apache Tomcat installer for Windows invokes icacls.exe without specifying a full path, creating an untrusted search path vulnerability [1][2][3][4]. During installation, the installer relies on the system's PATH environment variable to locate icacls.exe. If an attacker can place a malicious executable named icacls.exe in a directory that appears earlier in the search order than the legitimate system directory, the installer will execute the attacker's binary instead.

Exploitation

Exploitation requires local access to the system or the ability to write to a directory that is earlier in the PATH than %SystemRoot%\system32. No authentication beyond local user privileges is needed. The vulnerability is triggered during the installation process, which typically runs with elevated privileges.

Impact

Successful exploitation allows an attacker to execute arbitrary code with the privileges of the installer process, often leading to privilege escalation or full system compromise.

Mitigation

Apache has released fixed versions: Tomcat 11.0.8, 10.1.42, and 9.0.106 [1][2][3]. Users are advised to upgrade. No workaround is documented. End-of-life versions (8.5.x and 7.0.x) remain vulnerable and should be upgraded to a supported branch.
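The paragraphs above describe the flaw in terms of which directory wins when an executable is named without a path. The following Python is an added example, not code from the advisory or from the Tomcat project: it models the search order Microsoft documents for CreateProcess when a command carries no directory component (the calling program's own directory, the parent's current directory, the 32-bit system directory, the 16-bit system directory, the Windows directory, and only then the PATH entries; a name without an extension gets ".exe" appended), resolves a bare `icacls` and a system-directory-qualified `icacls` against a constructed file set, and lists any copy of the tool outside the system directory. All paths, `FAKE_FILES`, and the function names (`search_order`, `resolve_executable`, `shadowing_copies`, `demo`) are this example's own; note that in the documented order the installer's own directory and the current directory are consulted ahead of the system directory, which is why an advisory title of "exe side-loading" fits.

```python
import ntpath
from typing import Callable, Iterable, List, Optional

Exists = Callable[[str], bool]


def _with_exe(name: str) -> str:
    # CreateProcess appends ".exe" when the supplied name has no extension.
    return name if ntpath.splitext(name)[1] else name + ".exe"


def search_order(installer_dir: str, cwd: str, system_dir: str,
                 windows_dir: str, path_entries: Iterable[str]) -> List[str]:
    """Directories consulted, in order, for an unqualified executable name.

    This is the order Microsoft documents for CreateProcess when no
    application path is given: the directory the calling program loaded from,
    the parent's current directory, the 32-bit system directory, the 16-bit
    system directory (<windows>\\System), the Windows directory, then PATH.
    """
    return [installer_dir, cwd, system_dir,
            ntpath.join(windows_dir, "System"), windows_dir, *path_entries]


def resolve_executable(token: str, order: List[str], exists: Exists) -> Optional[str]:
    """Full path CreateProcess would run for `token`, or None if nothing matches.

    A token that already carries a directory component is taken literally and
    never triggers the search; that is the property the $SYSDIR\\icacls fix
    relies on.
    """
    if ntpath.dirname(token):
        candidate = _with_exe(token)
        return candidate if exists(candidate) else None
    for directory in order:
        candidate = ntpath.join(directory, _with_exe(token))
        if exists(candidate):
            return candidate
    return None


def shadowing_copies(name: str, order: List[str], system_dir: str, exists: Exists) -> List[str]:
    """Directories other than the system directory holding a file with the tool's name.

    Any entry here would be chosen over the real tool by an unqualified call
    from a program that loads from or runs in that directory, so a non-empty
    result is worth investigating on a host where installers are run.
    """
    seen, hits = set(), []
    for directory in order:
        key = ntpath.normcase(directory)
        if key in seen or key == ntpath.normcase(system_dir):
            continue
        seen.add(key)
        if exists(ntpath.join(directory, _with_exe(name))):
            hits.append(directory)
    return hits


# --- constructed demonstration data; not real system state -----------------
SYSTEM_DIR = r"C:\Windows\System32"
WINDOWS_DIR = r"C:\Windows"
DOWNLOADS = r"C:\Users\alice\Downloads"        # constructed: where the installer was launched from
PATH_ENTRIES = [r"C:\Windows\System32", r"C:\Windows", r"C:\Tools"]
FAKE_FILES = {
    ntpath.join(SYSTEM_DIR, "icacls.exe"),      # the legitimate tool
    ntpath.join(DOWNLOADS, "icacls.exe"),       # constructed: an unexpected copy beside the installer
}
ORDER = search_order(DOWNLOADS, DOWNLOADS, SYSTEM_DIR, WINDOWS_DIR, PATH_ENTRIES)


def demo():
    """Resolve the unpatched (bare) and patched ($SYSDIR-qualified) forms."""
    exists = FAKE_FILES.__contains__
    unqualified = resolve_executable("icacls", ORDER, exists)
    qualified = resolve_executable(ntpath.join(SYSTEM_DIR, "icacls"), ORDER, exists)
    return unqualified, qualified, shadowing_copies("icacls", ORDER, SYSTEM_DIR, exists)


if __name__ == "__main__":
    print(demo())
```

On a real Windows host the same functions can be driven with `os.path.exists` as the `exists` argument and the directory the installer was downloaded to as `installer_dir`; the `shadowing_copies` result is the detection check, while the two `resolve_executable` calls show why adding a directory component is a complete fix rather than a mitigation.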

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                    Ecosystem   Affected versions         Patched version
org.apache.tomcat.embed:tomcat-embed-core  Maven       >= 11.0.0-M1, < 11.0.8    11.0.8
org.apache.tomcat.embed:tomcat-embed-core  Maven       >= 10.1.0, < 10.1.42      10.1.42
org.apache.tomcat.embed:tomcat-embed-core  Maven       >= 9.0.23, < 9.0.106      9.0.106
org.apache.tomcat:tomcat                   Maven       >= 11.0.0-M1, < 11.0.8    11.0.8
org.apache.tomcat:tomcat                   Maven       >= 10.1.0, < 10.1.42      10.1.42
org.apache.tomcat:tomcat                   Maven       >= 9.0.23, < 9.0.106      9.0.106
org.apache.tomcat:tomcat-catalina          Maven       >= 11.0.0-M1, < 11.0.8    11.0.8
org.apache.tomcat:tomcat-catalina          Maven       >= 10.1.0, < 10.1.42      10.1.42
org.apache.tomcat:tomcat-catalina          Maven       >= 9.0.23, < 9.0.106      9.0.106
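Checking an installed Tomcat against these ranges is slightly awkward because the 11.0 branch starts at a milestone (11.0.0-M1), which sorts before 11.0.0. The following Python is an added example, not part of the advisory or of Tomcat: it parses Tomcat version strings, including the `-Mn` milestone suffix, and classifies a version against the inclusive ranges and fixed releases stated in the description above, including the two EOL branches. The function names (`parse_version`, `classify`) and the `AFFECTED_RANGES` table are this example's own; versions outside every listed range are reported as "not-listed" rather than "safe", because the description itself notes that other EOL versions may also be affected.

```python
import re
from typing import NamedTuple, Optional, Tuple

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")


class TomcatVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    final: int       # 0 for a milestone (M1, M2, ...), 1 for a GA release
    milestone: int   # milestone number, 0 for a GA release


def parse_version(text: str) -> TomcatVersion:
    """Parse '9.0.106' or '11.0.0-M1' into a tuple that orders milestones before GA."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, ms = m.groups()
    if ms is None:
        return TomcatVersion(int(major), int(minor), int(patch), 1, 0)
    return TomcatVersion(int(major), int(minor), int(patch), 0, int(ms))


# Inclusive affected ranges and the fixed release, as stated in the description.
# A fixed release of None marks a branch that was EOL when the CVE was created.
AFFECTED_RANGES = [
    ("11.0.0-M1", "11.0.7", "11.0.8"),
    ("10.1.0", "10.1.41", "10.1.42"),
    ("9.0.23", "9.0.105", "9.0.106"),
    ("8.5.0", "8.5.100", None),
    ("7.0.95", "7.0.109", None),
]


def classify(version: str) -> Tuple[str, Optional[str]]:
    """Return (status, fixed_in) where status is one of
    'affected', 'affected-eol', 'fixed' or 'not-listed'."""
    v = parse_version(version)
    for lo, hi, fixed in AFFECTED_RANGES:
        lo_v, hi_v = parse_version(lo), parse_version(hi)
        if lo_v <= v <= hi_v:
            return ("affected-eol", None) if fixed is None else ("affected", fixed)
        # A later release on the same branch as a fixed range carries the fix.
        if (fixed is not None and v >= parse_version(fixed)
                and (v.major, v.minor) == (hi_v.major, hi_v.minor)):
            return ("fixed", fixed)
    return ("not-listed", None)


if __name__ == "__main__":
    for sample in ["11.0.0-M1", "11.0.7", "11.0.8", "9.0.22", "8.5.100"]:
        print(sample, classify(sample))
```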

Affected products

6

Patches

3
28726cc2e63b

Use the full path when calling icacls.exe

https://github.com/apache/tomcat · Mark Thomas · Jun 4, 2025 · via ghsa
2 files changed · +7 −3
  • res/install-win/tomcat.nsi (+3 −3, modified)
    @@ -379,7 +379,7 @@ Section -post
       ; S-1-5-11     Authenticated users
       ;
       ; Grant admins, LocalService and Local System full control full control
    -  nsExec::ExecToStack 'icacls "$INSTDIR" /inheritance:r /grant *S-1-5-19:(OI)(CI)(F) /grant *S-1-5-32-544:(OI)(CI)(F) /grant *S-1-5-18:(OI)(CI)(F)'
    +  nsExec::ExecToStack '$SYSDIR\icacls "$INSTDIR" /inheritance:r /grant *S-1-5-19:(OI)(CI)(F) /grant *S-1-5-32-544:(OI)(CI)(F) /grant *S-1-5-18:(OI)(CI)(F)'
       Pop $0
       Pop $1
       StrCmp $0 "0" SetGroupPermissionsOk
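Review bot: the comment three lines above the changed call still reads "full control full control"; since this block is being edited anyway, the duplicated words could go in the same commit. The prefix itself does the job: `$SYSDIR\icacls` gives the command a directory component, so the executable is no longer located by search. For consistency with the changelog entry, which names `icacls.exe`, consider spelling the extension out in the command as well.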
    @@ -392,7 +392,7 @@ Section -post
       ClearErrors
     
       ; Make the icon readable to all authenticated users so it appears correctly in the uninstall UI
    -  nsExec::ExecToStack 'icacls "$INSTDIR\tomcat.ico" /inheritance:e /grant *S-1-5-11:(R)'
    +  nsExec::ExecToStack '$SYSDIR\icacls "$INSTDIR\tomcat.ico" /inheritance:e /grant *S-1-5-11:(R)'
       Pop $0
       Pop $1
       StrCmp $0 "0" SetIconPermissionsOk
    @@ -405,7 +405,7 @@ Section -post
       ClearErrors
     
       ; Make the uninstaller readable and executable to all authenticated users so the user that installed Tomcat can also uninstall it
    -  nsExec::ExecToStack 'icacls "$INSTDIR\Uninstall.exe" /inheritance:e /grant *S-1-5-11:(RX)'
    +  nsExec::ExecToStack '$SYSDIR\icacls "$INSTDIR\Uninstall.exe" /inheritance:e /grant *S-1-5-11:(RX)'
       Pop $0
       Pop $1
       StrCmp $0 "0" SetUninstallerPermissionsOk
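Review bot: this is the third of the three `icacls` invocations in tomcat.nsi given the `$SYSDIR\` prefix; it would be worth grepping the rest of the script for any other `nsExec::ExecToStack` call that names a tool without a directory component so the same treatment is applied uniformly rather than only where icacls is used.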
    
  • webapps/docs/changelog.xml (+4 −0, modified)
    @@ -193,6 +193,10 @@
             <code>service.bat</code>. Pull request provided by Markus Hoffrogge.
             (markt)
           </add>
    +      <fix>
    +        Use the full path when the installer for Windows sets calls
    +        <code>icacls.exe</code> to set file permissions. (markt)
    +      </fix>
         </changelog>
       </subsection>
     </section>
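Review bot: "when the installer for Windows sets calls" in the new changelog entry reads as a leftover from an earlier wording; suggest "Use the full path when the installer for Windows calls <code>icacls.exe</code> to set file permissions."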
    
c56456cda815

Use the full path when calling icacls.exe

https://github.com/apache/tomcat · Mark Thomas · Jun 4, 2025 · via ghsa
2 files changed · +7 −3
  • res/install-win/tomcat.nsi (+3 −3, modified)
    @@ -368,7 +368,7 @@ Section -post
       ; S-1-5-11     Authenticated users
       ;
       ; Grant admins, LocalService and Local System full control full control
    -  nsExec::ExecToStack 'icacls "$INSTDIR" /inheritance:r /grant *S-1-5-19:(OI)(CI)(F) /grant *S-1-5-32-544:(OI)(CI)(F) /grant *S-1-5-18:(OI)(CI)(F)'
    +  nsExec::ExecToStack '$SYSDIR\icacls "$INSTDIR" /inheritance:r /grant *S-1-5-19:(OI)(CI)(F) /grant *S-1-5-32-544:(OI)(CI)(F) /grant *S-1-5-18:(OI)(CI)(F)'
       Pop $0
       Pop $1
       StrCmp $0 "0" SetGroupPermissionsOk
    @@ -381,7 +381,7 @@ Section -post
       ClearErrors
     
       ; Make the icon readable to all authenticated users so it appears correctly in the uninstall UI
    -  nsExec::ExecToStack 'icacls "$INSTDIR\tomcat.ico" /inheritance:e /grant *S-1-5-11:(R)'
    +  nsExec::ExecToStack '$SYSDIR\icacls "$INSTDIR\tomcat.ico" /inheritance:e /grant *S-1-5-11:(R)'
       Pop $0
       Pop $1
       StrCmp $0 "0" SetIconPermissionsOk
    @@ -394,7 +394,7 @@ Section -post
       ClearErrors
     
       ; Make the uninstaller readable and executable to all authenticated users so the user that installed Tomcat can also uninstall it
    -  nsExec::ExecToStack 'icacls "$INSTDIR\Uninstall.exe" /inheritance:e /grant *S-1-5-11:(RX)'
    +  nsExec::ExecToStack '$SYSDIR\icacls "$INSTDIR\Uninstall.exe" /inheritance:e /grant *S-1-5-11:(RX)'
       Pop $0
       Pop $1
       StrCmp $0 "0" SetUninstallerPermissionsOk
    
  • webapps/docs/changelog.xml (+4 −0, modified)
    @@ -195,6 +195,10 @@
           <update>
             Update Checkstyle to 10.25.0. (markt)
           </update>
    +      <fix>
    +        Use the full path when the installer for Windows sets calls
    +        <code>icacls.exe</code> to set file permissions. (markt)
    +      </fix>
         </changelog>
       </subsection>
     </section>
    
e0e07812224d

Use the full path when calling icacls.exe

https://github.com/apache/tomcat · Mark Thomas · Jun 4, 2025 · via ghsa
2 files changed · +7 −3
  • res/install-win/tomcat.nsi (+3 −3, modified)
    @@ -379,7 +379,7 @@ Section -post
       ; S-1-5-11     Authenticated users
       ;
       ; Grant admins, LocalService and Local System full control full control
    -  nsExec::ExecToStack 'icacls "$INSTDIR" /inheritance:r /grant *S-1-5-19:(OI)(CI)(F) /grant *S-1-5-32-544:(OI)(CI)(F) /grant *S-1-5-18:(OI)(CI)(F)'
    +  nsExec::ExecToStack '$SYSDIR\icacls "$INSTDIR" /inheritance:r /grant *S-1-5-19:(OI)(CI)(F) /grant *S-1-5-32-544:(OI)(CI)(F) /grant *S-1-5-18:(OI)(CI)(F)'
       Pop $0
       Pop $1
       StrCmp $0 "0" SetGroupPermissionsOk
    @@ -392,7 +392,7 @@ Section -post
       ClearErrors
     
       ; Make the icon readable to all authenticated users so it appears correctly in the uninstall UI
    -  nsExec::ExecToStack 'icacls "$INSTDIR\tomcat.ico" /inheritance:e /grant *S-1-5-11:(R)'
    +  nsExec::ExecToStack '$SYSDIR\icacls "$INSTDIR\tomcat.ico" /inheritance:e /grant *S-1-5-11:(R)'
       Pop $0
       Pop $1
       StrCmp $0 "0" SetIconPermissionsOk
    @@ -405,7 +405,7 @@ Section -post
       ClearErrors
     
       ; Make the uninstaller readable and executable to all authenticated users so the user that installed Tomcat can also uninstall it
    -  nsExec::ExecToStack 'icacls "$INSTDIR\Uninstall.exe" /inheritance:e /grant *S-1-5-11:(RX)'
    +  nsExec::ExecToStack '$SYSDIR\icacls "$INSTDIR\Uninstall.exe" /inheritance:e /grant *S-1-5-11:(RX)'
       Pop $0
       Pop $1
       StrCmp $0 "0" SetUninstallerPermissionsOk
    
  • webapps/docs/changelog.xml (+4 −0, modified)
    @@ -191,6 +191,10 @@
           <update>
             Update Checkstyle to 10.25.0. (markt)
           </update>
    +      <fix>
    +        Use the full path when the installer for Windows sets calls
    +        <code>icacls.exe</code> to set file permissions. (markt)
    +      </fix>
         </changelog>
       </subsection>
     </section>
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

10

News mentions

0

No linked articles in our index yet.