
Patched but Still Vulnerable - Apache Tomcat Continues to Have Dangerous Backdoor

Recently, the Apache Software Foundation announced two critical vulnerabilities affecting most versions of Apache Tomcat, one of which can lead to remote code execution (RCE).


Overview

At the end of October 2025, the Apache Software Foundation team announced two critical CVE vulnerabilities affecting multiple versions of Apache Tomcat. One of these vulnerabilities poses a high risk of remote code execution on vulnerable servers.

The two vulnerabilities announced are CVE-2025-55752 and CVE-2025-55754.

  • CVE-2025-55752: A directory traversal vulnerability that can lead to remote code execution (RCE) under certain configurations.

  • CVE-2025-55754: Incorrect handling of ANSI escape sequences in logs and consoles, which allows console manipulation; less dangerous than the first, but still significant.

These vulnerabilities are highly risky because Tomcat is often used in enterprise environments with many critical web applications. This means that if exploited, servers could be taken over or used as a springboard for further attacks.

Affected Versions

The affected versions include:

  • From 9.0.0-M11 to 9.0.108.

  • From 10.1.0-M1 to 10.1.44.

  • From 11.0.0-M1 to 11.0.10.

  • Versions 8.5.6 to 8.5.100 (EOL – End of Life) are also identified as affected.
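To turn the ranges above into something you can run against a server inventory, here is an added Python example (not from this advisory or from the Tomcat project) that parses Tomcat version strings, including milestone builds such as 9.0.0-M11, and reports whether a version falls inside the affected ranges listed above. The ranges are copied from the list as given; nothing is assumed about which later versions contain the fix.

```python
import re

# Affected ranges exactly as listed above (inclusive at both ends).
AFFECTED_RANGES = [
    ("8.5.6", "8.5.100"),
    ("9.0.0-M11", "9.0.108"),
    ("10.1.0-M1", "10.1.44"),
    ("11.0.0-M1", "11.0.10"),
]

# Milestones appear as 9.0.0-M11 in advisories and 9.0.0.M11 in some
# download listings; both separators are accepted here.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[-.]M(\d+))?$")


def parse_version(text):
    """Turn a Tomcat version string into a tuple that sorts correctly.

    Milestone builds (-Mn) precede the GA release of the same x.y.z, so the
    last element is (0, n) for a milestone and (1, 0) for a GA build.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    tail = (0, int(milestone)) if milestone else (1, 0)
    return (int(major), int(minor), int(patch), tail)


def is_affected(version):
    """True if the version lies inside one of the published affected ranges."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES)


def triage(versions):
    """Split an inventory of version strings into affected and not-affected lists."""
    hits = [v for v in versions if is_affected(v)]
    return hits, [v for v in versions if v not in hits]
```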

Description of the Vulnerability

  1. CVE-2025-55752

    • Vulnerability ID: CVE-2025-55752.

    • CVSS Score: 7.5/10, indicating a high severity level.

    • Attack Mechanism: This vulnerability may allow an attacker to perform Path Traversal, disclose sensitive information, or corrupt data.

    • Impact: There is a potential for remote exploitation and risk of RCE.

  2. CVE-2025-55754

    • Vulnerability ID: CVE-2025-55754.

    • CVSS Score: 9.6/10, indicating a high severity level.

    • Attack Mechanism: Vulnerability due to Improper Neutralization of Escape, Meta, or Control Sequences in Apache Tomcat.

    • Impact: Potential for remote exploitation and risk of RCE.

Details of the Vulnerability

First, we need to understand where the directory traversal vulnerability, CVE-2025-55752, comes from. A previous patch for bug 60013 changed the order in which Tomcat processes a rewritten URL: it now normalizes the rewritten string before decoding percent-encoded characters. As a result, an attacker can encode a URI so that the "protected" part (e.g., /WEB-INF/) is "hidden" at the moment the path is normalized, which bypasses path-based access checks that run on the normalized form.

Another precondition for exploitation is that RewriteValve must be enabled. RewriteValve is a Tomcat Valve that provides URL rewriting functionality similar to Apache HTTPD's mod_rewrite.

Now let's walk through how an attack would unfold. First, attackers need to find targets by checking whether the server runs Tomcat and whether RewriteValve is enabled (or rewrite rules are present). They will also check whether the server accepts write methods such as PUT or exposes any upload endpoints. The goal of this step is to find a way to write a file (e.g., a JSP) into a protected location (such as /WEB-INF/) or into the webroot so that it can later be executed.

The next step for the attacker is to prepare the payload. The payload is usually a file whose content confirms access (e.g., returning an identifying string); the specific harmful content is not described. The goal is for the file to be accessible or executed once it has been written into the webapp.

Next, the attacker uses an upload method (PUT, a POST to an upload endpoint, or an upload routed through a rewrite) to try to save the file to a path within the webapp.

As with any such flaw, the attacker must get past the server's filtering, and here that means bypassing the path check.

To do so, the attacker requests the uploaded file with a URI encoded so that Tomcat's path check, which runs on the normalized path before decoding, sees a "safe" path (for example, one not containing /WEB-INF/). After the server decodes the path, however, it actually resolves to /WEB-INF/<file>; if the server serves that file, the bypass has succeeded.
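The ordering problem described above (the root cause in the "Details" section and the bypass step just described) can be seen in a small model. This is an added Python example, not Tomcat's code: it models a path-based rule that must keep everything under /WEB-INF/ private, applies it once in the vulnerable order (normalize, check, then decode) and once in the hardened order (decode, normalize, then check), and uses a constructed request path to show that only the second order checks the same path it ends up resolving.

```python
import posixpath
from urllib.parse import unquote

PROTECTED_PREFIX = "/WEB-INF/"


def normalize(path):
    """Collapse '.' and '..' segments without touching percent-encoding,
    as a container's path normaliser does."""
    norm = posixpath.normpath(path)
    return norm if norm.startswith("/") else "/" + norm


def allowed(path):
    """The path-based access rule: nothing under /WEB-INF/ is served."""
    return not path.startswith(PROTECTED_PREFIX)


def serve_normalize_then_decode(raw):
    """Vulnerable ordering: the rule inspects the normalised but still-encoded
    path, while the resource is resolved only after decoding."""
    checked = normalize(raw)
    if not allowed(checked):
        return ("denied", checked)
    # Resolution sees the decoded path, so '..' hidden behind %2e%2e now takes effect.
    resolved = normalize(unquote(checked))
    return ("served", resolved)


def serve_decode_then_normalize(raw):
    """Hardened ordering: decode once, then normalise, then apply the rule to
    exactly the path that will be resolved. A '%' left after decoding means
    the input was encoded more than once, which is rejected outright."""
    decoded = unquote(raw)
    if "%" in decoded:
        return ("denied", decoded)
    canonical = normalize(decoded)
    if not allowed(canonical):
        return ("denied", canonical)
    return ("served", canonical)


# Constructed sample: the traversal segment is percent-encoded so that it
# survives normalisation untouched and only becomes '..' after decoding.
SAMPLE_REQUEST = "/app/%2e%2e/WEB-INF/web.xml"
```

Running both functions over SAMPLE_REQUEST shows the vulnerable order serving /WEB-INF/web.xml while the hardened order denies it; a plain "/app/../WEB-INF/web.xml" is denied by both, because there the traversal is visible at normalization time.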

Finally, if the file is server-side code (e.g., JSP) and can be reached, the attacker can execute code or use the file for further attacks. The ANSI escape sequence issue (CVE-2025-55754) adds a second risk: when escape sequences in the delivered payload end up in console or log output, they can manipulate the display and the clipboard contents, which can trick system administrators into executing commands controlled by the attacker.

Conclusion

The vulnerabilities CVE-2025-55752 and CVE-2025-55754 show that even widely used platforms like Tomcat can be affected by regression (fixing a previous bug creates a new vulnerability) and small but dangerous details (like ANSI escape sequences) that can be exploited by attackers. Organizations that assume "Tomcat is a stable platform" and do not check configurations or patch in a timely manner are paving the way for attacks.

Recommendations

  1. Update Tomcat immediately.

  2. If you cannot upgrade right away:

    • Disable or remove RewriteValve on instances that use it. Open server.xml / context.xml (or whichever configuration file declares <Valve className="org.apache.catalina.valves.rewrite.RewriteValve" .../>) and comment out or remove that element.

    • Disable (or block) HTTP PUT if you do not rely on uploads via PUT.

