CVE-2025-49124: CWE-426 Untrusted Search Path in Apache Software Foundation Apache Tomcat
Untrusted Search Path vulnerability in Apache Tomcat installer for Windows. During installation, the Tomcat installer for Windows used icacls.exe without specifying a full path. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0 through 10.1.41, from 9.0.23 through 9.0.105. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100 and 7.0.95 through 7.0.109. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.
AI Analysis
Technical Summary
CVE-2025-49124 is a high-severity vulnerability classified under CWE-426 (Untrusted Search Path) affecting multiple versions of the Apache Tomcat server on Windows platforms. The vulnerability arises from the Tomcat installer invoking the Windows utility icacls.exe without specifying its full path during installation. This improper handling of the executable path can allow an attacker to place a malicious icacls.exe in a directory that is searched before the legitimate system directory, causing the installer to execute the attacker's code instead of the genuine utility. This can lead to arbitrary code execution with the privileges of the user running the installer. The affected versions span from early milestone releases (11.0.0-M1) through 11.0.7, 10.1.0 through 10.1.41, and 9.0.23 through 9.0.105, as well as older end-of-life versions 8.5.0 through 8.5.100 and 7.0.95 through 7.0.109. The vulnerability is rated with a CVSS v3.1 score of 8.4, indicating high severity, with attack vector local (AV:L), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and full impact on confidentiality, integrity, and availability (C:H/I:H/A:H). Although no known exploits are reported in the wild yet, the nature of the vulnerability makes it a significant risk during installation or upgrade processes on Windows systems. The recommended remediation is to upgrade to fixed versions 11.0.8, 10.1.42, or 9.0.106 where the installer correctly specifies the full path to icacls.exe, mitigating the untrusted search path issue.
Potential Impact
For European organizations, this vulnerability poses a substantial risk, particularly during the installation or upgrade of Apache Tomcat on Windows servers. Since Tomcat is widely used across Europe for hosting Java-based web applications, exploitation could lead to unauthorized code execution, potentially allowing attackers to install backdoors, escalate privileges, or disrupt services. The impact extends to confidentiality breaches (data theft), integrity violations (tampering with application code or data), and availability disruptions (service outages). Given that the attack vector is local, the threat is most relevant in environments where attackers already have some level of access: compromised internal networks, malicious insiders, or social engineering that convinces administrators to run compromised installers. The lack of required privileges and user interaction increases the risk in scenarios where installation is automated or performed by less security-aware personnel. European organizations with critical infrastructure, financial services, government, and large enterprises relying on Tomcat for web services could face significant operational and reputational damage if exploited. Additionally, compliance with GDPR and other data protection regulations could be jeopardized if personal data is exposed or manipulated due to this vulnerability.
Mitigation Recommendations
To mitigate this vulnerability effectively, European organizations should:
1) Immediately upgrade Apache Tomcat installations on Windows to versions 11.0.8, 10.1.42, or 9.0.106 or later, which contain the fix specifying the full path to icacls.exe.
2) Implement strict controls over the installation environment, ensuring that only trusted directories are in the system PATH during installation to prevent malicious executables from being loaded.
3) Use application whitelisting and endpoint protection solutions to detect and block unauthorized executables, especially in directories that could be used for path hijacking.
4) Conduct thorough audits of installation procedures and scripts to verify that no untrusted paths are used when invoking system utilities.
5) Train IT staff and administrators on the risks of untrusted search paths and the importance of verifying installer integrity before execution.
6) Consider deploying Tomcat on non-Windows platforms or containerized environments where possible to reduce exposure to Windows-specific path hijacking risks.
7) Monitor logs and system behavior during and after installation for signs of suspicious activity or unexpected process execution.
These measures, combined with timely patching, will significantly reduce the risk posed by this vulnerability.
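The search-order hazard described in the Technical Summary, and the installation-environment audit called for in mitigations 2 and 4, as an added Python example that is not part of this advisory or of Apache Tomcat's installer: it models the two Windows lookup orders a bare `icacls.exe` can go through (which one the real installer hit is an assumption), flags any user-writable directory consulted before System32, and shows the fully qualified invocation the fix relies on. WINDIR, the sample directories and the list of user-writable locations are constructed values.

```python
"""Model where Windows resolves a bare 'icacls.exe' and which of those
locations a non-admin user could write to. Search orders modelled, assumed
here to match how the installer launches the utility:
  CreateProcess: app dir, current dir, System32, System, Windows dir, PATH.
  cmd.exe:       current dir, then PATH.
All directory names are constructed sample values, not advisory data.
"""
from dataclasses import dataclass
import ntpath

WINDIR = r"C:\Windows"                      # assumed, not read from the host
SYSTEM32 = ntpath.join(WINDIR, "System32")  # where the genuine icacls.exe lives

@dataclass(frozen=True)
class Finding:
    directory: str
    position: int  # index in the search order, 0 = consulted first

def _split_path(path_env: str) -> list[str]:
    return [d.strip() for d in path_env.split(";") if d.strip()]

def _norm(p: str) -> str:
    return ntpath.normcase(ntpath.normpath(p))

def createprocess_order(app_dir: str, cwd: str, path_env: str) -> list[str]:
    """Directories CreateProcess consults for an unqualified executable name."""
    return [app_dir, cwd, SYSTEM32, ntpath.join(WINDIR, "System"), WINDIR] + _split_path(path_env)

def cmd_order(cwd: str, path_env: str) -> list[str]:
    """Directories cmd.exe consults for an unqualified command name."""
    return [cwd] + _split_path(path_env)

def hijackable(order: list[str], genuine_dir: str, user_writable: list[str]) -> list[Finding]:
    """Writable directories consulted before the genuine one. An empty result
    means the lookup reaches the real binary before any user-controlled location."""
    writable = {_norm(w) for w in user_writable}
    findings = []
    for i, d in enumerate(order):
        if _norm(d) == _norm(genuine_dir):
            break  # the real icacls.exe wins from here on
        if _norm(d) in writable:
            findings.append(Finding(d, i))
    return findings

def safe_icacls_command(args: list[str]) -> list[str]:
    """The fixed form: an absolute path, so no search order is consulted at all."""
    return [ntpath.join(SYSTEM32, "icacls.exe"), *args]
```

Under the CreateProcess order, PATH entries are consulted only after System32, so the pre-System32 slots an installer exposes are its own directory and the current directory; under cmd.exe, every PATH entry listed before System32 is exposed too.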
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden, Belgium, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: apache
- Date Reserved: 2025-06-02T08:34:46.719Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 68502b73a8c92127438438cb
Added to database: 6/16/2025, 2:34:27 PM
Last enriched: 8/15/2025, 1:06:32 AM
Last updated: 9/26/2025, 11:28:36 PM