
CVE-2025-49124: CWE-426 Untrusted Search Path in Apache Software Foundation Apache Tomcat

Severity: High
Type: Vulnerability (CVE-2025-49124, CWE-426)
Published: Mon Jun 16 2025 (06/16/2025, 14:22:16 UTC)
Source: CVE Database V5
Vendor/Project: Apache Software Foundation
Product: Apache Tomcat

Description

Untrusted Search Path vulnerability in Apache Tomcat installer for Windows. During installation, the Tomcat installer for Windows used icacls.exe without specifying a full path. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0 through 10.1.41, from 9.0.23 through 9.0.105. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100 and 7.0.95 through 7.0.109. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.

AI-Powered Analysis

Last updated: 08/08/2025, 00:39:08 UTC

Technical Analysis

CVE-2025-49124 is a high-severity vulnerability in the Apache Tomcat installer for Windows. The root cause is an untrusted search path (CWE-426) during installation: the installer invokes the Windows utility icacls.exe by name only, without its full filesystem path, so Windows resolves the executable by walking the directories listed in the PATH environment variable of the installer process. An attacker who can place a malicious executable named icacls.exe in a directory that is searched before the legitimate Windows system directory can therefore cause the installer to run that executable instead of the genuine utility. The vulnerability affects Apache Tomcat versions 11.0.0-M1 through 11.0.7, 10.1.0 through 10.1.41, and 9.0.23 through 9.0.105; the end-of-life 8.5.0 through 8.5.100 and 7.0.95 through 7.0.109 releases are also known to be affected. The impact is serious because the substituted executable runs with the privileges of the user running the installer, potentially resulting in full system compromise. The CVSS v3.1 score is 8.4, reflecting high impact on confidentiality, integrity, and availability, with low attack complexity, no privileges required, and no user interaction needed beyond running the installer. The issue is fixed in Apache Tomcat versions 11.0.8, 10.1.42, and 9.0.106, whose installer calls icacls.exe by its full path, so the PATH lookup no longer takes place. No exploits are currently known in the wild, but the nature of the vulnerability makes it a significant risk, especially in environments where Tomcat is installed on Windows hosts.

Potential Impact

For European organizations, this vulnerability poses a substantial risk, particularly to those deploying Apache Tomcat on Windows servers or workstations. Successful exploitation could allow attackers to execute arbitrary code during installation, potentially leading to full system compromise, data breaches, or disruption of critical services. Given Apache Tomcat's widespread use in enterprise web applications, including government, finance, healthcare, and industrial sectors across Europe, the impact could extend to sensitive personal data, intellectual property, and operational continuity. Exploitation requires no user interaction beyond running the installer, which increases the risk in environments where software installation is performed without strict controls. Additionally, compromised systems could be used as footholds for lateral movement within corporate networks, amplifying the threat. The current absence of known exploits in the wild provides a window for proactive mitigation, but the high CVSS score underscores the urgency of patching.

Mitigation Recommendations

European organizations should immediately verify their Apache Tomcat installations on Windows platforms and upgrade to the fixed versions 11.0.8, 10.1.42, or 9.0.106 as appropriate. Where an immediate upgrade is not feasible, organizations should implement the following mitigations:

(1) Restrict software installation privileges to trusted administrators only, to prevent unauthorized execution of the vulnerable installer.
(2) Before installation, verify the integrity and authenticity of the Tomcat installer against the official checksums and signatures, to avoid running a tampered installer.
(3) Audit and sanitize the PATH environment variable of the account that runs the installer, ensuring that no untrusted or user-writable directory precedes System32 or the other Windows system folders, so that a malicious icacls.exe cannot be resolved ahead of the genuine one.
(4) Employ application whitelisting or endpoint protection solutions that can detect or block execution of unauthorized binaries during installation.
(5) Monitor installation activities and system logs for anomalies indicating potential exploitation attempts.
(6) Educate IT staff on the risks of untrusted search path vulnerabilities and on secure installation practices.

These targeted mitigations reduce the risk of exploitation while patch deployment is planned and executed.
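The PATH audit in mitigation (3), as an added PowerShell example that is not part of this advisory or of the Tomcat project: it walks the PATH entries in the order Windows searches them, reports any icacls.exe found outside System32 (a shadow copy the unqualified lookup would pick up) and any directory ahead of System32 that ordinary users can write to. It assumes Windows PowerShell 5.1 or later and that it is run in the same account and session that would launch the installer, since PATH is evaluated per process.

```powershell
# Added example (not from the advisory): audit the PATH search order an
# installer inherits and flag anything that could shadow icacls.exe.
# Assumption: run as the account/session that would launch the installer.

$system32     = (Join-Path $env:SystemRoot 'System32').TrimEnd('\')
$entries      = $env:PATH -split ';' | Where-Object { $_.Trim() -ne '' }
$seenSystem32 = $false
$findings     = @()

foreach ($dir in $entries) {
    $expanded   = [Environment]::ExpandEnvironmentVariables($dir).TrimEnd('\')
    $isSystem32 = $expanded -ieq $system32

    # A copy of icacls.exe outside System32 is exactly what the unqualified
    # lookup would resolve; record where it sits and its hash for triage.
    $candidate = Join-Path $expanded 'icacls.exe'
    if (-not $isSystem32 -and (Test-Path -LiteralPath $candidate -PathType Leaf)) {
        $findings += [pscustomobject]@{
            Issue  = 'icacls.exe found outside System32'
            Path   = $candidate
            Detail = (Get-FileHash -LiteralPath $candidate -Algorithm SHA256).Hash
        }
    }

    # Only directories searched before System32 matter for this CWE-426 issue;
    # flag those that non-administrative principals are allowed to write to.
    if (-not $seenSystem32 -and -not $isSystem32 -and
        (Test-Path -LiteralPath $expanded -PathType Container)) {
        $writable = (Get-Acl -LiteralPath $expanded).Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference -match 'Users|Everyone|Authenticated Users' -and
            $_.FileSystemRights -match 'Write|Modify|FullControl'
        }
        if ($writable) {
            $findings += [pscustomobject]@{
                Issue  = 'user-writable directory searched before System32'
                Path   = $expanded
                Detail = ($writable.IdentityReference -join ', ')
            }
        }
    }
    if ($isSystem32) { $seenSystem32 = $true }
}

if (-not $seenSystem32) {
    $findings += [pscustomobject]@{ Issue = 'System32 absent from PATH'; Path = $system32; Detail = '' }
}
$findings | Format-Table -AutoSize
```

An empty table means no shadow copy and no user-writable directory ahead of System32 in this session; any finding should be resolved before the installer is run on that host.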


Technical Details

Data Version: 5.1
Assigner Short Name: apache
Date Reserved: 2025-06-02T08:34:46.719Z
Cvss Version: null
State: PUBLISHED

Threat ID: 68502b73a8c92127438438cb

Added to database: 6/16/2025, 2:34:27 PM

Last enriched: 8/8/2025, 12:39:08 AM

Last updated: 8/11/2025, 12:33:50 AM
