
CVE-2025-49124: CWE-426 Untrusted Search Path in Apache Software Foundation Apache Tomcat

Severity: High
Published: Mon Jun 16 2025 (06/16/2025, 14:22:16 UTC)
Source: CVE Database V5
Vendor/Project: Apache Software Foundation
Product: Apache Tomcat

Description

Untrusted Search Path vulnerability in Apache Tomcat installer for Windows. During installation, the Tomcat installer for Windows used icacls.exe without specifying a full path. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0 through 10.1.41, from 9.0.23 through 9.0.105. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100 and 7.0.95 through 7.0.109. Other EOL versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.

AI-Powered Analysis

AI analysis last updated: 10/29/2025, 12:28:51 UTC

Technical Analysis

CVE-2025-49124 is an untrusted search path vulnerability (CWE-426) in the Apache Tomcat installer for Windows. During installation, the installer invokes the Windows utility icacls.exe without specifying its absolute path, so Windows resolves the name through the search order instead of loading it directly from the system directory. An attacker with local access can place a malicious icacls.exe in a directory that appears earlier in the system's PATH environment variable; when the installer runs, it executes the attacker's binary instead of the legitimate system utility. The result is arbitrary code execution with the privileges of the user running the installer, which can escalate to full system compromise because installers are typically run with elevated rights. The vulnerability affects Apache Tomcat versions 11.0.0-M1 through 11.0.7, 10.1.0 through 10.1.41, 9.0.23 through 9.0.105, and the EOL versions 8.5.0 through 8.5.100 and 7.0.95 through 7.0.109. The CVSS v3.1 base score is 8.4 (high severity), reflecting high impact on confidentiality, integrity, and availability, with low attack complexity and no privileges or user interaction required. The issue is resolved in Apache Tomcat versions 11.0.8, 10.1.42, and 9.0.106. No exploits in the wild have been reported yet, but the vulnerability is a significant risk in environments where attackers or malicious insiders can obtain local access. The root cause is the failure to specify a fully qualified path to icacls.exe, a standard Windows utility for modifying access control lists, during installation. That oversight lets an attacker hijack execution during a phase in which elevated privileges are often granted.

Potential Impact

For European organizations, this vulnerability poses a serious risk wherever Apache Tomcat is installed or upgraded on Windows systems. Successful exploitation yields arbitrary code execution with the privileges of the installer, which can allow attackers to escalate privileges, install persistent malware, or disrupt services, compromising the confidentiality, integrity, and availability of sensitive data and of the applications running on Tomcat. Organizations in sectors such as finance, healthcare, government, and critical infrastructure that rely on Apache Tomcat for web services are particularly exposed. The local access requirement limits remote exploitation, but insiders, or attackers who have gained an initial foothold on an internal network, can use this vulnerability to deepen their control. Because no user interaction is required, exploitation can be automated once local access is achieved. Given the widespread use of Apache Tomcat across Europe, failure to patch could lead to significant operational disruptions and data breaches.

Mitigation Recommendations

European organizations should immediately verify their Apache Tomcat versions and upgrade to the fixed releases: 11.0.8, 10.1.42, or 9.0.106. For EOL versions still in use, upgrade to a supported version or apply manual mitigations: ensure the Windows PATH environment variable contains no untrusted directories ahead of system32, and restrict write permissions on every directory in the PATH so that a malicious executable cannot be placed there. Employ application whitelisting to block unauthorized executables, especially during installations. Limit local administrative privileges and monitor for suspicious file creation or execution while installers run. Audit system PATH variables and installed software regularly to detect anomalies. Educate IT staff about the risks of installing software from untrusted sources or locations. Deploy endpoint detection and response (EDR) tooling capable of flagging attempts to exploit untrusted search path vulnerabilities. Finally, maintain a robust patch management process so security updates are applied promptly.
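The PATH audit recommended above, as an added example that is not part of the advisory or of the Apache Tomcat project. It assumes it is run in an elevated PowerShell session on the Windows host before the installer is launched, and reports PATH directories that are broadly writable and searched ahead of System32, as well as any icacls.exe found outside System32.

```powershell
# Added example: audit the PATH for the conditions CWE-426 hijacking of icacls.exe relies on.
# Assumption: run elevated on the host about to execute the Tomcat installer.

$system32 = Join-Path $env:SystemRoot 'System32'
$entries  = ($env:PATH -split ';') | Where-Object { $_ -ne '' }

# Position of System32 in the search order (case-insensitive, trailing backslash ignored).
$sysIndex = -1
for ($j = 0; $j -lt $entries.Count; $j++) {
    if ($entries[$j].TrimEnd('\') -ieq $system32) { $sysIndex = $j; break }
}

# Identities that should never hold write or modify rights on a PATH directory.
$broadIdentities = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl

$findings = foreach ($i in 0..($entries.Count - 1)) {
    $dir = $entries[$i]
    if (-not (Test-Path -LiteralPath $dir)) { continue }

    # Finding 1: directory searched before System32 that low-privileged identities can write to.
    $acl = Get-Acl -LiteralPath $dir
    $weakAces = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.IdentityReference.Value -in $broadIdentities) -and
        (($_.FileSystemRights -band $writeMask) -ne 0)
    }
    $beforeSystem32 = ($sysIndex -lt 0) -or ($i -lt $sysIndex)
    if ($weakAces -and $beforeSystem32) {
        [pscustomobject]@{ Directory = $dir
                           Issue     = 'Broadly writable and searched before System32'
                           Detail    = ($weakAces.IdentityReference.Value -join ', ') }
    }

    # Finding 2: a copy of icacls.exe anywhere other than System32, with its signature state.
    $candidate = Join-Path $dir 'icacls.exe'
    if ((Test-Path -LiteralPath $candidate) -and ($dir.TrimEnd('\') -ine $system32)) {
        $sig = Get-AuthenticodeSignature -FilePath $candidate
        [pscustomobject]@{ Directory = $dir
                           Issue     = "Unexpected icacls.exe (signature: $($sig.Status))"
                           Detail    = $sig.SignerCertificate.Subject }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else { 'PATH audit: no untrusted-search-path conditions found.' }
```

Any finding should be remediated (tighten the ACL, remove the directory from PATH, or quarantine the unexpected binary) before the installer is run.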


Technical Details

Data Version: 5.1
Assigner Short Name: apache
Date Reserved: 2025-06-02T08:34:46.719Z
CVSS Version: null
State: PUBLISHED

Threat ID: 68502b73a8c92127438438cb

Added to database: 6/16/2025, 2:34:27 PM

Last enriched: 10/29/2025, 12:28:51 PM

Last updated: 11/22/2025, 4:47:34 PM

Views: 41
