CVE-2025-55754: CWE-150 Improper Neutralization of Escape, Meta, or Control Sequences in Apache Software Foundation Apache Tomcat
CVE-2025-55754 is a vulnerability in Apache Tomcat where ANSI escape sequences in log messages are not neutralized. An attacker can inject escape sequences via a specially crafted URL that ends up in a log message; when that message is rendered in a Windows console that interprets ANSI sequences, the sequences can manipulate the console display and clipboard to trick an administrator into executing attacker-chosen commands. The vulnerability affects Tomcat versions from 8.5.60 through 11.0.10, including end-of-life branches. Although no active exploitation has been observed, the risk exists especially on Windows systems with ANSI-capable consoles. Mitigation requires upgrading to the patched versions 11.0.11, 10.1.45 or 9.0.109 (or later).
AI Analysis
Technical Summary
CVE-2025-55754 is a security vulnerability classified under CWE-150 (Improper Neutralization of Escape, Meta, or Control Sequences) affecting Apache Tomcat versions from 8.5.60 through 11.0.10. The flaw arises because Tomcat does not escape ANSI escape sequences in log messages. When Tomcat runs in a Windows console environment that interprets ANSI sequences, an attacker can craft URLs containing escape codes; once the URL is written into a log message and that message is rendered in the console, the sequences can clear or overwrite the display and, via terminal clipboard commands, place attacker-chosen text on the clipboard, potentially deceiving an administrator into executing it. The weakness is therefore in how log output is rendered, not in Tomcat executing anything itself: the same bytes in a log file are inert until a terminal or viewer that honours escape sequences displays them. While no exploitation has been documented, the vulnerability allows social engineering attacks targeting administrators monitoring console logs. The issue affects multiple active and end-of-life Tomcat versions, emphasizing the need for upgrades to fixed releases (11.0.11+, 10.1.45+, 9.0.109+). The vulnerability does not require authentication, but it does require that the attacker can cause log entries to be generated from crafted URLs and that an administrator views the console output. The scope includes any Tomcat deployment on a Windows console with ANSI support, with possible but unconfirmed risk on other operating systems. This vulnerability highlights the risks of insufficient output neutralization in logging mechanisms and the potential for indirect command execution through UI manipulation.
Potential Impact
For European organizations, the impact of CVE-2025-55754 is significant in environments where Apache Tomcat runs on Windows servers and administrators watch the console directly. Successful exploitation does not grant the attacker code execution; it relies on manipulating what the administrator sees and what is on the clipboard so that the administrator runs an attacker-chosen command. If that succeeds, the attacker gains execution with the administrator's privileges, compromising system integrity and potentially confidentiality, and opening the way to lateral movement, data exfiltration or service disruption. Organizations in sectors such as finance, government, healthcare and critical infrastructure that rely on Tomcat for web applications are particularly exposed. The attacker's part is cheap (an unauthenticated request that gets logged), while the defender's exposure depends on two operational habits: viewing logs in an ANSI-capable console and pasting clipboard contents into a shell. The absence of known exploits reduces immediate risk but does not eliminate it, since the technique is simple to reproduce once the affected log paths are known. The impact on availability is indirect but possible if a coerced command disrupts services. Given the widespread use of Tomcat in Europe, especially in enterprise and public sector deployments, the issue warrants prompt attention.
Mitigation Recommendations
1. Upgrade Apache Tomcat to a fixed version: 11.0.11 or later, 10.1.45 or later, or 9.0.109 or later. No fixed release is listed for the end-of-life 8.5.x branch, so those deployments need to move to a supported branch.
2. Restrict console access to trusted administrators only, minimizing exposure to potentially manipulated console output.
3. Filter at the edge: reject request targets that contain control characters or their percent-encoded forms (for example %1B for ESC) at a reverse proxy or WAF. Application-level URL validation does not cover container-level log entries that Tomcat writes before the application ever sees the request.
4. Educate administrators about the risks of acting on console output: a "clean" screen or a reassuring status line may have been painted by an escape sequence, and clipboard contents should never be pasted into a shell after viewing untrusted log output.
5. Consider disabling ANSI escape sequence (virtual terminal) processing in the Windows consoles used for Tomcat monitoring if feasible.
6. Monitor logs for ESC (0x1B) and BEL (0x07) bytes, and for percent-encoded forms such as %1B in request URLs, which indicate attempts to inject escape sequences.
7. Employ endpoint security solutions to detect and prevent unauthorized clipboard or command execution activity on administrative workstations.
8. For environments where upgrading is delayed, isolate Tomcat consoles from direct administrative access, or ship logs to a remote logging solution and view them with tools that show control characters literally instead of interpreting them.
9. Regularly audit and review Tomcat configurations and access controls to reduce the attack surface.
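The neutralization the fixed releases perform (making control bytes visible rather than letting the console obey them) and the log monitoring in item 6 can be shown together. The following is an added example written for this page in Python; it is not Tomcat's code and not the project's formatter. The sample log lines, the logger names and the `calc.exe` clipboard payload are constructed for illustration, and the escape-sequence matcher is a general one written here, not a reproduction of what Tomcat escapes.

```python
import base64
import re
import urllib.parse
from typing import Dict, List

ESC = "\x1b"

# Escape-sequence families that matter for console injection (general matcher
# written for this example, not Tomcat's code):
#   CSI  ESC [ params final     e.g. ESC[2J clears the screen, ESC[1;1H homes the cursor
#   OSC  ESC ] ... BEL | ESC \  e.g. ESC]52;c;<base64>BEL writes the clipboard (OSC 52)
#   Fe   ESC + one byte 0x40..0x5F, e.g. ESC c resets the terminal
ANSI_RE = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"
    r"|\x1b[@-_]"
)

# C0 control bytes other than TAB/LF/CR, plus DEL: none belongs in a log line.
CONTROL_RE = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")


def neutralize(message: str) -> str:
    """Make control characters visible so a console prints them instead of obeying them.
    ESC becomes the six characters \\u001b; TAB, LF and CR are left alone."""
    return CONTROL_RE.sub(lambda m: "\\u%04x" % ord(m.group(0)), message)


def classify(seq: str) -> str:
    """Label one matched escape sequence by what a terminal would do with it."""
    if seq.startswith(ESC + "]52;"):
        return "OSC 52 clipboard write"
    if seq.startswith(ESC + "]"):
        return "OSC terminal command"
    if seq.startswith(ESC + "["):
        if seq[-1] in "JK":
            return "CSI erase display/line"
        if seq[-1] in "Hf":
            return "CSI cursor move"
        return "CSI"
    return "ESC sequence"


def clipboard_payload(seq: str) -> str:
    """Decode the base64 text an OSC 52 sequence would put on the clipboard."""
    body = seq[len(ESC + "]52;"):]
    for terminator in ("\x07", ESC + "\\"):
        if body.endswith(terminator):
            body = body[: -len(terminator)]
    _selection, _, b64 = body.partition(";")
    return base64.b64decode(b64).decode("utf-8", "replace")


def scan_line(line: str) -> List[Dict[str, str]]:
    """Find escape sequences in one log line, including ones hidden by percent-encoding."""
    findings = []
    for m in ANSI_RE.finditer(urllib.parse.unquote(line)):
        seq = m.group(0)
        f = {
            "form": "raw" if seq in line else "percent-encoded",
            "kind": classify(seq),
            "sequence": neutralize(seq),
        }
        if f["kind"].startswith("OSC 52"):
            f["clipboard"] = clipboard_payload(seq)
        findings.append(f)
    return findings


def scan_log(lines: List[str]) -> List[Dict]:
    """Report every line carrying escape sequences, with a neutralized rendering of it."""
    report = []
    for n, line in enumerate(lines, 1):
        findings = scan_line(line)
        if findings:
            report.append({"line": n, "findings": findings, "safe": neutralize(line)})
    return report


# Constructed sample lines in a juli-like layout; logger names and messages are
# placeholders for this example, not real Tomcat output.
CLIPBOARD_CMD = "calc.exe"
OSC52 = ESC + "]52;c;" + base64.b64encode(CLIPBOARD_CMD.encode()).decode() + "\x07"
SAMPLE_LOG = [
    "27-Oct-2025 17:37:46.000 INFO [main] org.apache.catalina.startup.Catalina.start "
    "Server startup in [812] milliseconds",
    # raw ESC bytes: wipe the screen, home the cursor, paint a reassuring line, load the clipboard
    "27-Oct-2025 17:38:01.113 INFO [http-nio-8080-exec-1] example.RequestLogger.log "
    "GET /app/" + ESC + "[2J" + ESC + "[1;1H" + "Server healthy" + OSC52,
    # the same payload percent-encoded (%1B = ESC, %07 = BEL), as it would look if the
    # request target were logged before decoding
    "27-Oct-2025 17:38:02.441 INFO [http-nio-8080-exec-2] example.RequestLogger.log "
    "GET /app/%1B%5B2J%1B%5D52%3Bc%3BY2FsYy5leGU%3D%07",
]

if __name__ == "__main__":
    for entry in scan_log(SAMPLE_LOG):
        print(f"line {entry['line']}:")
        for f in entry["findings"]:
            extra = f"  (clipboard would receive {f['clipboard']!r})" if "clipboard" in f else ""
            print(f"  [{f['form']}] {f['kind']}: {f['sequence']}{extra}")
        print("  neutralized:", entry["safe"])
```

Run as a script it prints the constructed lines 2 and 3 with each sequence labelled and the decoded clipboard text, followed by the neutralized line, which is what a safe formatter would have emitted in the first place. Two design points carry over to a real deployment: the neutralization must happen in the log formatter, before bytes reach any console or file, and a detector that only looks for a raw 0x1B will miss the percent-encoded variant, which is why `scan_line` decodes the line before matching.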
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden, Belgium, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: apache
- Date Reserved: 2025-08-15T11:26:40.520Z
- CVSS Version: null (no CVSS vector in the record)
- State: PUBLISHED
Threat ID: 68ffadeaba6dffc5e2050674
Added to database: 10/27/2025, 5:37:46 PM
Last enriched: 10/27/2025, 5:53:26 PM
Last updated: 10/27/2025, 8:54:50 PM