CVE-2025-55754: CWE-150 Improper Neutralization of Escape, Meta, or Control Sequences in Apache Software Foundation Apache Tomcat
Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. Tomcat did not escape ANSI escape sequences in log messages. If Tomcat was running in a console on a Windows operating system, and the console supported ANSI escape sequences, it was possible for an attacker to use a specially crafted URL to inject ANSI escape sequences to manipulate the console and the clipboard and attempt to trick an administrator into running an attacker-controlled command. While no attack vector was found, it may have been possible to mount this attack on other operating systems. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.10, from 10.1.0-M1 through 10.1.44, from 9.0.40 through 9.0.108. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.60 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.11 or later, 10.1.45 or later or 9.0.109 or later, which fix the issue.
AI Analysis
Technical Summary
CVE-2025-55754 is a critical security vulnerability classified under CWE-150, which involves improper neutralization of escape, meta, or control sequences in Apache Tomcat. Specifically, Tomcat failed to escape ANSI escape sequences in log messages. When Tomcat runs in a Windows console environment that supports ANSI escape sequences, an attacker can craft a malicious URL that injects these sequences into the logs. This injection can manipulate the console display and clipboard contents, potentially deceiving an administrator into executing commands controlled by the attacker. The vulnerability affects Apache Tomcat versions from 11.0.0-M1 through 11.0.10, 10.1.0-M1 through 10.1.44, and 9.0.40 through 9.0.108, as well as end-of-life versions 8.5.60 through 8.5.100. Although no direct attack vectors have been confirmed on non-Windows systems, the possibility exists. The vulnerability does not require authentication but does require user interaction, such as an administrator viewing the manipulated logs in a vulnerable console. The issue was publicly disclosed on October 27, 2025, with Apache recommending upgrades to versions 11.0.11 or later, 10.1.45 or later, and 9.0.109 or later to remediate the flaw. The CVSS v3.1 score is 9.6 (critical), indicating a high impact on confidentiality, integrity, and availability, with network attack vector, low attack complexity, no privileges required, user interaction required, and scope changed due to potential command execution.
Potential Impact
The vulnerability poses a significant risk to organizations running affected Apache Tomcat versions on Windows consoles. Successful exploitation can lead to manipulation of the administrator's console and clipboard, potentially tricking them into executing attacker-controlled commands. This can result in full system compromise, data theft, unauthorized access, and disruption of services. Since Tomcat is widely used in enterprise web applications, the impact spans multiple industries including finance, healthcare, government, and technology sectors. The critical CVSS score reflects the potential for complete loss of confidentiality, integrity, and availability. Additionally, the attack requires no privileges, increasing the attack surface. Although no known exploits are currently active, the ease of exploitation and the high impact make this a severe threat. Organizations that do not promptly patch may face targeted attacks leveraging social engineering to escalate privileges or deploy malware.
Mitigation Recommendations
Organizations should immediately upgrade Apache Tomcat to versions 11.0.11 or later, 10.1.45 or later, or 9.0.109 or later to apply the official patches that neutralize ANSI escape sequences in logs. Until upgrades can be performed, administrators should avoid running Tomcat in Windows consoles that support ANSI escape sequences or disable ANSI support in the console environment if possible. Logging configurations should be reviewed to limit exposure to untrusted input in logs. Additionally, administrators should be trained to recognize suspicious console behavior and avoid executing commands based on manipulated log content or clipboard data. Implementing strict access controls and monitoring for unusual command execution patterns can help detect exploitation attempts. Employing endpoint protection solutions that monitor clipboard and console activities may provide additional defense. Regular audits of Tomcat versions and patch levels across the infrastructure are essential to ensure timely remediation.
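As an added example (not Tomcat's patch and not code from this advisory), the log review recommended above can be partly automated: the script below flags log lines that carry raw control characters or a request target that percent-decodes to one, and rewrites them into a form a terminal will not interpret. It assumes access-log lines in common log format; the function names and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# C0 controls except tab, plus DEL and the C1 range (covers ESC 0x1b and CSI 0x9b).
CONTROL = re.compile(r"[\x00-\x08\x0a-\x1f\x7f-\x9f]")
# Request field of a common-log-format line: "METHOD target HTTP/x.y"
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

def neutralize(text):
    """Replace control characters with a visible \\xNN form so a terminal never acts on them."""
    return CONTROL.sub(lambda m: "\\x%02x" % ord(m.group()), text)

def has_escape(line):
    """True if the line holds a raw control character or a target that decodes to one."""
    if CONTROL.search(line):
        return True
    m = REQUEST.search(line)
    if not m:
        return False
    # unquote() decodes as UTF-8 and replaces invalid bytes instead of raising.
    return bool(CONTROL.search(unquote(m.group(1))))

def scan(lines):
    """Return (line_number, neutralized_line) for every suspicious line."""
    hits = []
    for number, line in enumerate(lines, 1):
        line = line.rstrip("\r\n")  # the line terminator itself is not a finding
        if has_escape(line):
            hits.append((number, neutralize(line)))
    return hits

# Constructed sample lines (not from a real server); the sequence is a harmless colour code.
SAMPLE = [
    '203.0.113.5 - - [27/Oct/2025:10:00:01 +0000] "GET /index.jsp HTTP/1.1" 200 512\n',
    '203.0.113.9 - - [27/Oct/2025:10:00:02 +0000] "GET /a%1b%5B31mb HTTP/1.1" 404 0\n',
    '203.0.113.9 - - [27/Oct/2025:10:00:03 +0000] "GET /x HTTP/1.1" 400 0 \x1b[31mred\n',
]

if __name__ == "__main__":
    for number, safe in scan(SAMPLE):
        print(number, safe)
```

Piping logs through `neutralize` before display keeps the evidence readable while ensuring the viewing console never executes the embedded sequence.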
Affected Countries
United States, Germany, United Kingdom, France, Japan, South Korea, India, Australia, Canada, Brazil
Technical Details
- Data Version: 5.1
- Assigner Short Name: apache
- Date Reserved: 2025-08-15T11:26:40.520Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 68ffadeaba6dffc5e2050674
Added to database: 10/27/2025, 5:37:46 PM
Last enriched: 2/27/2026, 5:37:34 AM
Last updated: 3/25/2026, 3:38:54 AM