SOC Prime Bias: Medium

18 Nov 2025 00:17

CVE-2025-55752 and CVE-2025-55754: Apache Tomcat Vulnerabilities Expose Servers to RCE Attacks

Ruslan Mikhalov, Chief of Threat Research at SOC Prime

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Analysis

In March 2025, CVE-2025-24813 showed how quickly an Apache Tomcat flaw can be weaponized, with mass exploitation observed shortly after disclosure. The newly disclosed CVE-2025-55752 and CVE-2025-55754 follow the same pattern, exposing unpatched Tomcat servers to remote code execution (RCE) and to social-engineering scenarios aimed at administrators. Tomcat powers hundreds of thousands of Java web applications worldwide, so weaknesses at this layer have broad impact across enterprise and government environments. CVE-2025-55752, rated “Important,” is a regression that enables directory traversal through rewritten URLs, allowing access to normally protected paths such as /WEB-INF/ and /META-INF/. If HTTP PUT is enabled, attackers can upload malicious files and pivot to RCE. CVE-2025-55754, rated “Low,” abuses ANSI escape sequences injected into console logs, creating social-engineering opportunities in which administrators are tricked into executing attacker-controlled commands.

Investigation

Both vulnerabilities affect Apache Tomcat 9, 10, and 11 (11.0.0-M1–11.0.10, 10.1.0-M1–10.1.44, 9.0.0-M11–9.0.108) plus selected end-of-life 8.5.x builds (8.5.60–8.5.100). Security teams should first inventory every Tomcat instance, including legacy and shadow IT, and map each server to its exact version and configuration profile. For CVE-2025-55752, investigators need to review URL patterns for path-traversal attempts into /WEB-INF/ or /META-INF/, inspect access logs for unusual PUT requests, unexpected uploads, and newly created files, and compare them against legitimate APIs that use PUT. For CVE-2025-55754, focus on servers that run Tomcat in an interactive console, especially on Windows, hunting for ANSI escape sequences or visual log anomalies and reconstructing admin workflows (clipboard history, copied commands). This work should be backed by broader threat hunting and IOC sweeps across web logs and endpoint telemetry.
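The following Python script is an added illustration of the log review described above; it is not part of the original advisory or of any SOC Prime tooling. It assumes Tomcat's default AccessLogValve "common" log pattern, a hypothetical allowlist of endpoints where PUT is legitimate, and uses constructed sample lines. It flags requests whose decoded path resolves into /WEB-INF/ or /META-INF/, dot-dot traversal patterns, PUT requests outside the allowlist, and ESC-based escape sequences in console log lines.

```python
import re
from urllib.parse import unquote

# Tomcat AccessLogValve "common" pattern: host ident user [date] "METHOD URI PROTO" status bytes
ACCESS_RE = re.compile(r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" \d{3} \S+$')
# ESC-introduced control sequences: CSI (ESC [ params final byte) or any other ESC + Fe byte
ANSI_RE = re.compile(r"\x1b\[[0-?]*[ -/]*[@-~]|\x1b[@-_]")
PROTECTED_DIRS = {"WEB-INF", "META-INF"}
LEGIT_PUT_PREFIXES = ("/api/v1/items/",)  # hypothetical allowlist of legitimate PUT endpoints

def decoded_path(uri: str) -> str:
    """Strip the query string, percent-decode twice (double encoding), fold backslashes."""
    return unquote(unquote(uri.split("?", 1)[0])).replace("\\", "/")

def resolve_segments(path: str) -> list[str]:
    """Resolve '.' and '..' segments the way a file system would."""
    segs: list[str] = []
    for seg in path.split("/"):
        if seg == "..":
            if segs:
                segs.pop()
        elif seg not in ("", "."):
            segs.append(seg)
    return segs

def classify_access_line(line: str) -> list[str]:
    """Finding tags for one access-log line; empty list if nothing stands out."""
    m = ACCESS_RE.match(line)
    if not m:
        return []
    method, uri = m.group("method"), m.group("uri")
    path, findings = decoded_path(uri), []
    if any(s.upper() in PROTECTED_DIRS for s in resolve_segments(path)):
        findings.append("protected-path")  # would land in /WEB-INF/ or /META-INF/
    if ".." in path:
        findings.append("traversal-pattern")  # dot-dot survived decoding
    if method == "PUT" and not uri.startswith(LEGIT_PUT_PREFIXES):
        findings.append("unexpected-put")  # PUT outside the known PUT API
    return findings

def has_ansi_escape(line: str) -> bool:
    """True if a console/catalina log line carries an ESC-based control sequence."""
    return ANSI_RE.search(line) is not None

# Constructed sample lines (not real telemetry)
SAMPLE_ACCESS = [
    '10.0.0.5 - - [18/Nov/2025:00:17:01 +0000] "GET /app/index.jsp HTTP/1.1" 200 512',
    '10.0.0.9 - - [18/Nov/2025:00:17:02 +0000] "GET /app/..%2fWEB-INF/web.xml HTTP/1.1" 404 0',
    '10.0.0.9 - - [18/Nov/2025:00:17:03 +0000] "PUT /app/new.jsp HTTP/1.1" 201 0',
    '10.0.0.7 - - [18/Nov/2025:00:17:04 +0000] "PUT /api/v1/items/42 HTTP/1.1" 204 0',
]
SAMPLE_CONSOLE = "18-Nov-2025 00:17:05 INFO [main] Server startup\x1b[2K\x1b[1G in [1234] ms"
```

Run `classify_access_line` over each access-log line and `has_ansi_escape` over console output; hits are candidates for the deeper review of uploads, new files and admin clipboard history described above.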

Mitigation

To reduce exposure to CVE-2025-55752 and CVE-2025-55754 before they are probed or exploited:

  1. Patch Tomcat: Upgrade all affected instances to Apache Tomcat 11.0.11, 10.1.45, or 9.0.109 (or newer vendor-supported releases), and decommission or replace unsupported 8.5.x builds.
  2. Harden HTTP methods: Disable HTTP PUT wherever it isn’t strictly needed. If PUT is required, lock it down to authenticated, well-defined endpoints and enforce tight file-system permissions on upload directories.
  3. Review logging and console usage: Do not run production Tomcat in interactive console mode. For dev/test environments that do, sanitize logging settings and train admins on the risk of ANSI escape sequences and copy-paste attacks.
  4. Monitor for abuse: Implement alerts for unexpected uploads, configuration changes, and anomalies in application directories, and watch logs for suspicious or malformed requests to core Tomcat paths.

In parallel, continuously scan for vulnerable Tomcat deployments and treat RCE-class Tomcat issues as high-priority in vulnerability management.

Response

If you suspect CVE-2025-55752 or CVE-2025-55754 is being probed or actively exploited:

  • Isolate and triage affected servers. Temporarily remove exposed Tomcat instances from the internet or restrict access (e.g., VPN-only) while you investigate.
  • Preserve evidence. Collect Tomcat access logs, application logs, system logs, configuration snapshots, and filesystem metadata for webroot and deployment directories.
  • Hunt for persistence and web shells. Look for unexpected JSPs, scripts, or binaries in /WEB-INF/, /META-INF/, upload directories, and nearby paths; compare against known-good baselines.
  • Review admin actions. For CVE-2025-55754 in particular, check whether administrators copy-pasted commands from consoles that may have contained ANSI-manipulated output, and validate any resulting changes.
  • Rebuild from clean sources. Where compromise can’t be ruled out, redeploy Tomcat and applications from trusted images and re-apply hardened, fully patched configurations.
  • Update detections and training. Add CVE-2025-55752 / CVE-2025-55754 exploit patterns, suspicious PUT usage, and escape-sequence anomalies to SIEM and EDR, and brief operations teams on safe console and logging practices.

Detection Rules

We are still updating this part.

Payload Instructions

We are still updating this part.