CVE-2025-55752 and CVE-2025-55754: Apache Tomcat Vulnerabilities Expose Servers to RCE Attacks
In March 2025, CVE-2025-24813 served as a stark reminder of how quickly a critical Apache Tomcat vulnerability can turn into an active threat. Less than 30 hours after its disclosure, attackers were already exploiting unsafe deserialization to execute code remotely, taking control of unpatched servers. Now, just months later, a duo of new vulnerabilities (CVE-2025-55752, CVE-2025-55754) has been brought to the spotlight, once again opening the door to RCE attacks.
Apache Tomcat is a free open-source Java servlet container that hosts Java-based web apps and implements Java Servlet and JavaServer Pages (JSP) specifications. It powers hundreds of thousands of websites and enterprise systems worldwide, including government agencies, large corporations, and critical infrastructure. Yet, such widespread use of open-source software brings a serious layer of concern. According to the 2025 Open Source Security and Risk Analysis (OSSRA) Report, 86% of commercial codebases evaluated contained open-source software vulnerabilities, and 81% of those contained high- or critical-risk vulnerabilities.
Sign up for the SOC Prime Platform to access the global active threats feed, which offers real-time cyber threat intelligence and curated detection algorithms to address emerging threats, like flaws in open-source software. All the rules are compatible with multiple SIEM, EDR, and Data Lake formats and mapped to the MITRE ATT&CK® framework. Additionally, each rule is enriched with CTI links, attack timelines, audit configurations, triage recommendations, and more relevant context. Press the Explore Detections button to see the entire detection stack for proactive defense against critical vulnerabilities filtered by the “CVE” tag.
Additionally, security experts might streamline threat investigation using Uncoder AI, a private IDE & co-pilot for threat-informed detection engineering. Generate detection algorithms from raw threat reports, enable fast IOC sweeps, predict ATT&CK tags, optimize query code with AI tips, and translate it across multiple SIEM, EDR, and Data Lake languages.
CVE-2025-55752 and CVE-2025-55754 Analysis
On October 27, 2025, the Apache Software Foundation confirmed two novel vulnerabilities affecting Apache Tomcat versions 9, 10, and 11.
Of the two newly reported flaws, CVE-2025-55752 is considered the more severe, earning an “Important” rating. It was introduced by a regression in the fix for an earlier bug (bug 60013) and allows directory traversal through rewritten URLs. Because rewritten URLs are normalized before they are decoded, malicious actors can craft request URIs that potentially bypass Tomcat’s built-in protections for critical directories, including /WEB-INF/ and /META-INF/. The risk escalates if HTTP PUT requests are enabled, as attackers could upload malicious files, potentially leading to remote code execution on the server. However, in most production setups, PUT requests are restricted to trusted users, which limits the likelihood of immediate exploitation.
The second flaw, CVE-2025-55754, carries a “Low” severity rating but remains noteworthy. It stems from Tomcat’s inadequate handling of ANSI escape sequences in console logs. When Tomcat runs in a console environment (particularly on Windows systems), attackers can send specially crafted URLs whose escape sequences are written into the log output. These sequences can manipulate the console display or clipboard contents, creating opportunities to trick administrators into executing unintended actions. While primarily observed on Windows, similar attack vectors could exist on other platforms, broadening the potential impact of this vulnerability.
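The two mechanisms described above, as an added Python example that is neither Tomcat’s code nor part of the original post: it contrasts a protected-directory check that normalizes a URI before decoding it with one that decodes first, neutralizes escape sequences before a log line reaches a console, and runs both checks over constructed access-log and console-log lines. The function names, the case-insensitive directory comparison, and the sample log lines are assumptions made for illustration; the check models the ordering pitfall in simplified form rather than reproducing Tomcat’s rewrite handling.

```python
import posixpath
import re
from urllib.parse import unquote

# Added example (not Tomcat code): models the URI-ordering pitfall behind
# CVE-2025-55752 and the console log injection class behind CVE-2025-55754
# from the defender's side.

# Directories a servlet container must never serve to clients (named on the page).
PROTECTED_PREFIXES = ("/WEB-INF/", "/META-INF/")

# ANSI CSI sequences (ESC [ params intermediates final) and OSC sequences
# (ESC ] ... BEL or ESC \), the families that can redraw a terminal or set
# terminal state such as the title or clipboard.
ANSI_SEQUENCE = re.compile(
    r"\x1b(?:\[[0-?]*[ -/]*[@-~]|\][^\x07\x1b]*(?:\x07|\x1b\\))"
)
# Request line inside a common-log-format access entry.
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')


def normalise(path: str) -> str:
    """Resolve '.' and '..' segments the way a container maps a URI to a resource.
    posixpath.normpath keeps the leading '/' and never climbs above the root."""
    return posixpath.normpath(path)


def is_protected(path: str) -> bool:
    """True if the resolved path points into WEB-INF or META-INF. The comparison is
    case-insensitive (an assumption mirroring case-insensitive filesystems)."""
    upper = path.upper()
    return any(upper == p.rstrip("/") or upper.startswith(p) for p in PROTECTED_PREFIXES)


def check_normalise_then_decode(raw_uri: str) -> bool:
    """Flawed ordering (the regression class described for CVE-2025-55752): '..' is
    resolved while '/' may still be percent-encoded, so decoding afterwards
    re-creates a traversal segment the check never saw."""
    return is_protected(unquote(normalise(raw_uri)))


def check_decode_then_normalise(raw_uri: str) -> bool:
    """Correct ordering: decode first so every '.' and '/' is literal, then resolve."""
    return is_protected(normalise(unquote(raw_uri)))


def neutralize_ansi(text: str) -> str:
    """Make escape sequences visible instead of executable before a line reaches a
    console, the mitigation direction for CVE-2025-55754."""
    cleaned = ANSI_SEQUENCE.sub("<ESC-SEQ>", text)
    return cleaned.replace("\x1b", "<ESC>")  # stray ESC bytes that formed no sequence


def triage_line(line: str) -> list:
    """Findings for one log line: escape bytes anywhere, and for access-log request
    lines, encoded traversal, protected-directory access and PUTs into it."""
    findings = []
    if "\x1b" in line:
        findings.append("ansi-escape-in-log")
    match = REQUEST_LINE.search(line)
    if match:
        uri = match.group("uri").split("?", 1)[0]
        decoded = unquote(uri)
        if decoded != uri and ".." in decoded:
            findings.append("encoded-traversal")
        if check_decode_then_normalise(uri):
            findings.append("protected-dir-access")
            if match.group("method") == "PUT":
                findings.append("put-to-protected-dir")
    return findings


# Constructed sample lines (not real traffic): three access-log entries and one
# console-log entry carrying a clear-screen sequence.
SAMPLE_LOG = [
    '10.0.0.5 - - [28/Oct/2025:09:12:01 +0000] "GET /app/index.jsp HTTP/1.1" 200 512',
    '10.0.0.9 - - [28/Oct/2025:09:12:07 +0000] "GET /app/..%2fWEB-INF/web.xml HTTP/1.1" 200 1337',
    '10.0.0.9 - - [28/Oct/2025:09:12:09 +0000] "PUT /app/..%2fWEB-INF/new.txt HTTP/1.1" 201 0',
    "28-Oct-2025 09:13:00.120 INFO [http-nio-8080-exec-3] request path rejected: \x1b[2J\x1b[Hhidden",
]


def triage(lines) -> dict:
    """Map each flagged line index to its findings; clean lines are omitted."""
    report = {}
    for index, line in enumerate(lines):
        findings = triage_line(line)
        if findings:
            report[index] = findings
    return report


if __name__ == "__main__":
    for index, findings in triage(SAMPLE_LOG).items():
        # Print the neutralized line so the report itself cannot drive the terminal.
        print(index, findings, neutralize_ansi(SAMPLE_LOG[index]))
```

The second sample line shows the point of the ordering: `check_normalise_then_decode` returns False for it because no `..` segment exists until after decoding, while `check_decode_then_normalise` resolves it to `/WEB-INF/web.xml` and flags it. Any log viewer or forwarder that writes to a console should pass lines through something like `neutralize_ansi` rather than printing raw request data.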
CVE-2025-55752 and CVE-2025-55754 Mitigation
The vulnerabilities impact Apache Tomcat versions 11.0.0-M1 through 11.0.10, 10.1.0-M1 through 10.1.44, and 9.0.0-M11 through 9.0.108, as well as the end-of-life 8.5.x branch, versions 8.5.60 through 8.5.100.
To address these issues, administrators should upgrade to the patched releases—Tomcat 11.0.11, 10.1.45, and 9.0.109—and verify all deployed instances to ensure no affected versions remain in use.
Additional mitigation measures include disabling or restricting HTTP PUT requests unless strictly necessary, reviewing console and logging configurations (especially on Windows systems), and actively monitoring for unusual activity, such as unexpected file uploads or suspicious log entries. By taking these steps, organizations can significantly reduce the risk of exploitation and maintain the security and stability of their web applications and critical infrastructure.
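The verification step above (confirming that no affected version remains deployed), as an added Python example that is not part of the original post and not an Apache tool: it orders Tomcat version strings so that milestone builds such as 11.0.0-M1 sort before the GA release, classifies each version against the affected and patched ranges stated in this article, and reports which hosts in an inventory still need an upgrade. The inventory, host names and function names are constructed for illustration; for the 8.5.x branch no patched release is listed here, so the example reports it as affected with no upgrade target.

```python
import re

# Added example (not Apache code): audits Tomcat version strings against the
# affected ranges and fixed releases stated in the advisory summary.

# major.minor.patch with an optional milestone suffix, e.g. 10.1.0-M5
VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")


def version_key(version: str) -> tuple:
    """Sortable key. Milestones precede the GA release of the same number, so the
    fourth field is 0 for a milestone (followed by its number) and 1 for GA."""
    match = VERSION.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = match.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


# (first affected, last affected, fixed release or None) per branch, from the page.
AFFECTED_RANGES = [
    ("11.0.0-M1", "11.0.10", "11.0.11"),
    ("10.1.0-M1", "10.1.44", "10.1.45"),
    ("9.0.0-M11", "9.0.108", "9.0.109"),
    ("8.5.60", "8.5.100", None),  # 8.5.x is end-of-life; no fixed release is listed
]


def assess(version: str) -> dict:
    """Classify one version as 'affected' (with the release to move to), 'patched'
    (same branch, at or above the fix), or 'not-listed' (outside every stated range)."""
    key = version_key(version)
    for first, last, fixed in AFFECTED_RANGES:
        if version_key(first) <= key <= version_key(last):
            return {"version": version, "status": "affected", "upgrade_to": fixed}
        if fixed is not None:
            fixed_key = version_key(fixed)
            if key[:2] == fixed_key[:2] and key >= fixed_key:
                return {"version": version, "status": "patched", "upgrade_to": None}
    return {"version": version, "status": "not-listed", "upgrade_to": None}


def hosts_needing_upgrade(inventory: dict) -> dict:
    """Hosts (name -> version) in an affected range, mapped to the target release
    (None where the page lists no fixed release for that branch)."""
    return {
        host: assess(version)["upgrade_to"]
        for host, version in inventory.items()
        if assess(version)["status"] == "affected"
    }


# Constructed inventory (not real hosts).
SAMPLE_INVENTORY = {
    "app-01": "9.0.108",
    "app-02": "9.0.109",
    "app-03": "10.1.0-M7",
    "legacy-01": "8.5.99",
    "app-04": "11.0.11",
}


if __name__ == "__main__":
    for host, target in hosts_needing_upgrade(SAMPLE_INVENTORY).items():
        action = f"upgrade to {target}" if target else "branch is end-of-life; migrate"
        print(f"{host}: {SAMPLE_INVENTORY[host]} -> {action}")
```

The version string can be taken from the `Server version` line that `version.sh` / `version.bat` prints, or from the `ServerInfo` properties, and fed to `assess`; a `not-listed` result (for example a 10.0.x install) means the version falls outside the ranges given here, not that it is safe.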
Enhancing proactive cyber defense strategies is crucial for organizations to effectively and promptly reduce the risks of vulnerability exploitation. By leveraging SOC Prime’s complete product suite for enterprise-ready security protection backed by top cybersecurity expertise and AI, and built on zero-trust milestones, global organizations can future-proof defenses at scale and strengthen their cybersecurity posture.