What is CVE-2025-55752?
CVE-2025-55752 is a path traversal vulnerability in Apache Tomcat. It comes from a regression introduced during a past bug fix. Because of this flaw, Tomcat normalizes URLs before decoding them, which lets attackers craft requests that bypass access controls and reach restricted directories like /WEB-INF/ and /META-INF/.
In deployments where HTTP PUT is enabled, an attacker could upload files through this path and potentially gain remote code execution (RCE). While this is not a “plug-and-play” exploit, the right configuration conditions can make it dangerous for exposed Tomcat workloads.
Affected versions include:
- Tomcat 11.0.0-M1 through 11.0.10
- Tomcat 10.1.0-M1 through 10.1.44
- Tomcat 9.0.0-M11 through 9.0.108
- Some EOL builds may also be impacted
This issue is serious because Tomcat is widely used in enterprise web apps and middleware. Even a small number of exposed vulnerable instances can create major risk.
What assets are affected by CVE-2025-55752?
Systems running the affected versions of Tomcat are at risk, especially when:
- Rewrite rules are enabled
- HTTP PUT is allowed
- The server is internet-facing or reachable from untrusted networks
- Legacy or unmaintained Tomcat deployments are present
- File upload functionality exists on the application
Shadow IT and forgotten servers often fall into this category. These tend to carry the highest exposure because they are rarely monitored or patched on time.
Are fixes available?
Yes. Apache patched the issue in the following versions:
- Tomcat 11.0.11 and above
- Tomcat 10.1.45 and above
- Tomcat 9.0.109 and above
If patching is delayed, temporary steps include disabling PUT, reviewing rewrite rules, controlling access to upload endpoints, and increasing monitoring for suspicious upload behavior. These are short-term measures, not substitutes for updating.
Are there any other recommended actions to take?
Security teams should:
- Map all Tomcat servers across their environment
- Check version numbers and configuration settings
- Confirm whether rewrite rules and PUT are used
- Prioritize external-facing systems
- Monitor logs for path traversal attempts or unexpected uploads
- Validate that patches are applied correctly after updates
- Ensure partners and third-party vendors patch their Tomcat systems
This vulnerability should be included in threat-hunting and incident response playbooks for exposed web services.
Is CVE-2025-55752 being actively exploited?
At this time, public intelligence indicates that exploitation is possible but not yet widespread. Security researchers have published proof-of-concept code, and the Belgian Centre for Cybersecurity has warned that exploitation attempts are likely in the near future. EPSS scoring currently reflects a low but non-zero likelihood of exploitation, meaning the threat is real and could escalate as attackers begin scanning for exposed Tomcat systems.
While this vulnerability requires specific configurations to be fully exploitable, the combination of available PoC code and Tomcat’s broad enterprise footprint makes early action essential. Organizations should treat this as a priority vulnerability, monitor for suspicious activity, and patch affected systems as soon as possible.
How is CyCognito helping customers identify assets vulnerable to CVE-2025-55752?
CyCognito continuously discovers and analyzes externally exposed assets to help organizations understand whether CVE-2025-55752 may affect their environment. The platform identifies at-risk systems, highlights configurations that raise exploitability, and prioritizes remediation based on business importance.
CyCognito published an emerging threat advisory within the CyCognito platform on November 2, 2025 and is actively researching enhanced detection capabilities for this vulnerability. The platform already surfaces exposed assets tied to this technology stack, and CyCognito advises customers to review any systems running Apache Tomcat and related web services to assess potential exposure, even if they are not explicitly identified as running the vulnerable versions.
Check out CyCognito’s Emerging Threats page for more information on potentially relevant vulnerabilities.
How can CyCognito help your organization?
CyCognito gives security teams a clear view of every external asset, including systems they may not know exist. That visibility makes it easier to find Tomcat servers and understand which ones are vulnerable and exposed. Instead of working through large, noisy alert lists, teams see which systems matter most based on business impact and real-world exploit paths.
CyCognito then helps verify that the issue is fixed and continues watching for changes, so newly exposed systems don’t slip by. This helps organizations move faster, cut risk confidently, and stay ahead of attackers instead of responding after the fact.
To learn how CyCognito can help you understand your external attack surface and exposed risks, please visit our Contact Us page to schedule a demo.
