Tomcat CGI RCE on Windows: Enables remote code execution via crafted URL arguments when CGI is enabled. Disable CGI Servlet if not required. Apply patches for Apache Tomcat. Restrict Tomcat deployments from accessing Windows command line utilities via security manager.
When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows commands.
Exploit-DB.ai delivers real-time AI-triaged zero-day alerts directly to your inbox.
Activate Supernova →