H3-2025-0063

Apache Tomcat Manager Authenticated RCE via WAR Upload

Category VULNERABILITY
Base Score 8.5

Description

A malicious actor with valid credentials for the Apache Tomcat Manager web application can upload a WAR archive containing a JSP (or another platform-specific payload) through the Manager's upload endpoint. Once deployed, the payload executes when the deployed application is requested, resulting in remote code execution on the Tomcat host.

Impact

A threat actor who can authenticate to the Tomcat Manager application can deploy and execute arbitrary code on the server with the privileges of the Tomcat process, allowing them to run commands, install backdoors, or move laterally within the environment.
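The two-step pattern described above (a Manager deploy or upload, then a first request into the newly deployed context) is visible in Tomcat's access log. The detector below is an added example for this advisory, not part of it; it assumes the default AccessLogValve "common" pattern and the standard Manager endpoint paths, and the log lines it runs over are constructed.

```python
import re
from urllib.parse import parse_qs, urlparse

# Tomcat AccessLogValve "common" pattern: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+$')

# Manager endpoints that deploy a WAR: text/script API (PUT), legacy path, HTML form upload (POST)
DEPLOY_ENDPOINTS = {"/manager/text/deploy", "/manager/deploy", "/manager/html/upload"}

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match the pattern."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_manager_deploys(lines):
    """Flag successful deploy/upload calls and the first request into the new context.

    For /manager/text/deploy the context path comes from the `path` query parameter.
    The HTML upload derives the context from the WAR filename, which the access log
    does not carry, so for that endpoint only the deploy itself is reported.
    """
    events = [e for e in map(parse_line, lines) if e]
    findings = []
    for i, e in enumerate(events):
        url = urlparse(e["uri"])
        if url.path not in DEPLOY_ENDPOINTS or e["method"] not in ("PUT", "POST"):
            continue
        if e["status"][0] not in "23":  # 2xx success, or 3xx redirect after the HTML upload
            continue
        ctx = parse_qs(url.query).get("path", [None])[0]
        first_hit = None
        if ctx:
            for later in events[i + 1:]:
                p = urlparse(later["uri"]).path
                if p == ctx or p.startswith(ctx + "/"):
                    first_hit = later
                    break
        findings.append({"user": e["user"], "src": e["ip"], "endpoint": url.path,
                         "context": ctx, "first_hit": first_hit})
    return findings

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    '10.0.0.5 - admin [12/Mar/2025:10:01:02 +0000] "GET /manager/html HTTP/1.1" 200 8123',
    '10.0.0.5 - admin [12/Mar/2025:10:01:30 +0000] "PUT /manager/text/deploy?path=/newapp&update=true HTTP/1.1" 200 57',
    '10.0.0.9 - - [12/Mar/2025:10:01:45 +0000] "GET /newapp/index.jsp HTTP/1.1" 200 42',
    '10.0.0.7 - deployer [12/Mar/2025:10:05:00 +0000] "POST /manager/html/upload HTTP/1.1" 303 0',
]

if __name__ == "__main__":
    for f in find_manager_deploys(SAMPLE_LOG):
        hit = f["first_hit"]["uri"] if f["first_hit"] else "none yet"
        print(f'{f["user"]}@{f["src"]} deployed via {f["endpoint"]} context={f["context"]} first request: {hit}')
```

Every hit this reports should correspond to a change-managed deployment; a deploy from an unexpected source address or account, or a context that is requested seconds after deployment from a different host, is what to escalate.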

References