PatchSiren cyber security CVE debrief
CVE-2025-55752 Cert Portal CVE debrief
CVE-2025-55752 is a high-severity Apache Tomcat relative path traversal issue caused by a regression in URL rewrite handling: the rewritten URL was normalized before it was decoded. Under specific rewrite-rule configurations, an attacker could manipulate the request URI to bypass security constraints such as /WEB-INF/ and /META-INF/. If PUT is also enabled, the issue can escalate to malicious file upload and potential remote code execution. The supplied source corpus republishes this in a Siemens/CISA advisory context, but the technical flaw described is Tomcat-centric and should be validated against your actual deployment.
- Vendor: Cert Portal
- Product: Siemens SIMATIC CN 4100 vers:intdot/<5.0
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-12
- Original CVE updated: 2026-05-14
- Advisory published: 2026-05-12
- Advisory updated: 2026-05-14
Who should care
Administrators and security teams running affected Apache Tomcat versions, especially deployments that use rewrite rules that map query parameters into the URL, and any environment where PUT requests are enabled. Also review products or appliances that embed Tomcat, such as the Siemens SIMATIC CN 4100 covered by the advisory in the supplied source corpus, and treat EOL Tomcat versions as potentially affected until verified.
Technical summary
The regression introduced by the fix for bug 60013 changed request processing so the rewritten URL was normalized before it was decoded. For rewrite rules that move query parameters into the URL, this could let an attacker influence path handling enough to bypass protected areas like /WEB-INF/ and /META-INF/. The issue affects Tomcat 11.0.0-M1 through 11.0.10, 10.1.0-M1 through 10.1.44, and 9.0.0.M11 through 9.0.108; EOL versions 8.5.6 through 8.5.100 were also noted as affected. The CVE notes that PUT must also be enabled for the impact to escalate from traversal to file upload and potential RCE, which makes exploitation less likely but still serious in the right configuration.
Defensive priority
High, with configuration-dependent exposure.
Recommended defensive actions
- Upgrade Apache Tomcat to 11.0.11 or later, 10.1.45 or later, or 9.0.109 or later.
- Review rewrite rules for any logic that copies query parameters into the URL and remove or constrain that behavior where possible.
- Disable or tightly restrict HTTP PUT unless it is explicitly required and authenticated.
- Audit access controls protecting /WEB-INF/ and /META-INF/ and verify they are not bypassable in your current configuration.
- Inventory embedded or bundled Tomcat instances, including EOL branches, and confirm whether they inherit the vulnerable rewrite behavior.
- If you are following the Siemens advisory context in the supplied source corpus, apply the vendor remediation guidance from the referenced advisory, which directs SIMATIC CN 4100 deployments to V5.0 or later.
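The following audit helpers are an added example, not code from the advisory or from Apache Tomcat. They implement three of the checks above: whether a Tomcat version string falls inside the affected ranges quoted in the technical summary, whether a RewriteValve configuration contains rules that pull query parameters into the path (the assumed heuristic is a RewriteRule substitution that uses %{QUERY_STRING} or a %N backreference captured by a RewriteCond on %{QUERY_STRING}), and whether the DefaultServlet's readonly init-param is set to false, which is the setting that enables PUT. The rewrite.config and web.xml snippets are constructed samples.

```python
import re
import xml.etree.ElementTree as ET
FIXED = {(11, 0): (11, 0, 11), (10, 1): (10, 1, 45), (9, 0): (9, 0, 109)}  # first fixed release per branch

def is_affected(version):
    """True if a Tomcat version string falls in an affected range; milestones such as
    11.0.0-M1 or 9.0.0.M11 parse as x.y.0 and therefore count as affected."""
    v = tuple(int(x) for x in re.match(r"(\d+)\.(\d+)\.(\d+)", version).groups())
    if v[:2] == (8, 5):
        return 6 <= v[2] <= 100  # 8.5.6 through 8.5.100; branch is EOL, no fixed release
    fixed = FIXED.get(v[:2])
    return fixed is not None and v < fixed

def rewrite_rules_using_query(config_text):
    """Return (line_no, rule) for RewriteRule lines whose substitution uses %{QUERY_STRING}
    or a %N backreference captured by a preceding RewriteCond on %{QUERY_STRING}."""
    findings, cond_on_qs = [], False
    for no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("RewriteCond"):
            cond_on_qs = cond_on_qs or "%{QUERY_STRING}" in line
        elif line.startswith("RewriteRule"):
            parts = line.split()
            subst = parts[2] if len(parts) > 2 else ""
            if "%{QUERY_STRING}" in subst or (cond_on_qs and re.search(r"%\d", subst)):
                findings.append((no, line))
            cond_on_qs = False  # RewriteCond lines apply only to the next RewriteRule
    return findings

def put_enabled(web_xml_text):
    """True if the DefaultServlet sets readonly=false, which is what enables PUT and DELETE."""
    local = lambda el: el.tag.rsplit("}", 1)[-1]  # strip any XML namespace prefix
    for servlet in (e for e in ET.fromstring(web_xml_text).iter() if local(e) == "servlet"):
        if not any("DefaultServlet" in (c.text or "") for c in servlet if local(c) == "servlet-class"):
            continue
        for p in (c for c in servlet if local(c) == "init-param"):
            kv = {local(c): (c.text or "").strip() for c in p}
            if kv.get("param-name") == "readonly" and kv.get("param-value", "") == "false":
                return True
    return False

# Constructed sample inputs, not taken from any real deployment.
SAMPLE_REWRITE = """# rewrite.config
RewriteCond %{QUERY_STRING} ^page=(.*)$
RewriteRule ^/view$ /pages/%1 [L]
RewriteRule ^/old/(.*)$ /new/$1 [R]
"""
SAMPLE_WEB_XML = """<web-app><servlet><servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
<init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
</servlet></web-app>"""
```

Run the three functions over each Tomcat instance from your inventory; a hit on all three is the configuration in which the advisory says the traversal can escalate to file upload.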
Evidence notes
The supplied timeline shows the CVE published 2026-05-12 and modified 2026-05-14; those dates are used here for disclosure timing. The source corpus is internally mixed: the CISA CSAF container and Siemens references present an OT advisory wrapper, while the vulnerability description itself is Apache Tomcat CVE-2025-55752. The advisory states affected Tomcat ranges of 11.0.0-M1 through 11.0.10, 10.1.0-M1 through 10.1.44, 9.0.0.M11 through 9.0.108, and EOL 8.5.6 through 8.5.100; exploit impact depends on rewrite-rule behavior and whether PUT is enabled. No KEV entry was supplied.
Official resources
- CVE-2025-55752 CVE record (CVE.org)
- CVE-2025-55752 NVD detail (NVD)
- Source item URL (cisa_csaf)
Public advisory data in the supplied corpus; CVE published 2026-05-12 and modified 2026-05-14. No exploit code or weaponized reproduction details included.