PatchSiren cyber security CVE debrief

CVE-2025-55754 Cert Portal CVE debrief

CVE-2025-55754 is a critical Apache Tomcat issue in which ANSI escape sequences, left unescaped in log messages, could be injected through a specially crafted URL. In the documented scenario, this could let an attacker manipulate a Windows console and clipboard and potentially trick an administrator into running an attacker-controlled command. The source advisory also notes that no attack vector was found, while allowing that one may exist on other operating systems. Affected Tomcat ranges are 11.0.0-M1 through 11.0.10, 10.1.0-M1 through 10.1.44, 9.0.40 through 9.0.108, and the known affected EOL range 8.5.60 through 8.5.100.

Vendor
Cert Portal
Product
Siemens SIMATIC CN 4100 vers:intdot/<5.0
CVSS
CRITICAL 9.6
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-12
Original CVE updated
2026-05-14
Advisory published
2026-05-12
Advisory updated
2026-05-14

Who should care

Organizations running affected Apache Tomcat releases, especially on Windows systems where Tomcat logs are viewed in an ANSI-capable console. Administrators responsible for exposed Tomcat instances, and teams still using EOL Tomcat 8.5.x builds, should prioritize this immediately.

Technical summary

The flaw is an improper neutralization of escape, meta, or control sequences (CWE-150) in Tomcat log handling. Instead of escaping ANSI control sequences before writing log content, Tomcat could pass attacker-supplied escape sequences through to the console unchanged. The practical risk described in the advisory is console and clipboard manipulation that could mislead an administrator into executing a malicious command. The published CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H: reachable over the network without privileges, but dependent on user interaction, with a scope change because the impact lands on the administrator's console rather than on Tomcat itself. The fix ships in Apache Tomcat 11.0.11+, 10.1.45+, and 9.0.109+.
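The neutralization step the advisory describes as missing, as an added example that is not Tomcat's own code and not the project's actual fix: every C0/C1 control character in an untrusted log field is replaced with a visible \uXXXX escape before the line is written. Escaping each character rather than trying to parse and strip whole ANSI sequences is an assumption of this example, chosen because it leaves nothing for a terminal to interpret while keeping the evidence readable. The request path, function names and access-line layout are constructed for illustration.

```python
import re
from urllib.parse import unquote

# C0 controls (0x00-0x1F), DEL (0x7F) and C1 controls (0x80-0x9F).
# ESC (0x1b) starts 7-bit ANSI sequences; 0x9b is the 8-bit CSI byte.
CONTROL_RE = re.compile(r"[\x00-\x1f\x7f-\x9f]")


def neutralize_control_chars(text: str) -> str:
    """Replace every control character with a visible \\uXXXX escape.

    Escaping per character (instead of recognising and removing whole
    ANSI sequences) means malformed or unusual sequences cannot slip
    through, and the log still records exactly what was sent.
    """
    return CONTROL_RE.sub(lambda m: "\\u%04x" % ord(m.group(0)), text)


def contains_control_sequences(text: str) -> bool:
    """True if the text would be interpreted by an ANSI-capable console."""
    return CONTROL_RE.search(text) is not None


def decode_request_path(raw_path: str) -> str:
    """Percent-decode a request path the way a container does before it
    validates or logs it; this is where %1b becomes a real ESC byte."""
    return unquote(raw_path)


def format_access_line(remote_addr: str, method: str, raw_path: str, status: int) -> str:
    """Build one access-log line with every untrusted field neutralized.

    The layout is a simplified, constructed one, not Tomcat's AccessLogValve format.
    """
    path = neutralize_control_chars(decode_request_path(raw_path))
    method = neutralize_control_chars(method)
    return f'{remote_addr} "{method} {path}" {status}'


# Constructed sample: a request path carrying a clear-screen and a colour
# sequence. %1b is ESC, so "%1b[2J" decodes to ESC [ 2 J.
CRAFTED_PATH = "/app/%1b[2J%1b[31mALERT%1b[0m/index.html"

if __name__ == "__main__":
    decoded = decode_request_path(CRAFTED_PATH)
    print("control characters reach the log:", contains_control_sequences(decoded))
    print(format_access_line("203.0.113.7", "GET", CRAFTED_PATH, 404))
```

The same neutralization belongs on any other request-derived field that ends up in a log message (headers, query strings, rejected-request reasons), not only the path.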

Defensive priority

Immediate

Recommended defensive actions

  • Upgrade Apache Tomcat to 11.0.11 or later, 10.1.45 or later, or 9.0.109 or later.
  • If you rely on an affected EOL branch such as 8.5.60 through 8.5.100, migrate to a supported fixed release path as soon as possible.
  • Treat any Tomcat deployment that writes logs to an interactive console as high risk until patched, especially on Windows with ANSI support enabled.
  • Review administrative workflows so operators do not copy or execute commands from console output without validation.
  • Use the linked vendor and CISA advisories to confirm affected product lines and any environment-specific remediation guidance.
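A check that supports the third action above, as an added example that is not part of the advisory or of Tomcat: scan existing access or catalina logs for lines that already carry control characters, either as raw bytes that would have driven a console or as percent-encoded forms that show a crafted request was attempted. The log lines, function names and finding format are constructed for illustration; a real deployment would point scan_log_file at its own log directory.

```python
import re

# Raw C0 control bytes (excluding tab and line feed) and DEL. ESC (0x1b) is the
# byte that starts 7-bit ANSI sequences. 8-bit C1 controls (0x80-0x9f) are not
# matched on raw bytes because they also occur as UTF-8 continuation bytes.
RAW_CTRL_RE = re.compile(rb"[\x00-\x08\x0b-\x1f\x7f]")
# The same characters percent-encoded in a request line (%00-%1F, %7F, either case).
ENCODED_CTRL_RE = re.compile(rb"%(?:[01][0-9A-Fa-f]|7[Ff])")


def preview(line: bytes) -> str:
    """Render a line with control bytes shown as \\xNN so it is safe to print."""
    shown = RAW_CTRL_RE.sub(lambda m: b"\\x%02x" % ord(m.group(0)), line)
    return shown.decode("utf-8", "replace")


def scan_log_lines(lines):
    """Return one finding per suspicious line, in file order.

    Each finding records the 1-based line number, which kinds of evidence
    were seen ("raw" and/or "encoded"), how many hits, and a safe preview.
    """
    findings = []
    for line_no, line in enumerate(lines, start=1):
        raw_hits = len(RAW_CTRL_RE.findall(line))
        enc_hits = len(ENCODED_CTRL_RE.findall(line))
        kinds = []
        if raw_hits:
            kinds.append("raw")
        if enc_hits:
            kinds.append("encoded")
        if kinds:
            findings.append({
                "line_no": line_no,
                "kinds": kinds,
                "count": raw_hits + enc_hits,
                "preview": preview(line),
            })
    return findings


def scan_log_file(path):
    """Scan a log file as bytes so raw ESC characters are seen as sent."""
    with open(path, "rb") as fh:
        return scan_log_lines(fh.read().splitlines())


# Constructed sample in a combined access-log style: two benign requests,
# one with percent-encoded ESC sequences and one with a raw ESC byte.
SAMPLE_LOG = [
    b'203.0.113.7 - - [12/May/2026:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    b'203.0.113.7 - - [12/May/2026:10:00:02 +0000] "GET /app/%1B[2J%1B[31mALERT%1B[0m HTTP/1.1" 404 0',
    b'198.51.100.9 - - [12/May/2026:10:00:03 +0000] "GET /app/\x1b[2Jlogin HTTP/1.1" 404 0',
    b'198.51.100.9 - - [12/May/2026:10:00:04 +0000] "GET /static/app.js HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for finding in scan_log_lines(SAMPLE_LOG):
        print(f"line {finding['line_no']} {finding['kinds']} x{finding['count']}: {finding['preview']}")
```

Print only the preview field when reviewing findings; echoing a matched line as-is to an ANSI-capable console reproduces the very problem being hunted.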

Evidence notes

The source advisory explicitly states that Tomcat did not escape ANSI escape sequences in log messages and that specially crafted URLs could inject control sequences. It also states that no attack vector was found, while noting the possibility of impact on other operating systems. The advisory was republished by CISA from Siemens ProductCERT content. Source metadata contains a product/vendor mismatch ('Siemens SIMATIC CN 4100 vers:intdot/<5.0') against an Apache Tomcat description, so the product mapping should be treated cautiously; the vulnerability details themselves consistently describe Apache Tomcat.

Official resources

CVE published 2026-05-12 and modified 2026-05-14, matching the source advisory timeline. This debrief uses the advisory date context provided and does not infer a different issue date from publication or review timing.