Severity: Critical

ANSI escape sequence injection in Apache Tomcat log messages

Identifiers: CVE-2025-55754; CWE-150 (Improper Neutralization of Escape, Meta, or Control Sequences)

CVE-2025-55754 is an improper neutralization of escape, meta, or control sequences vulnerability in Apache Tomcat. Tomcat did not escape ANSI escape sequences in log messages. An attacker could supply a specially crafted URL containing ANSI escape/control sequences that would be written to logs and rendered by an ANSI-capable console. When Tomcat was running in a console on Windows, and that console supported ANSI escape sequences, this could allow manipulation of console output and the clipboard, creating conditions to socially engineer an administrator into executing an attacker-controlled command. The issue affects Apache Tomcat 11.0.0-M1 through 11.0.10, 10.1.0-M1 through 10.1.44, and 9.0.40 through 9.0.108. Apache also noted affected EOL versions 8.5.60 through 8.5.100, and older unsupported versions may also be affected.

Impact, mitigation & remediation

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an attacker to inject ANSI escape sequences into Tomcat log output, enabling console and clipboard manipulation in environments where the logs are viewed in an ANSI-capable interactive console. The primary impact is indirect but potentially severe: an administrator may be deceived into pasting or executing attacker-controlled commands. This can lead to compromise of confidentiality, integrity, and availability, depending on the privileges of the targeted administrator and the commands executed. No confirmed practical attack vector was identified, but the risk was still considered critical and may not be limited to Windows.

Mitigation

If you can’t patch tonight, do this now.

Until patches can be applied, avoid running Tomcat in an interactive ANSI-capable console, especially on Windows. Restrict administrator exposure to raw console log output, prefer logging to files or centralized logging systems that do not interpret ANSI control sequences, and reduce logging of untrusted request components where operationally feasible. Monitor for suspicious request URLs containing escape/control characters and review administrative procedures to reduce the chance of copy/paste or command-execution social engineering from console output.
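As an added illustration of the monitoring step above (example code written for this page, not code from Mallory or from Apache Tomcat): a small Python scanner that flags log lines carrying ESC-introduced sequences, singles out OSC 52 terminal clipboard writes, and renders control bytes visibly so a flagged line can be shown in a console without being interpreted. The log lines are constructed samples in access-log style.

```python
import re

# Constructed sample log lines (not from the original page). Lines 2 and 3
# embed ESC-based sequences of the kind the advisory describes: a CSI clear
# screen / colour change, and an OSC 52 clipboard write with harmless text.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2025:10:00:01 +0000] "GET /\x1b[2J\x1b[31mALERT HTTP/1.1" 404 0',
    '10.0.0.9 - - [01/Jan/2025:10:00:02 +0000] "GET /\x1b]52;c;aGVsbG8=\x07 HTTP/1.1" 404 0',
]

# ESC-introduced sequences: CSI (ESC [ params intermediates final),
# OSC (ESC ] ... terminated by BEL or ESC \), and any other two-byte ESC form.
ANSI_RE = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"             # CSI
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"  # OSC
    r"|\x1b[@-Z\\-_]"                      # other ESC + single byte
)
# Control bytes that should never appear in a log line meant for a console
# (tab and newline excluded; 0x9b is the single-byte C1 CSI).
CONTROL_RE = re.compile(r"[\x00-\x08\x0b-\x1f\x7f\x9b]")


def find_ansi_sequences(line):
    """Return every ESC-introduced sequence found in one log line."""
    return ANSI_RE.findall(line)


def is_clipboard_write(seq):
    """True for OSC 52, the sequence terminals use to set the clipboard."""
    return seq.startswith("\x1b]52;")


def neutralize(line):
    """Replace control bytes with a visible \\xNN form so the line is safe to print."""
    return CONTROL_RE.sub(lambda m: "\\x%02x" % ord(m.group(0)), line)


def scan(lines):
    """Report each line that contains escape sequences or stray control bytes."""
    findings = []
    for number, line in enumerate(lines, 1):
        seqs = find_ansi_sequences(line)
        if seqs or CONTROL_RE.search(line):
            findings.append({
                "line": number,
                "sequences": len(seqs),
                "clipboard": any(is_clipboard_write(s) for s in seqs),
                "safe": neutralize(line),
            })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG_LINES):
        print(finding)
```

Run it against a file instead by passing `open(path, encoding="utf-8", errors="replace")` to `scan`; only the neutralized `safe` text is ever printed.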

Remediation

Patch, then assume compromise.

Upgrade Apache Tomcat to a fixed version: 11.0.11 or later, 10.1.45 or later, or 9.0.109 or later. For deployments on unsupported branches such as 8.5.x, move to a supported fixed release because EOL versions do not receive ongoing security support. In downstream products embedding Tomcat, apply the vendor-supplied update that incorporates these Tomcat fixes.
Exploits

No public exploit code observed for this vulnerability.

Affected products & vendors

Vendor                       Product   Type
Apache Software Foundation   Tomcat    application
