Tomcat CGI RCE on Windows: Enables remote code execution via crafted URL arguments when CGI is enabled. Disable CGI Servlet if not required. Apply patches for Apache Tomcat. Restrict Tomcat deployments from accessing Windows command line utilities via security manager.
When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows commands.
Supernova subscribers receive AI-triaged CVE alerts the moment they're published — before the PoC drops.
Start Supernova — $99/mo →