The Windows installer for Apache Tomcat 6.0.0 through 6.0.20, 5.5.0 through 5.5.28, and possibly earlier versions uses a blank default password for the administrative user, which allows remote attackers to gain privileges.
CVE-2009-3548
Score elevated to 9.0 because EPSS predicts 87% probability of exploitation within the next 30 days (top 0.6% of all CVEs). Confidence: see factors.
- 75 internet-exposed hosts are running an affected version right now
- High exploitation likelihood — EPSS 79%
No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.
75 internet-exposed hosts are running an affected version of CVE-2009-3548 right now.
EchelonGraph is the only CVE feed that fuses live vulnerability intelligence with its own live internet-exposure radar — so you see not just that a CVE is exploited, but how much of the internet is exposed to it right now.
- CVSS v3
- —
- EG Score
- 9.0(low)
- EPSS
- 99.5%
- KEV
- Not listed
Published
November 12, 2009
Last Modified
April 23, 2026
References (52)
- secalert@redhathttp://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02241113
- secalert@redhathttp://marc.info/?l=bugtraq&m=127420533226623&w=2
- secalert@redhathttp://marc.info/?l=bugtraq&m=133469267822771&w=2
- secalert@redhathttp://marc.info/?l=bugtraq&m=136485229118404&w=2
- secalert@redhathttp://marc.info/?l=bugtraq&m=139344343412337&w=2
- secalert@redhathttp://markmail.org/thread/wfu4nff5chvkb6xp
- secalert@redhathttp://secunia.com/advisories/40330
- secalert@redhathttp://secunia.com/advisories/57126
- secalert@redhathttp://tomcat.apache.org/security-5.html
- secalert@redhathttp://tomcat.apache.org/security-6.html
- secalert@redhathttp://www.securityfocus.com/archive/1/507720/100/0/threaded
- secalert@redhathttp://www.securityfocus.com/archive/1/516397/100/0/threaded
- secalert@redhathttp://www.securityfocus.com/bid/36954
- secalert@redhathttp://www.securitytracker.com/id?1023146
- secalert@redhathttp://www.vmware.com/security/advisories/VMSA-2011-0003.html
Data Freshness Timeline
(refreshed 2× in last 7d / 23× in last 30d)
Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.
- 2026-07-06 02:19 UTCEPSS rescore
- 2026-07-06 02:19 UTCEPSS rescore
- 2026-06-30 23:19 UTCEPSS rescore
- 2026-06-28 14:03 UTCEPSS rescore
- 2026-06-28 04:52 UTCEPSS rescore
- 2026-06-28 04:52 UTCEPSS rescore
- 2026-06-25 13:46 UTCEPSS rescore
- 2026-06-25 13:46 UTCEPSS rescore
- 2026-06-24 14:02 UTCEPSS rescore
- 2026-06-24 14:02 UTCEPSS rescore
- 2026-06-23 21:29 UTCEPSS rescore
- 2026-06-23 21:29 UTCEPSS rescore
- 2026-06-18 17:49 UTCEPSS rescore
- 2026-06-18 17:49 UTCEPSS rescore
- 2026-06-16 17:49 UTCEPSS rescore
- 2026-06-16 17:49 UTCEPSS rescore
- 2026-06-15 17:44 UTCEPSS rescore
- 2026-06-13 22:57 UTCEPSS rescore
- 2026-06-12 23:08 UTCEPSS rescore
- 2026-06-12 23:08 UTCEPSS rescore
- 2026-06-10 22:14 UTCEPSS rescore
- 2026-06-10 13:17 UTCEPSS rescore
- 2026-06-08 14:13 UTCEPSS rescore
- 2026-06-05 22:44 UTCEPSS rescore
- 2026-06-05 22:44 UTCEPSS rescore
Show 19 moreShow fewer
- 2026-06-05 06:07 UTCEPSS rescore
- 2026-06-01 13:49 UTCEPSS rescore
- 2026-06-01 13:49 UTCEPSS rescore
- 2026-05-31 22:28 UTCEPSS rescore
- 2026-05-31 22:28 UTCEPSS rescore
- 2026-05-30 14:37 UTCEG score recompute
- 2026-05-30 14:37 UTCGHSA enrichment
- 2026-05-29 13:40 UTCEPSS rescore
- 2026-05-28 13:42 UTCEPSS rescore
- 2026-05-28 13:42 UTCEPSS rescore
- 2026-05-28 13:42 UTCEPSS rescore
- 2026-05-27 13:38 UTCEPSS rescore
- 2026-05-27 13:38 UTCEPSS rescore
- 2026-05-24 16:43 UTCEPSS rescore
- 2026-05-22 21:15 UTCEPSS rescore
- 2026-05-22 21:15 UTCEPSS rescore
- 2026-05-20 22:37 UTCEPSS rescore
- 2026-05-20 22:37 UTCEPSS rescore
- 2026-05-18 21:29 UTCEPSS rescore
Publicly available exploits
(5 references)Working exploit code is in the public domain (3 Metasploit modules) (2 Exploit-DB entries). Defenders should treat patch urgency accordingly — public PoCs typically lead to mass-exploitation within 24-72 hours.
- Exploit-DBEDB-31433✓ verifiedFirst seen Feb 5, 2014
Apache Tomcat Manager - Application Upload (Authenticated) Code Execution (Metasploit)
Open source ↗ - Exploit-DBEDB-16317✓ verifiedFirst seen Dec 14, 2010
Apache Tomcat Manager - Application Deployer (Authenticated) Code Execution (Metasploit)
Open source ↗ - Metasploitexploit/multi/http/tomcat_mgr_upload✓ verifiedFirst seen Nov 9, 2009
Apache Tomcat Manager Authenticated Upload Code Execution
Open source ↗ - Metasploitexploit/multi/http/tomcat_mgr_deploy✓ verifiedFirst seen Nov 9, 2009
Apache Tomcat Manager Application Deployer Authenticated Code Execution
Open source ↗ - Metasploitauxiliary/scanner/http/tomcat_mgr_login✓ verifiedFirst seen Jan 1, 2009
Tomcat Application Manager Login Utility
Open source ↗
Frequently asked(4)
What is CVE-2009-3548?
When was CVE-2009-3548 disclosed?
Is CVE-2009-3548 actively exploited?
How do I remediate CVE-2009-3548?
Dependency Blast Radius
Explore the affected products and dependency analysis for CVE-2009-3548
Is Your Infrastructure Affected by CVE-2009-3548?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.