vulnerability
Apache Tomcat: Important: Remote Code Execution (CVE-2016-8735)
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 7 | (AV:N/AC:L/Au:N/C:P/I:P/A:P) | Apr 6, 2017 | Apr 6, 2017 | Jun 19, 2026 |
Severity
7
CVSS
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
Published
Apr 6, 2017
Added
Apr 6, 2017
Modified
Jun 19, 2026
Description
Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn't updated for consistency with the CVE-2016-3427 Oracle patch that affected credential types.
Solutions
apache-tomcat-upgrade-6_0_48apache-tomcat-upgrade-7_0_73apache-tomcat-upgrade-8_0_39apache-tomcat-upgrade-8_5_8apache-tomcat-upgrade-9_0_0apache-tomcat-6_0apache-tomcat-7_0apache-tomcat-8_0apache-tomcat-8_5apache-tomcat-9_0apache-tomcat-upgrade-latest
References
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.