| Summary: Xerox evaluated DocuShare for Apache Tomcat CVE-2025-49124 and determined that DocuShare is not affected by design. This CVE exists in the Apache Tomcat Windows installer, and DocuShare does not use that installer path. |
Applies To
| DocuShare Release | Guidance |
| --- | --- |
| DocuShare 7.5 | Not affected under the standard Xerox DocuShare installation model. |
| DocuShare 7.6 | Not affected under the standard Xerox DocuShare installation model. |
| DocuShare 7.7 | Not affected under the standard Xerox DocuShare installation model. |
| DocuShare 8.0 | Not affected under the standard Xerox DocuShare installation model. |
Overview
CVE-2025-49124 is an untrusted search path issue in the Apache Tomcat installer for Windows. The reported behavior involves installer use of icacls.exe without a fully qualified path.
DocuShare does not install Tomcat by running the Apache Tomcat Windows installer. Instead, DocuShare bundles Tomcat as part of the DocuShare product and starts it through the DocuShare Monitor service.
Because the vulnerable installer path is not used by DocuShare, this CVE does not affect a standard DocuShare deployment.
What the Vulnerability Requires
The issue depends on a Windows installer path that is separate from normal Tomcat runtime traffic.
- A Windows deployment path that invokes the affected Tomcat installer behavior.
- The Apache Tomcat Windows installer calling icacls.exe without a fully qualified path.
- Local installation conditions that allow that installer behavior to be abused during setup activity.
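
The difference between calling a helper by bare name and by fully qualified path can be checked mechanically. The following is an added example, not code from Xerox, DocuShare, or Apache Tomcat. It models a search order as an ordered list of directories (an assumption, not the installer's actual lookup logic), and uses constructed temporary directories as stand-ins for a setup working directory and the Windows System32 directory.

```python
import os
import tempfile

def resolve(command, search_dirs):
    """Return the file a launcher would pick: the first match in search order."""
    if os.path.isabs(command):
        return command  # fully qualified: the search order is never consulted
    for directory in search_dirs:
        try:
            entries = os.listdir(directory)
        except OSError:
            continue  # missing or unreadable directory is skipped
        for entry in entries:
            if entry.lower() == command.lower():  # Windows names are case-insensitive
                return os.path.join(directory, entry)
    return None

def audit(command, search_dirs, trusted_dir):
    """Classify one helper invocation against the trusted system directory."""
    resolved = resolve(command, search_dirs)
    if resolved is None:
        return "not-found"
    in_trusted = os.path.realpath(os.path.dirname(resolved)) == os.path.realpath(trusted_dir)
    if os.path.isabs(command):
        return "ok-fully-qualified" if in_trusted else "qualified-but-untrusted"
    return "bare-name-currently-trusted" if in_trusted else "bare-name-untrusted"

def demo():
    """Constructed layout: a setup working directory searched before System32."""
    with tempfile.TemporaryDirectory() as root:
        workdir = os.path.join(root, "setup-workdir")  # constructed stand-in
        system32 = os.path.join(root, "System32")      # constructed stand-in
        os.makedirs(workdir)
        os.makedirs(system32)
        open(os.path.join(system32, "icacls.exe"), "w").close()
        order = [workdir, system32]
        results = {"bare_clean": audit("icacls.exe", order, system32)}
        # An empty same-named placeholder now exists in the earlier directory.
        open(os.path.join(workdir, "ICACLS.EXE"), "w").close()
        results["bare_shadowed"] = audit("icacls.exe", order, system32)
        results["qualified"] = audit(os.path.join(system32, "icacls.exe"), order, system32)
        return results

if __name__ == "__main__":
    print(demo())
```

The first result shows why a bare-name call can pass testing: it resolves to the trusted directory only for as long as no earlier directory in the search order holds a file with the same name.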
DocuShare Assessment
| Assessment Item | Finding |
| --- | --- |
| Vulnerable component | Apache Tomcat Windows installer |
| How DocuShare provides Tomcat | Bundled as part of DocuShare rather than installed through the Apache Tomcat Windows installer |
| How DocuShare starts Tomcat | Through the DocuShare Monitor service |
| Customer guidance | Standard DocuShare deployments are not affected |
| Important: This advisory is different from runtime Tomcat CVEs. The vulnerable code is in the Apache Tomcat Windows installer, and that installer path is not part of the standard DocuShare product installation model. |
What You Should Do
- No action is required for a standard Xerox DocuShare deployment.
- If your organization has introduced a custom installation method that separately runs the Apache Tomcat Windows installer outside the standard DocuShare product installation, review that customization carefully.
- If your environment is Linux-only, this Windows installer CVE does not apply to your DocuShare deployment model.