01 · The Real Story
This is a sticky note on the server room door, not the master key
Tenable plugin 12085 fires when a remote Apache Tomcat instance still serves default content such as the ROOT landing page, default error page, documentation, or example JSP/servlet paths. This is not version-bound: any Tomcat deployment, including embedded or vendor-bundled Tomcat, can trigger if those default assets are still reachable.
The vendor's MEDIUM label is technically understandable for unauthenticated information disclosure, but operationally it is too high for a 10,000-host patch queue. In the real world this finding is usually reconnaissance fuel, not a compromise primitive: it leaks versioning and demo content that can help an attacker choose a follow-on path, but it still requires a second weakness such as an exposed management app, weak credentials, or a separate Tomcat/application CVE to become dangerous.
"Useful recon, not a breach path by itself—downgrade this to hardening backlog unless another Tomcat weakness is present"
02 · The Attack Path
4 steps from start to impact.
STEP 01
Probe Tomcat for default content
An attacker uses
curl, nikto, ffuf, or Nessus 12085 to request /, /examples/, /docs/, and a bogus path to trigger a 404. The goal is to confirm whether stock Tomcat pages, demo apps, or default error handling are still exposed.Conditions required:
- HTTP/S access to the Tomcat listener or reverse proxy in front of it
- Default webapps or Tomcat-generated error pages still reachable
Where this breaks in practice:
- A reverse proxy with custom error handling can mask the Tomcat default 404/500 pages
- Many hardened builds remove
examples,docs, and default ROOT content entirely
Detection/coverage: Excellent scanner coverage. This is a straightforward unauthenticated content check; remote scanners and DAST tools catch it reliably unless a proxy rewrites responses.
STEP 02
Extract version and environment clues
If the probe succeeds, the attacker reads version strings, page structure, and demo endpoints from the returned content. Simple tools like
curl and browser dev tools are enough; no exploit framework is required.Conditions required:
- Returned pages include Tomcat branding, version text, or example app behavior
- Response headers and body are not scrubbed by the proxy/application
Where this breaks in practice:
- Modern Tomcat hardening often suppresses banners and replaces stock pages
- Embedded Tomcat behind an app-specific UI may expose very little beyond a generic response
Detection/coverage: Web logs will show basic GET requests, but they blend into ordinary scanning noise. Detection quality is high only if you already alert on requests to
/examples/ or /docs/.STEP 03
Map to a second weakness
The attacker uses the reconnaissance output to test a separate path: known Tomcat CVEs for the identified branch, exposed
/manager or /host-manager, or weak/default credentials. This is where real risk begins, but it is outside what plugin 12085 proves.Conditions required:
- A second exploitable weakness exists on the same asset
- The disclosed version or behavior meaningfully narrows attacker effort
Where this breaks in practice:
- Without a second weakness, the chain dies here
- Manager and Host Manager are not usable by default without configured roles, and good builds keep them localhost-restricted
Detection/coverage: Version exposure itself is easy to see; follow-on activity is what matters. Watch for
/manager/html, /manager/text, /host-manager/html, brute-force attempts, and CVE-specific probes.STEP 04
Escalate only if another door is open
If the same host also exposes a management interface or carries a real exploitable Tomcat/application flaw, the default files reduce attacker uncertainty and speed up targeting. They do not create code execution or auth bypass on their own.
Conditions required:
- Internet or internal reachability to the next-stage target
- A separate exploitable condition on the host
Where this breaks in practice:
- This plugin alone does not provide a direct compromise path
- Blast radius stays limited to reconnaissance unless chained with another issue
Detection/coverage: Prioritize correlation rather than the finding alone:
12085 plus exposed management apps or a live Tomcat CVE is meaningful; 12085 alone usually is not.03 · Intelligence Metadata
The supporting signals.
| In-the-wild status | No evidence that default files themselves are a standalone exploited vulnerability. However, GreyNoise reported coordinated activity against exposed Tomcat Manager interfaces on 2025-06-10, showing attackers are actively interested in exposed Tomcat services. |
|---|---|
| PoC availability | No exploit repo is needed. curl, wget, nikto, ffuf, and Nessus can validate exposure with ordinary GET requests; meaningful abuse requires a second weakness. |
| EPSS | N/A. EPSS is CVE-based, and plugin 12085 is a hardening/configuration finding with no CVE. |
| KEV status | Not applicable. There is no CVE to appear in CISA KEV, and the KEV catalog does not track this generic default-files condition. |
| Vendor score | Tenable rates it Medium, CVSS v3 5.3 with CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, treating it like generic low-grade information disclosure. |
| Affected versions | Potentially any Apache Tomcat version or embedded/vendor-packaged Tomcat instance where stock ROOT content, docs, examples, or default error pages remain exposed. This is a configuration state, not a specific release window. |
| Fixed versions | There is no patched Tomcat version for this finding. Resolution is configuration and packaging hygiene: remove unused default webapps, replace default error pages, and suppress version leakage where feasible. |
| Scanning / exposure data | There is no authoritative public census for plugin 12085 specifically. The best current signal is adjacent: GreyNoise saw a spike in Tomcat Manager brute-force and login activity in June 2025, which reinforces that exposed Tomcat surfaces get scanned aggressively. |
| Timeline | Tenable published plugin 12085 on 2004-03-02 and last updated it on 2024-09-03. This is an old, persistent hardening issue, not a newly disclosed vulnerability. |
| Research / authority | Primary guidance comes from Tenable Research, Apache Tomcat security documentation, and OWASP secure-by-default guidance. Apache explicitly says unused default webapps should be removed and that examples should always be removed from security-sensitive installations. |
04 · The Call
noisgate verdict.
Final Verdict
↓ DOWNGRADED to LOW (2.8/10)
The decisive friction is that this finding is reconnaissance-only in most environments: it exposes branding, versioning, and demo content, but it does not itself provide execution, authentication bypass, or data access. It stays worth cleaning up because Tomcat is widely deployed and attackers do scan these surfaces, but the chain still needs a second open door before this becomes an incident.
HIGH This finding is usually information disclosure / hardening hygiene rather than direct compromise
MEDIUM Exact risk varies depending on whether `examples`, `docs`, default error pages, or additional Tomcat admin surfaces are also exposed
Why this verdict
- Start at Tenable's 5.3: the vendor scores this like a generic unauthenticated information disclosure.
- Downward adjustment for no exploit primitive: default files do not by themselves deliver RCE, auth bypass, or direct data theft; they mostly leak version and environment clues.
- Downward adjustment for chain dependency: meaningful impact usually requires a second condition such as exposed
/manageror/host-manager, weak credentials, or a separate Tomcat/application CVE. - Downward adjustment for exposure reality: many enterprise Tomcat instances sit behind reverse proxies, app front ends, or hardened images that already hide or remove the default content.
- Not IGNORE because recon still matters: on an internet-facing Tomcat service, stock examples and default error pages shorten attacker enumeration and can materially help a follow-on attack.
Why not higher?
This is not a one-click compromise. There is no direct integrity or availability impact demonstrated by the plugin, and even the confidentiality impact is usually limited to versioning, paths, and demo behavior. For a higher rating, the finding would need to prove reachable admin functionality, weak/default credentials, or a concrete exploitable CVE on the same host.
Why not lower?
It is still a real externally observable weakness, not pure cosmetic noise. Apache's own security guidance says unused default webapps should be removed, and examples should always be removed from security-sensitive installations because they can aid an attacker. On internet-facing Tomcat, this is enough to keep it above IGNORE.
05 · Compensating Control
What to do — in priority order.
- Remove default webapps — Delete or exclude
examples,docs, and unused ROOT content from Tomcat images and installs. For a LOW verdict there is no SLA; treat this as backlog hygiene and complete it in the next routine hardening cycle, especially first on internet-facing assets. - Replace default error pages — Serve custom 404/500 responses at the reverse proxy or app tier so Tomcat does not disclose stock error pages or version clues. Again, for LOW there is no mitigation SLA; fold this into your normal web hardening workstream.
- Lock down management interfaces — Ensure
/managerand/host-managerare either removed, bound to localhost, or restricted with IP allowlists and strong auth. This is not required to clear plugin12085, but it prevents the recon from turning into a real compromise path. - Suppress easy fingerprinting — Review reverse-proxy and Tomcat headers, banners, and default content so version and product details are not handed out for free. This is a hygiene task, not an emergency patch, unless another Tomcat exploit is in play.
- Rebuild embedded Tomcat packages — For products that ship embedded Tomcat, adjust the application image or vendor-supported package layout to exclude demo content rather than trying to 'patch' Tomcat. There is no fixed version for this finding, so packaging control is the durable answer.
What doesn't work
- A WAF alone does not solve this; the requests are ordinary GETs for legitimate-looking paths and usually won't trigger exploit signatures.
- Upgrading Tomcat by itself does not clear the issue because there is no patched version for 'default files'—this is a deployment-state problem.
- Credential rotation alone does not help because the finding is unauthenticated content exposure, not an account compromise issue.
06 · Verification
Crowdsourced verification payload.
Run this from an auditor workstation or CI job that can reach the target URL over HTTP/S. Invoke it as python3 tomcat_default_files_check.py https://app.example.com:8443; no local privileges are required, and it reports VULNERABLE, PATCHED, or UNKNOWN based on remote content checks.
#!/usr/bin/env python3
# tomcat_default_files_check.py
# Remote check for Apache Tomcat default files / default error pages.
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN, 3=USAGE
import sys
import ssl
import urllib.request
import urllib.error
from urllib.parse import urljoin
TIMEOUT = 10
HEADERS = {
'User-Agent': 'noisgate-tomcat-default-files-check/1.0'
}
INDICATORS = [
'Apache Tomcat',
'Tomcat Examples',
'Tomcat Documentation',
'HTTP Status 404',
'HTTP Status 500',
'If you\'re seeing this',
'The requested resource',
]
PATHS = [
'/',
'/examples/',
'/examples/jsp/',
'/examples/servlets/',
'/docs/',
'/this-path-should-not-exist-noisgate-404-test'
]
def fetch(url):
req = urllib.request.Request(url, headers=HEADERS)
try:
with urllib.request.urlopen(req, timeout=TIMEOUT, context=ssl.create_default_context()) as resp:
body = resp.read(65536).decode('utf-8', errors='ignore')
return resp.getcode(), body, dict(resp.headers)
except urllib.error.HTTPError as e:
try:
body = e.read(65536).decode('utf-8', errors='ignore')
except Exception:
body = ''
return e.code, body, dict(e.headers)
except Exception as e:
return None, str(e), {}
def has_indicator(text, headers):
haystack = text + '\n' + '\n'.join([f'{k}: {v}' for k, v in headers.items()])
return [i for i in INDICATORS if i.lower() in haystack.lower()]
def normalize_base(base):
if not base.startswith('http://') and not base.startswith('https://'):
base = 'http://' + base
if not base.endswith('/'):
base += '/'
return base
def main():
if len(sys.argv) != 2:
print('UNKNOWN - usage: python3 tomcat_default_files_check.py <base_url>')
sys.exit(3)
base = normalize_base(sys.argv[1])
findings = []
reachable = False
for path in PATHS:
url = urljoin(base, path.lstrip('/')) if path != '/' else base
code, body, headers = fetch(url)
if code is None:
continue
reachable = True
hits = has_indicator(body, headers)
if hits:
findings.append({
'url': url,
'status': code,
'hits': hits[:5]
})
if not reachable:
print('UNKNOWN - target unreachable or TLS/HTTP request failed for all probes')
sys.exit(2)
if findings:
print('VULNERABLE - default Tomcat content or Tomcat-generated error pages detected')
for f in findings:
print(f" {f['status']} {f['url']} -> {', '.join(f['hits'])}")
sys.exit(1)
print('PATCHED - no default Tomcat content detected in tested paths')
sys.exit(0)
if __name__ == '__main__':
main()
07 · Bottom Line
If you remember one thing.
TL;DR
On Monday morning, do not let this crowd out real exploit paths. For a LOW verdict there is no noisgate mitigation SLA and no noisgate remediation SLA—treat it as backlog hygiene, inventory which Tomcat and embedded-Tomcat services are internet-facing, and remove default ROOT/docs/examples plus stock error handling in the next routine hardening cycle; if any affected host also exposes
/manager or /host-manager or carries a live Tomcat CVE, escalate that host immediately out of this bucket.Sources
- Tenable Nessus Plugin 12085 Overview
- Tenable Nessus Plugin 12085 Changelog
- Apache Tomcat 9 Security Considerations
- Apache Tomcat 9 Manager App How-To
- Apache Tomcat 11 Host Manager App How-To
- OWASP Secure by Default Guidance
- GreyNoise: Coordinated Brute Force Activity Targeting Apache Tomcat Manager
- Broadcom: Tomcat default files scan warning
Peer Review
What defenders are saying.
Submit a review
attribution: handle + country only
0 flags selected · stored anonymously
Validation Results
Crowdsourced verification outputs.
Results submitted by users who ran the verification payload against their environment.