Remediating Apache Tomcat Vulnerability (CVE-2025-24813) in AAI IWS Connector

Article ID: 408656


Products

Automation Analytics & Intelligence

Issue/Introduction

An Apache Tomcat vulnerability (CVE-2025-24813) has been identified within the Automation Analytics & Intelligence (AAI) IWS Connector. Users might detect this vulnerability during security scans, which flag an outdated or vulnerable version of Apache Tomcat bundled with their AAI IWS Connector. Specifically, this applies to AAI IWS Connector versions earlier than 24.2.

Environment

AAI IWS Connector 24.1.x and earlier 

Resolution

To remediate the Apache Tomcat vulnerability (CVE-2025-24813), upgrade your AAI IWS Connector to version 24.2.

  1. Upgrade AAI IWS Connector: Upgrade your AAI IWS Connector to version 24.2 or higher.

    • AAI IWS Connector 24.2 bundles Apache Tomcat 11.0.7.0.
    • Apache Tomcat 11.0.7.0 and later versions resolve CVE-2025-24813 (the vulnerability is resolved in versions later than Apache Tomcat 11.0.2).
  2. IWS Connector 24.2.x requires JDK 17.x to be installed and the JAVA_HOME directory set to a JDK 17.x directory. Previous versions required JDK 1.8.
  3. Verify New Tomcat Version (Post-Upgrade):
    After upgrading to AAI IWS Connector 24.2 (or later), you can verify the bundled Tomcat version by executing the appropriate version script within the connector's installation directory (e.g., ./version.sh in the bin directory of the connector installation). The output should reflect Server version: Apache Tomcat/11.0.7 or higher.
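
The post-upgrade verification in steps 2 and 3 can be scripted so that it fails loudly on an old Tomcat or the wrong JDK. The script below is an added example, not vendor-supplied code; it assumes the connector installation directory is passed as the first argument and that version.sh sits in its bin directory, as in the example above.

```shell
#!/bin/sh
# Added example: post-upgrade check of the bundled Tomcat and the JDK.
# Thresholds are the ones the article states; the install path is an argument.
MIN_TOMCAT="11.0.7"
REQ_JDK_MAJOR=17

# Read version.sh output on stdin and print the version, e.g. "11.0.7".
tomcat_version() {
    sed -n 's|^Server version:[[:space:]]*Apache Tomcat/\([0-9][0-9.]*\).*|\1|p' | head -n 1
}

# Return 0 when dotted version $1 >= $2. Fields are compared numerically,
# so 11.0.10 > 11.0.7 and 11.0.7.0 == 11.0.7; an empty $1 counts as too old.
# Inputs must contain only digits and dots (tomcat_version guarantees this).
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# Read `java -version` output on stdin and print the major version.
# Handles both the legacy scheme (1.8.0_381 -> 8) and the current one (17.0.9 -> 17).
java_major() {
    v=$(sed -n 's/.* version "\([^"]*\)".*/\1/p' | head -n 1)
    case $v in 1.*) v=${v#1.} ;; esac
    echo "${v%%[._-]*}"
}

# Run the check only when a connector directory is given as the first argument.
if [ -n "${1:-}" ]; then
    tv=$("$1/bin/version.sh" 2>/dev/null | tomcat_version)
    jv=$("${JAVA_HOME:-/nonexistent}/bin/java" -version 2>&1 | java_major)
    rc=0
    version_ge "$tv" "$MIN_TOMCAT" ||
        { echo "FAIL: Tomcat '${tv:-unknown}' is older than $MIN_TOMCAT"; rc=1; }
    [ "${jv:-0}" -eq "$REQ_JDK_MAJOR" ] 2>/dev/null ||
        { echo "FAIL: JAVA_HOME JDK major is '${jv:-unknown}', expected $REQ_JDK_MAJOR"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: Tomcat $tv, JDK $jv"
    exit "$rc"
fi
```

A non-zero exit status means the connector is still running a Tomcat older than 11.0.7 or JAVA_HOME does not point at a JDK 17.x installation.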