FlagThis - #apachetomcat

GreyNoise has issued a warning regarding a coordinated brute force campaign targeting Apache Tomcat Manager interfaces. On June 5, 2025, their threat intelligence system detected a significant surge in malicious activity, specifically brute-force and login attempts against these interfaces. This spike prompted GreyNoise to issue tags for "Tomcat Manager Brute Force Attempt" and "Tomcat Manager Login Attempt," both registering well above their usual baseline volumes, suggesting a deliberate and widespread effort to identify and exploit exposed Tomcat services.

295 unique IP addresses were observed engaging in brute-force attempts, while 298 IPs conducted login attempts. Almost all were classified as malicious. Much of the activity originated from infrastructure hosted by DigitalOcean. The concentrated nature of these attacks, focusing primarily on Tomcat services, indicates a coordinated campaign rather than random, opportunistic scanning. GreyNoise believes that such activity serves as an early warning sign of future exploitation.

Organizations are urged to immediately block the malicious IPs identified by GreyNoise and to strengthen their security posture regarding exposed Tomcat Manager interfaces. This includes implementing robust authentication mechanisms, enforcing strict access restrictions, and carefully reviewing recent login activity for any anomalies. With a focus on helping defenders take faster action on emerging threats, GreyNoise continues to monitor the situation and is developing an enhanced dynamic IP blocklist to help defenders take faster action on emerging threats.


References :

• The Hacker News: 295 Malicious IPs Launch Coordinated Brute-Force Attacks on Apache Tomcat Manager
• The GreyNoise Blog: Coordinated Brute Force Campaign Targets Apache Tomcat Manager Interfaces Using 400 Malicious IPs
• www.scworld.com: Apache Tomcat Manager subjected to brute-force, login intrusions
• cyberpress.org: Apache Tomcat Manager Under Attack by 400 Unique IP Addresses

Classification:

• HashTags: #ApacheTomcat #BruteForce #WebSecurity
• Company: Google
• Target: Apache Tomcat Servers
• Product: Tomcat Manager
• Feature: Brute Force Attacks
• Type: Hack
• Severity: Medium

CISA has added a new Apache Tomcat vulnerability, identified as CVE-2025-24813, to its Known Exploited Vulnerabilities (KEV) catalog. This action follows evidence that the flaw is being actively exploited in the wild, posing a significant risk to organizations utilizing affected versions of Apache Tomcat. The vulnerability is a path equivalence issue within Apache Tomcat.

To mitigate the risk posed by CVE-2025-24813, impacted users are urged to upgrade their Apache Tomcat installations to the latest secure versions. Specifically, upgrades to Apache Tomcat 11.0.3 or later, Apache Tomcat 10.1.35 or later, or Apache Tomcat 9.0.99 or later are recommended. The advisory also includes IPS protection measures to detect and block potential attack attempts targeting this vulnerability affecting the Apache Tomcat web server.


References :

• securityaffairs.com: U.S. CISA adds Apache Tomcat flaw to its Known Exploited Vulnerabilities catalog
• bishopfox.com: Tomcat CVE-2025-24813: What You Need to Know
• securityonline.info: CISA Flags Apache Tomcat CVE-2025-24813 as Actively Exploited with 9.8 CVSS
• fortiguard.fortinet.com: Apache Tomcat RCE
• FireCompass: Critical Apache Tomcat Vulnerability: CVE-2025-24813 Enables RCE – Are You Vulnerable?

Classification:

• HashTags: #Cybersecurity #ApacheTomcat #Vulnerability
• Company: CISA
• Target: Federal Civilian Executive Branch (FCEB) agencies
• Product: Apache Tomcat
• Feature: Path Equivalence Vulnerability
• Malware: CVE-2025-24813
• Type: Vulnerability
• Severity: Major