GreyNoise and Apache Software Foundation: Brute-force attacks target Apache Tomcat management panels

Brute-Force Attacks Target Exposed Apache Tomcat Manager Interfaces

Cybersecurity firm GreyNoise has identified two coordinated brute-force attack campaigns targeting Apache Tomcat Manager interfaces exposed online. The attacks, detected beginning June 5th, involved nearly 400 unique IP addresses, most flagged as malicious, attempting to gain unauthorized access to Tomcat services.

Apache Tomcat, a widely used open-source web server, includes Tomcat Manager, a web-based administration tool for managing deployed applications. While the tool is configured by default to restrict access to localhost (127.0.0.1) and lacks pre-set credentials, misconfigurations can expose it to remote attacks. The observed campaigns leveraged automated tools to test thousands of credential combinations, with a significant portion of the malicious traffic originating from DigitalOcean-hosted infrastructure (ASN 14061).

GreyNoise noted that while these attacks did not exploit a specific vulnerability, they reflect ongoing interest in exposed Tomcat services, often serving as a precursor to more severe exploitation. The company emphasized that organizations with exposed Tomcat Manager interfaces should enforce strong authentication and access controls to mitigate risks.
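For defenders who want to check their own servers for this pattern, the sketch below counts failed logins against the Manager and Host Manager paths in a Tomcat access log. It is an added example, not code from GreyNoise, Apache or the original article. It assumes the AccessLogValve `common` pattern and a threshold of five failures per source; the log lines are constructed sample data.

```python
import re
from collections import defaultdict

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"[A-Z]+ (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)
# Default context paths of the Manager and Host Manager web applications.
ADMIN_PATH_RE = re.compile(r'^/(manager|host-manager)(/|$)')

def _line(ip, sec, path, status, user="-"):
    """Build one constructed access-log line (sample data, not real traffic)."""
    return (f'{ip} - {user} [05/Jun/2025:10:00:{sec:02d} +0000] '
            f'"GET {path} HTTP/1.1" {status} 1024')

# Constructed sample; addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = (
    [_line("203.0.113.10", s, "/manager/html", 401) for s in range(6)]
    + [_line("203.0.113.10", 6, "/manager/html", 200, "admin")]
    + [_line("192.0.2.99", s, "/host-manager/html", 401) for s in range(5)]
    + [_line("198.51.100.7", s, "/manager/html", 401) for s in range(2)]
    + [_line("198.51.100.7", 2, "/manager/html", 200, "ops")]
    + [_line("192.0.2.44", 0, "/index.jsp", 200)]
)

def find_manager_bruteforce(lines, threshold=5):
    """Return {ip: summary} for sources with >= threshold 401s on admin paths.

    Lines are assumed to be in chronological order, as in a Tomcat log file.
    """
    stats = defaultdict(lambda: {"failures": 0, "success_after_failures": False})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or not ADMIN_PATH_RE.match(m["path"]):
            continue  # unparseable line or not an administrative path
        entry = stats[m["ip"]]
        status = int(m["status"])
        if status == 401:
            entry["failures"] += 1
        elif status == 200 and entry["failures"] >= threshold:
            # A 200 after repeated failures may be a guessed password: escalate.
            entry["success_after_failures"] = True
    return {ip: s for ip, s in stats.items() if s["failures"] >= threshold}

if __name__ == "__main__":
    for ip, summary in find_manager_bruteforce(SAMPLE_LOG).items():
        print(ip, summary)
```

A source that is flagged with `success_after_failures` set warrants a credential reset and a review of recently deployed applications, not just an IP block.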

Separately, Apache recently addressed multiple remote code execution (RCE) vulnerabilities in Tomcat. In March, a patch was released for CVE-2025-24813, an actively exploited flaw allowing attackers to take over vulnerable servers via a PUT request. Proof-of-concept (PoC) exploits for this vulnerability appeared on GitHub within 30 hours of disclosure. Additionally, in December 2024, Apache fixed CVE-2024-56337, a flaw that could bypass a previous patch for the critical CVE-2024-50379 RCE vulnerability.

The incidents underscore the persistent targeting of Tomcat deployments, particularly when misconfigured or left unpatched.

Source: https://www.bleepingcomputer.com/news/security/brute-force-attacks-target-apache-tomcat-management-panels/

GreyNoise TPRM report: https://www.rankiteo.com/company/greynoise

Apache Software Foundation TPRM report: https://www.rankiteo.com/company/the-apache-software-foundation

"id": "grethe1767062795",
"linkid": "greynoise, the-apache-software-foundation",
"type": "Cyber Attack",
"date": "6/2025",
"severity": "25",
"impact": "1",
"explanation": "Attack without any consequences"
{'affected_entities': [{'type': 'Large Enterprises, SaaS Providers'}],
 'attack_vector': 'Remote Access to Exposed Web Interface',
 'date_detected': '2025-06-05',
 'description': 'A coordinated campaign of brute-force attacks using hundreds '
                'of unique IP addresses targeted Apache Tomcat Manager '
                'interfaces exposed online. The attacks aimed to gain '
                'unauthorized access to Tomcat services, with nearly 400 '
                'unique IPs involved, primarily hosted by DigitalOcean. While '
                'no specific vulnerability was exploited, the activity '
                'highlights ongoing interest in exposed Tomcat services.',
 'impact': {'systems_affected': 'Apache Tomcat Servers with Exposed Manager '
                                'Interfaces'},
 'investigation_status': 'Ongoing',
 'lessons_learned': 'Exposed administrative interfaces like Tomcat Manager are '
                    'prime targets for brute-force attacks. Organizations must '
                    'enforce strong authentication, restrict remote access, '
                    'and monitor for suspicious login activity.',
 'motivation': 'Opportunistic Access, Potential Future Exploitation',
 'post_incident_analysis': {'corrective_actions': 'Restrict remote access to '
                                                  'Tomcat Manager, enforce '
                                                  'strong authentication, and '
                                                  'apply security patches.',
                            'root_causes': 'Exposed Tomcat Manager interfaces '
                                           'with weak or default credentials, '
                                           'lack of access restrictions.'},
 'recommendations': ['Ensure Tomcat Manager interfaces are not exposed to the '
                     'internet.',
                     'Implement strong authentication and access restrictions.',
                     'Monitor security logs for suspicious login attempts.',
                     'Block IP addresses involved in breach attempts.',
                     'Apply security patches promptly, especially for critical '
                     'vulnerabilities like CVE-2025-24813.'],
 'references': [{'source': 'GreyNoise'}],
 'response': {'containment_measures': 'Blocking suspicious IP addresses, '
                                      'reviewing security logs',
              'remediation_measures': 'Ensuring strong authentication and '
                                      'access restrictions for Tomcat Manager'},
 'title': 'Coordinated Brute-Force Attacks on Exposed Apache Tomcat Manager '
          'Interfaces',
 'type': 'Brute-Force Attack'}