GreyNoise Warning: Coordinated Brute-Force Attacks on Apache Tomcat Manager

Overview of the Incident

On June 5, 2025, GreyNoise observed a significant and coordinated surge in brute-force and login attempts targeting Apache Tomcat Manager interfaces exposed to the internet. This activity marked a sharp deviation from typical background noise, with two GreyNoise tags—Tomcat Manager Brute Force Attempt and Tomcat Manager Login Attempt—registering volumes well above their usual baselines.

Key Findings

• Nearly 400 unique IP addresses were involved in the campaign, with 250 IPs participating in brute-force attempts and 298 in login attempts. Most of these IPs were classified as malicious.
• The baseline for such activity is typically much lower (1–15 IPs for brute-force, 10–40 for login attempts), making this spike highly unusual and clearly coordinated.
• A significant portion of the attack traffic originated from infrastructure hosted by DigitalOcean (ASN 14061).
• The majority of malicious IPs were located in the United States, United Kingdom, Germany, the Netherlands, and Singapore, with targets spanning the US, UK, Spain, Germany, India, and Brazil.

Nature of the Attack

These brute-force campaigns used automated tools to try large numbers of username and password combinations against Tomcat Manager interfaces. The goal was to identify and compromise exposed Tomcat services at scale. The Tomcat Manager is a web-based administration tool that, if exposed online without proper restrictions, can be a high-value target for attackers.

Importantly, this wave of attacks was not tied to any specific newly disclosed vulnerability. Instead, it reflects ongoing opportunistic interest in Tomcat services that are accessible from the internet, likely as a precursor to more targeted or sophisticated exploitation in the future.

Relation to Recent Tomcat Vulnerabilities

While these brute-force attacks were not exploiting a specific vulnerability, they come on the heels of recent disclosures and active exploitation of critical Apache Tomcat vulnerabilities, such as CVE-2025-24813, which allows remote code execution under certain non-default configurations. This context underscores the heightened risk for organizations running outdated or misconfigured Tomcat instances.

Recommendations for Defenders

GreyNoise and other security experts recommend the following immediate actions:
• Block the IP addresses identified as malicious in this campaign.
• Ensure Tomcat Manager interfaces are not exposed to the public internet unless absolutely necessary.
• Enforce strong authentication and access restrictions on any Tomcat Manager instances that must be accessible remotely.
• Regularly review security logs for anomalous login activity or unauthorized access attempts.
• Stay current with security patches for Apache Tomcat, especially in light of recent RCE vulnerabilities.
• Consider subscribing to dynamic threat intelligence feeds or blocklists to respond quickly to emerging threats.
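To make the "review security logs for anomalous login activity" step concrete, here is an added example (not part of the GreyNoise advisory) that scans Tomcat access-log lines for the pattern this campaign produces: bursts of 401/403 responses on /manager/* from one source IP. It assumes the AccessLogValve "common" pattern (%h %l %u %t "%r" %s %b); the log lines, IPs and the 5-failures-in-5-minutes threshold are constructed for illustration and should be tuned to your own baseline.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b  (assumed format)
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # not an access-log line in the expected format
    return (m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT),
            m.group("path"), int(m.group("status")))

def find_bruteforcers(lines, threshold=5, window=timedelta(minutes=5)):
    """Map IP -> total failed Manager requests, for every IP that produced at
    least `threshold` 401/403 responses on /manager/* inside any `window`."""
    failures = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, path, status = rec
        if path.startswith("/manager/") and status in (401, 403):
            failures[ip].append(ts)
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):   # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged

# Constructed sample log (RFC 5737 documentation addresses, not real indicators).
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Jun/2025:10:15:01 +0000] "GET /manager/html HTTP/1.1" 401 2473',
    '203.0.113.7 - - [05/Jun/2025:10:15:02 +0000] "GET /manager/html HTTP/1.1" 401 2473',
    '203.0.113.7 - - [05/Jun/2025:10:15:04 +0000] "GET /manager/html HTTP/1.1" 401 2473',
    '203.0.113.7 - - [05/Jun/2025:10:15:05 +0000] "GET /manager/html HTTP/1.1" 401 2473',
    '203.0.113.7 - - [05/Jun/2025:10:15:09 +0000] "GET /manager/html HTTP/1.1" 401 2473',
    '198.51.100.9 - - [05/Jun/2025:10:20:11 +0000] "GET /manager/html HTTP/1.1" 401 2473',
    '198.51.100.9 - admin [05/Jun/2025:10:20:30 +0000] "GET /manager/html HTTP/1.1" 200 19802',
    '192.0.2.4 - - [05/Jun/2025:10:21:00 +0000] "GET /app/login HTTP/1.1" 404 1063',
]
```

Running `find_bruteforcers(SAMPLE_LOG)` flags only 203.0.113.7; the single mistyped password from 198.51.100.9 stays below the threshold, and non-Manager paths are ignored entirely.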