
A coordinated brute-force attack campaign is actively targeting Apache Tomcat Manager interfaces exposed to the Internet, with hundreds of unique IP addresses involved in attempts to gain unauthorized access. The campaign was identified by cybersecurity firm GreyNoise, which reported detecting the activity beginning June 5, 2025.
Apache Tomcat, a widely used open-source web server favored by enterprises and SaaS providers, includes a bundled tool known as Tomcat Manager. This web-based interface allows administrators to manage deployed web applications. By default, Tomcat Manager is restricted to localhost (127.0.0.1), ships with no predefined credentials, and requires manual configuration to enable remote access. However, when improperly exposed online, the interface becomes a potential target for attackers.
GreyNoise observed two distinct but coordinated brute-force campaigns aimed at exploiting these exposed instances. The first campaign utilized approximately 300 unique IP addresses—most of which have been previously flagged for malicious behavior. The second involved around 250 IP addresses. Both sets of IPs systematically attempted to access Tomcat Manager through automated brute-force methods, testing a wide range of credential combinations to breach system defenses.
"In total, about 400 unique IP addresses were implicated in this wave of attacks," GreyNoise noted. "Most of the activity was narrowly focused on Tomcat services, with a substantial number of requests originating from infrastructure hosted by DigitalOcean (ASN 14061)."
The attacks did not appear to exploit any known vulnerabilities, suggesting that attackers were instead relying on weak or default credentials and misconfigurations to gain access. Despite this, the scale and organization of the campaigns have raised concerns among cybersecurity professionals. GreyNoise emphasized that such broad and opportunistic behavior often serves as a precursor to more sophisticated attacks or exploitation efforts in the future.
While the ongoing campaign has not been linked to any specific vulnerabilities, it comes shortly after Apache issued a critical security update in March 2025 to patch a remote code execution (RCE) vulnerability—tracked as CVE-2025-24813—being actively exploited in the wild. Attackers leveraged proof-of-concept exploits published on GitHub just 30 hours after the vulnerability was disclosed and patched. In late 2024, Apache had also patched a pair of chained RCE vulnerabilities, CVE-2024-56337 and CVE-2024-50379, that further highlighted the ongoing risks associated with Tomcat deployments.
In light of the new brute-force campaigns, GreyNoise has urged organizations using Apache Tomcat to review their configurations and immediately secure any exposed Tomcat Manager interfaces. Recommendations include enforcing strong authentication policies, restricting external access, and monitoring server logs for abnormal login activity. Suspicious IPs should be blocked at the firewall or intrusion detection system level to reduce the risk of a breach.
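As an added example that is not part of the article or of GreyNoise's tooling, the following Python script applies the log-monitoring recommendation above: it parses Tomcat access-log lines in the default "common" pattern and flags source IPs that repeatedly receive 401 responses on /manager/ paths within a short window. The log lines are constructed for the example, and the threshold and window are assumptions to tune per environment.

```python
"""Flag brute-force attempts against Tomcat Manager in a Tomcat access log.
Assumes the default "common" AccessLogValve pattern: %h %l %u %t "%r" %s %b.
The sample log below is constructed for this example, not real traffic."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

SAMPLE_LOG = """\
203.0.113.10 - - [05/Jun/2025:10:00:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.10 - - [05/Jun/2025:10:00:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.10 - - [05/Jun/2025:10:00:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.10 - - [05/Jun/2025:10:00:04 +0000] "GET /manager/html HTTP/1.1" 401 2473
198.51.100.7 - - [05/Jun/2025:10:00:06 +0000] "GET /manager/text/list HTTP/1.1" 401 2473
198.51.100.7 - - [05/Jun/2025:10:00:07 +0000] "GET /manager/text/list HTTP/1.1" 401 2473
192.0.2.44 - admin [05/Jun/2025:10:01:00 +0000] "GET /manager/html HTTP/1.1" 200 11847
192.0.2.44 - - [05/Jun/2025:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 11156
"""

def parse_line(line):
    """Return the parsed fields as a dict, or None if the line does not match."""
    m = LOG_RE.match(line)
    return None if not m else {
        "ip": m["ip"], "path": m["path"], "status": int(m["status"]),
        "ts": datetime.strptime(m["ts"], TS_FMT)}

def manager_auth_failures(log_text):
    """Map source IP -> sorted timestamps of 401 responses on /manager/ paths."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"].startswith("/manager/") and rec["status"] == 401:
            failures[rec["ip"]].append(rec["ts"])
    return {ip: sorted(ts) for ip, ts in failures.items()}

def flag_bruteforce(log_text, threshold=4, window=timedelta(minutes=1)):
    """Return IPs with at least `threshold` Manager 401s inside any `window`."""
    flagged = set()
    for ip, times in manager_auth_failures(log_text).items():
        # Sliding window: compare each failure with the one `threshold-1` earlier.
        for i in range(threshold - 1, len(times)):
            if times[i] - times[i - threshold + 1] <= window:
                flagged.add(ip)
                break
    return flagged
```

Flagged IPs are candidates for the firewall or IDS blocklist the article mentions; successful logins (status 200) and non-Manager paths are deliberately ignored.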

© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543