Apache Tomcat Under Attack: Massive Brute-Force Campaign Targets Manager Interfaces

A significant surge in brute-force attacks is targeting Apache Tomcat Manager interfaces, according to a new report from GreyNoise. On June 5, 2025, analysts observed a large-scale campaign where attackers attempted to guess login credentials, clearly aiming to compromise publicly exposed Tomcat services.

On that single day, 295 unique malicious IP addresses were detected engaging in brute-force attacks against Tomcat Manager. In the following 24 hours, another 188 unique malicious IPs were active. These attacks primarily originated from the United States, United Kingdom, Germany, the Netherlands, and Singapore.

Simultaneously, 298 unique IP addresses (246 active within 24 hours) attempted logins to Tomcat Manager control panels, showing a similar geographical distribution. Additional targeted countries in this attack wave included Spain, India, and Brazil. A large portion of the malicious traffic was traced back to infrastructure hosted by DigitalOcean.

While these attacks aren’t tied to a specific software vulnerability, they highlight a persistent interest in unprotected Tomcat access. This widespread, opportunistic activity often signals the early stages of more coordinated and targeted exploitation campaigns in the future.

GreyNoise urges administrators of publicly exposed Tomcat Manager instances to take immediate action: enforce strong authentication, strengthen access controls, and vigilantly monitor for any suspicious activity.

Related Posts:

• Google Account Flaw Exposed Phone Numbers: Brute-Force Attack Possible, Now Patched
• Data at Risk: Three-Quarters of Top Websites Leave Users Exposed to Cyberattacks
• Tomcat Flaw CVE-2025-24813 Exploited in the Wild, PoC Released
• CVE-2025-24813 Flaw in Apache Tomcat Exposes Servers to RCE, Data Leaks: Update Immediately
• CISA Flags Apache Tomcat CVE-2025-24813 as Actively Exploited with 9.8 CVSS