Sunday, March 23, 2025

Hackers Actively Exploit Apache Tomcat Servers via CVE-2025-24813 – Patch Now


Apache Tomcat servers are being actively exploited through the recently disclosed vulnerability CVE-2025-24813.

Successful exploitation of this flaw can lead to remote code execution (RCE) on the affected server.

The cybersecurity firm GreyNoise has identified multiple IP addresses launching these attacks against targets in several regions, which makes it urgent for organizations to update their Tomcat deployments immediately.

CVE-2025-24813: A Growing Threat

Because CVE-2025-24813 can enable remote code execution, it poses a significant risk to any system running a vulnerable Apache Tomcat release.

The good news is that the exploitation observed so far appears limited to unsophisticated attackers reusing publicly available proof-of-concept (PoC) code.

However, this could be a precursor to more sophisticated attacks as knowledge of the vulnerability spreads.

GreyNoise has created a specific CVE-2025-24813 tag to help defenders track and respond to these malicious activities efficiently.

Since March 17, 2025, GreyNoise has detected four unique IP addresses attempting to exploit this vulnerability.

The attackers are sending partial HTTP PUT requests (PUT requests carrying a Content-Range header) to place malicious payloads on the server, which on a vulnerable configuration can lead to arbitrary code execution. The geographic distribution of these attempts shows a diverse range of targets:

  • Geographic Distribution: Most exploit attempts have been directed at systems in the United States, Japan, India, South Korea, and Mexico, with over 70% of sessions aimed at U.S.-based systems.
  • Attack Origin: The earliest exploitation attempts were observed on March 11, but significant activity began from a Latvia-based IP on March 18. Subsequent attempts were traced to Italy, the United States, and China. Notably, two of these IPs are linked to a known VPN service, suggesting an attempt to evade attribution.

Mitigations & Recommendations

Given the seriousness of CVE-2025-24813 and the ongoing exploitation, organizations must take immediate action to secure their systems:

  1. Apply Patches: Upgrade to a Tomcat release that contains the fix (Apache fixed the issue in 9.0.99, 10.1.35, and 11.0.3). If an upgrade must wait, confirm that the DefaultServlet's readonly init-param is not set to false in web.xml: Tomcat ships read-only by default, and the partial PUT write used in these attacks requires write access to have been enabled.
  2. Monitor Web Server Logs: Regularly review access logs for unexpected PUT requests. Tomcat's AccessLogValve does not record request headers by default; adding %{Content-Range}i to the log pattern makes partial PUTs stand out from ordinary uploads.
  3. Deploy WAF Rules: Configure Web Application Firewall (WAF) rules to block PUT requests to paths that are not meant to accept uploads.
  4. Use GreyNoise Intelligence: Use GreyNoise's real-time tracking to identify and block the IPs observed attempting exploitation.
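The log-monitoring and patch-level checks above can be scripted. The following is an added example, not code from this article or from GreyNoise: it scans Tomcat access-log lines for PUT requests outside an allowlist, flags the partial ones (those that logged a Content-Range request header), summarizes them per source IP, and compares a Tomcat version string against the fixed releases. It assumes the access log uses the AccessLogValve "common" pattern, optionally followed by a quoted %{Content-Range}i field; the log lines and IP addresses are constructed for the example.

```python
"""
Added example (not code from the GBhackers article or from GreyNoise):
two checks a defender can run in response to CVE-2025-24813.

1. Scan Tomcat access-log lines for PUT requests outside an allowlist and
   flag the partial PUTs (requests that carried a Content-Range header),
   the method used in the exploitation attempts described above.
2. Compare a Tomcat version string with the releases that contain the fix.

Assumptions: the access log uses Tomcat's AccessLogValve "common" pattern
(%h %l %u %t "%r" %s %b), optionally extended with a trailing quoted
"%{Content-Range}i" field. The sample log lines below are constructed.
"""
import re
from collections import defaultdict

# Common pattern plus an optional trailing quoted Content-Range field.
# When that field is configured but the header is absent, Tomcat logs "-".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<content_range>[^"]*)")?$'
)

# Releases in which Apache fixed CVE-2025-24813, keyed by major version.
FIXED_RELEASES = {9: (9, 0, 99), 10: (10, 1, 35), 11: (11, 0, 3)}

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.10 - - [18/Mar/2025:10:01:02 +0000] "GET /index.jsp HTTP/1.1" 200 1043 "-"',
    '203.0.113.10 - - [18/Mar/2025:10:01:05 +0000] "PUT /upload/report.txt HTTP/1.1" 201 0 "bytes 0-1023/2048"',
    '198.51.100.7 - - [18/Mar/2025:10:02:11 +0000] "PUT /api/docs/1 HTTP/1.1" 204 0 "-"',
    '203.0.113.10 - - [18/Mar/2025:10:01:09 +0000] "GET /upload/report.txt HTTP/1.1" 404 -',
    '192.0.2.44 - - [18/Mar/2025:11:30:00 +0000] "PUT /x HTTP/1.1" 409 0 "bytes 0-99/100"',
    '198.51.100.7 - - [18/Mar/2025:11:31:40 +0000] "PUT /backup.bin HTTP/1.1" 201 0',
]


def parse_line(line):
    """Parse one access-log line; returns a dict, or None if the format differs."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_unexpected_puts(lines, allowed_put_prefixes=()):
    """Return PUT requests whose path is not under an allowlisted prefix.

    Each result carries a 'partial' flag: True when a Content-Range request
    header was logged, i.e. the request was a partial PUT.
    """
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None or entry["method"] != "PUT":
            continue
        if any(entry["path"].startswith(p) for p in allowed_put_prefixes):
            continue
        content_range = entry.get("content_range") or ""
        entry["partial"] = content_range.startswith("bytes ")
        hits.append(entry)
    return hits


def summarize_by_ip(hits):
    """Count PUTs and partial PUTs per source IP, with the paths touched."""
    summary = defaultdict(lambda: {"put": 0, "partial": 0, "paths": set()})
    for entry in hits:
        s = summary[entry["ip"]]
        s["put"] += 1
        s["partial"] += int(entry["partial"])
        s["paths"].add(entry["path"])
    return dict(summary)


def is_patched(version):
    """True if a string such as 'Apache Tomcat/9.0.98' is at or above the
    fixed release for its branch. Branches with no listed fix (for example
    the end-of-life 8.5.x line) are conservatively treated as unpatched."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version)
    if m is None:
        raise ValueError(f"no version number in {version!r}")
    ver = tuple(int(x) for x in m.groups())
    fixed = FIXED_RELEASES.get(ver[0])
    return fixed is not None and ver >= fixed


if __name__ == "__main__":
    hits = find_unexpected_puts(SAMPLE_LOG, allowed_put_prefixes=("/api/docs/",))
    for ip, s in summarize_by_ip(hits).items():
        print(f"{ip}: {s['put']} PUT(s), {s['partial']} partial, paths={sorted(s['paths'])}")
    for v in ("Apache Tomcat/9.0.98", "Apache Tomcat/9.0.99", "10.1.35", "11.0.2"):
        print(v, "patched" if is_patched(v) else "VULNERABLE - upgrade")
```

On a real server, feed the script your localhost_access_log files and pass the prefixes of any endpoints that legitimately accept PUT; a partial PUT from an unfamiliar IP to a path that does not accept uploads is the signal worth triaging. The version string can be taken from the output of Tomcat's own org.apache.catalina.util.ServerInfo class (java -cp lib/catalina.jar org.apache.catalina.util.ServerInfo).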

Organizations should urgently inventory their Apache Tomcat deployments, identify any running a vulnerable release, and apply the patches to mitigate the risk from CVE-2025-24813.


Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
