A significant coordinated attack campaign has been recently targeting Apache Tomcat Manager interfaces with a high degree of precision. Threat actors leveraged approximately 400 unique IP addresses in a concentrated attack that peaked on the date of June 5th, 2025. The attack represents a substantial increase in malicious activity, with observed volumes reaching many times above all normal baseline levels. This indicates a sophisticated and deliberate attempt to compromise exposed Tomcat services at an unprecedented scale for unauthorized system access.
The coordinated attack campaign was first identified through GreyNoise’s threat intelligence monitoring systems, which detected two distinct attack vectors.
One vector used 250 unique IPs for brute force attempts, a staggering increase from the typical baseline of 1 to 15 IPs. A second vector recorded 298 unique IP addresses making login attempts, far exceeding the normal baseline range of 10 to 40 IPs. A significant portion of this malicious attack activity originated from infrastructure that was hosted by the cloud provider DigitalOcean.
The technical analysis of the cyberattack reveals sophisticated operational security practices that have been employed by all the threat actors. The attackers demonstrated a very narrow focus, specifically targeting only the Tomcat Manager interfaces, and avoided any broader scanning activities. This targeted approach suggests the attackers possessed prior intelligence about all their potential targets and designed their current campaign. They leveraged automated tools and scripts to coordinate the simultaneous brute force and login attempts across many hundreds of IP addresses.
Organizations running Apache Tomcat installations must immediately implement comprehensive defensive measures to protect against this ongoing threat campaign.
Security teams should prioritize blocking all of the identified malicious IP addresses involved in both the brute force and login attempt categories. Organizations must also verify that robust authentication mechanisms are protecting all their Tomcat Manager interfaces from any unauthorized access. These new attacks follow recent disclosures of other critical remote code execution vulnerabilities that have been actively exploited in the wild.
Reference:
