🚨Active Exploitation Alert: Critical Apache Tomcat RCE (CVE-2025-24813). Majority of traffic targeting U.S.-based systems. Exploits limited to naive attackers using PoC code. Full analysis & attacker IPs: https://greynoise.io/blog/active-exploitation-critical-apache-tomcat-rce-vulnerability-cve-2025-24813
#ApacheTomcat #Apache #GreyNoise #Vulnerability #CVE202524813
@greynoise Not to be pedantic, but the title says "Active Exploitation" and the article says "GreyNoise has observed four unique IPs attempting to exploit this vulnerability since March 17, 2025." Do we know yet if any of it is successful exploitation, or possibly still just PoCs getting chucked around?
@buherator @greynoise Absolutely. I get that the GreyNoise scanners themselves may not be able to detect whether the traffic they are seeing is successful. I was hoping to find out if they knew of successful exploitation since I haven't heard of any besides that one blog.
@buherator @cR0w @greynoise And could you emphasize the fact that by default this vulnerability is not active?
The default servlet configuration must be changed to write-enabled.
This information is nowhere to be seen on your blog post, and yet it is the first thing to check and an easy remediation.