Conversation
Edited 13 days ago

🚨Active Exploitation Alert: Critical Apache Tomcat RCE (CVE-2025-24813). Majority of traffic targeting U.S.-based systems. Exploits limited to naive attackers using PoC code. Full analysis & attacker IPs: https://greynoise.io/blog/active-exploitation-critical-apache-tomcat-rce-vulnerability-cve-2025-24813


@greynoise Not to be pedantic, but the title says "Active Exploitation" and the article says "GreyNoise has observed four unique IPs attempting to exploit this vulnerability since March 17, 2025." Do we know yet if any of it is successful exploitation, or possibly still just PoCs getting chucked around?

@cR0w @greynoise "GreyNoise observed exploitation attempts as early as March 11" -> Please note that a PoC was publicly available since that day:

https://scrapco.de/blog/analysis-of-cve-2025-24813-apache-tomcat-path-equivalence-rce.html

Also note that even with HTTP response data it's not straightforward to conclude that:
- file based session management was configured
- there were useful gadget chains available

@buherator @greynoise Absolutely. I get that the GreyNoise scanners themselves may not be able to detect whether the traffic they are seeing is successful, I was hoping to find out if they knew of successful exploitation since I haven't heard of any besides that one blog.


@buherator @cR0w @greynoise And could you emphasize the fact that by default this vulnerability is not active?
The default servlet configuration must be changed to write-enabled.
This information is nowhere to be seen in your blog post, and yet it is the first thing to check and an easy remediation.

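The two preconditions raised in the replies above (DefaultServlet with readonly=false, and file-based session persistence) can be checked straight from a Tomcat instance's conf/web.xml and context.xml. This is example code added to this thread, not GreyNoise's or the Tomcat project's own; the function names are mine and the XML samples are constructed to mirror the stock default servlet block.

```python
"""Check a Tomcat config for the two preconditions raised in this thread:
DefaultServlet with readonly=false (needed for the PUT) and file-based
session persistence (needed to reach the session deserialisation sink).
Example code added to this thread, not GreyNoise's or Tomcat's own; the
function names are mine and the XML samples are constructed."""
import xml.etree.ElementTree as ET

DEFAULT_SERVLET_CLASS = "org.apache.catalina.servlets.DefaultServlet"
FILE_STORE_CLASS = "org.apache.catalina.session.FileStore"


def _local(tag):
    # web.xml declares a default namespace; compare on the local name only.
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""


def default_servlet_writable(web_xml):
    """True if a DefaultServlet declaration sets init-param readonly=false.

    The parameter defaults to true when absent, so an untouched conf/web.xml
    rejects PUT/DELETE and this returns False."""
    root = ET.fromstring(web_xml)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        if _child_text(servlet, "servlet-class") != DEFAULT_SERVLET_CLASS:
            continue
        for param in servlet:
            if _local(param.tag) != "init-param":
                continue
            name = _child_text(param, "param-name")
            # Tomcat reads this with Boolean.parseBoolean, which is case-insensitive.
            value = _child_text(param, "param-value").lower()
            if name == "readonly" and value == "false":
                return True
    return False


def file_store_sessions(context_xml):
    """True if a <Store> in context.xml is a FileStore (file-based sessions)."""
    root = ET.fromstring(context_xml)
    return any(
        _local(el.tag) == "Store" and el.get("className") == FILE_STORE_CLASS
        for el in root.iter()
    )


def precondition_report(web_xml, context_xml):
    """Which parts of the attack chain the configuration makes reachable."""
    writable = default_servlet_writable(web_xml)
    file_store = file_store_sessions(context_xml)
    return {
        "readonly_false": writable,
        "file_store_sessions": file_store,
        "partial_put_reachable": writable,
        "session_deser_reachable": writable and file_store,
    }


# Constructed samples. SAFE_WEB_XML mirrors the stock default servlet block
# (no readonly param, so read-only); WRITABLE_WEB_XML adds readonly=false.
SAFE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <init-param><param-name>listings</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""

WRITABLE_WEB_XML = SAFE_WEB_XML.replace(
    "  </servlet>",
    "    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>\n"
    "  </servlet>",
)

DEFAULT_CONTEXT_XML = """<Context>
  <WatchedResource>WEB-INF/web.xml</WatchedResource>
</Context>"""

FILESTORE_CONTEXT_XML = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore" directory="sessions"/>
  </Manager>
</Context>"""

if __name__ == "__main__":
    for label, web, ctx in [
        ("stock", SAFE_WEB_XML, DEFAULT_CONTEXT_XML),
        ("readonly=false only", WRITABLE_WEB_XML, DEFAULT_CONTEXT_XML),
        ("readonly=false + FileStore", WRITABLE_WEB_XML, FILESTORE_CONTEXT_XML),
    ]:
        print(label, precondition_report(web, ctx))
```

Point it at the real files (`open("conf/web.xml").read()` and the webapp's `META-INF/context.xml` or `conf/context.xml`) for a quick triage; a False on `readonly_false` means the PUT step is rejected regardless of what the scanners send.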
@nbourdais @cR0w @greynoise It'd actually be interesting to see the distribution of HTTP response codes if that data is collected, because it is a straightforward signal for one of the requirements (read-only=false).
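The response-code signal from the last reply, applied to your own Tomcat access log rather than GreyNoise's sensor data: group the status codes each client got on PUT and derive a per-host verdict. This is example code added to this thread, not GreyNoise's tooling; the log lines are constructed and their request paths are placeholders, not the exploit's request shape. The 403-vs-405 split is my assumption about which codes DefaultServlet returns for PUT on a read-only context across Tomcat releases; both are treated as "write rejected".

```python
"""Summarise which scanning hosts had their PUT probes accepted, using only
the status code recorded in a Tomcat access log (AccessLogValve "common"
pattern). Example code added to this thread, not GreyNoise's tooling. The
log lines below are constructed; the paths are placeholders."""
import re
from collections import Counter, defaultdict

# Common log format: ip ident user [timestamp] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<size>\S+)'
)

# Assumption: DefaultServlet answers PUT with 405 on a read-only context in
# current Tomcat and 403 in older releases. Either way the write was refused.
WRITE_REJECTED = {403, 405}
# A 2xx on PUT means the servlet actually stored the body: readonly=false.
WRITE_ACCEPTED = {200, 201, 204}

VERDICT_WRITABLE = "PUT accepted: readonly=false in effect"
VERDICT_READONLY = "PUT rejected: DefaultServlet is read-only (the default)"
VERDICT_UNCLEAR = "PUT seen but status inconclusive"
VERDICT_NO_PUT = "no PUT observed"


def parse_line(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def status_distribution(lines):
    """Map (client ip, method) -> Counter of status codes."""
    dist = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec:
            dist[(rec["ip"], rec["method"])][rec["status"]] += 1
    return dist


def classify_hosts(lines):
    """One verdict per client ip, based only on the statuses its PUTs got."""
    dist = status_distribution(lines)
    verdicts = {}
    for ip in sorted({ip for ip, _ in dist}):
        puts = dist.get((ip, "PUT"), Counter())
        if not puts:
            verdicts[ip] = VERDICT_NO_PUT
        elif any(s in WRITE_ACCEPTED for s in puts):
            verdicts[ip] = VERDICT_WRITABLE
        elif all(s in WRITE_REJECTED for s in puts):
            verdicts[ip] = VERDICT_READONLY
        else:
            verdicts[ip] = VERDICT_UNCLEAR
    return verdicts


# Constructed sample log: a rejected probe, an accepted one, an inconclusive
# one, a host that only issued GETs, and one malformed line to be skipped.
SAMPLE_LOG = """\
203.0.113.7 - - [17/Mar/2025:10:15:32 +0000] "PUT /probe.txt HTTP/1.1" 405 0
203.0.113.7 - - [17/Mar/2025:10:15:33 +0000] "GET /probe HTTP/1.1" 404 0
198.51.100.9 - - [17/Mar/2025:11:02:10 +0000] "PUT /probe.txt HTTP/1.1" 201 0
198.51.100.9 - - [17/Mar/2025:11:02:11 +0000] "GET /probe HTTP/1.1" 200 38
198.51.100.23 - - [17/Mar/2025:11:40:01 +0000] "PUT /probe.txt HTTP/1.1" 500 1423
192.0.2.44 - - [17/Mar/2025:12:00:00 +0000] "GET /index.html HTTP/1.1" 200 512
this line is not in common log format
"""

if __name__ == "__main__":
    for ip, verdict in classify_hosts(SAMPLE_LOG.splitlines()).items():
        print(f"{ip:16} {verdict}")
```

Run it as `python3 this.py < /dev/null` on the sample, or swap `SAMPLE_LOG.splitlines()` for `open("logs/localhost_access_log.txt")` to get the same table for a real host. Hosts under VERDICT_WRITABLE deserve a look at the config check above; the others were stopped at the readonly gate whatever payload they carried.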