Conversation
GreyNoise
greynoise@infosec.exchange
Edited 1 month ago
🚨Active Exploitation Alert: Critical Apache Tomcat RCE (CVE-2025-24813). Majority of traffic targeting U.S.-based systems. Exploits limited to naive attackers using PoC code. Full analysis & attacker IPs: https://greynoise.io/blog/active-exploitation-critical-apache-tomcat-rce-vulnerability-cve-2025-24813
#ApacheTomcat #Apache #GreyNoise #Vulnerability #CVE202524813
0
2
0
@cR0w @greynoise "GreyNoise observed exploitation attempts as early as March 11" -> Please note that PoC was publicly available since that way:
https://scrapco.de/blog/analysis-of-cve-2025-24813-apache-tomcat-path-equivalence-rce.html
Also note that even with HTTP response data it's not straightforward to conclude that:
- file based session management was configured
- there were useful gadget chains available
https://scrapco.de/blog/analysis-of-cve-2025-24813-apache-tomcat-path-equivalence-rce.html
Also note that even with HTTP response data it's not straightforward to conclude that:
- file based session management was configured
- there were useful gadget chains available
1
1
2
@buherator @cR0w @greynoise And could you emphasize the fact that by default these vulnerability is not active?
The default servlet configuration must be change to write enabled.
This information is nowhere to be seen on your blog post and yet the first thing to check and an easy remediation
1
0
0
buherator
buherator
@nbourdais @cR0w @greynoise It'd be actually interesting to see the distribution of HTTP response codes if that data is collected, because it is a straightforward signal for one of the requirements (read-only=false).
0
0
1