
Has anyone actually confirmed real-world compromises from the supposed Apache Tomcat exploitation (CVE-2025-24813) going on? Breathless headlines seem to be quoting a single vague source, and this bug isn't exploitable in anywhere close to a default config. https://attackerkb.com/assessments/1a24556d-24fb-4017-be67-e4ab39c76566


@catc0n
"Exploited in the wild" is a phrase that's commonly used when "Exploit attempts have been seen in the wild" more accurately captures reality.

I have a hard time seeing that situation changing for many of the parties making such statements.

My shining example of this is the time that GreyNoise published a fake PoC once, and then had a follow-up proclaiming "See! We have proof that this vulnerability is being exploited in the wild!" (when their honeypots detected use of the fake PoC ITW)

@catc0n If by single source you mean Wallarm, that one is factually incorrect at multiple points so IMO it's best to dismiss as FUD:

https://infosec.place/notice/As2Q4VaBioZNySoR6m

@buherator thanks! We used your work heavily when investigating, so double thanks :)

@GossiTheDog @catc0n Thanks, I wasn't aware of the update! My analysis was published on 11th March, their screenshot is from 12th March, so this "proof" probably means that someone started to play with the PoC I included (before the Python script appeared on GH).

@buherator @GossiTheDog that’d track. I usually try to hold the salt in threat blogs, but since this almost certainly isn’t going to be a major attack vector, maybe I’ll sprinkle some sodium in this one 😂
