Conversation

Aqua published a blog post on the TTPs (including IOCs and samples) used by an apparently CN-adjacent TA attacking Tomcat servers. The post doesn't specifically say that the vulnerability exploited is CVE-2025-24813, but in their mitigations section they say:

"Ensure that all vulnerabilities are patched. Particularly internet facing applications such as Tomcat servers. Vulnerabilities such as CVE-2025-24813 that are new, critical and actively exploited should be prioritized."

https://www.aquasec.com/blog/new-campaign-against-apache-tomcat/

@cR0w As I understand it, this is just password guessing, no? The CVE seems shoehorned in as a buzzword...

@buherator Ugh, I think you're right. I originally read it as exploiting Tomcat and using password guessing for lateral movement. The reference to the 30 hours and "newly discovered malware" led me to think the malware was exploiting the CVE, but rereading it, I don't think it is. Thanks for pointing it out.

If nothing else though, the blog does seem good for hunting post-exploitation.

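Since the thread's conclusion is that the campaign comes down to password guessing against Tomcat rather than exploitation of CVE-2025-24813, the following is an added example of a hunt for that initial access step over Tomcat access logs. It is not code from the Aqua post or from either poster. It assumes Tomcat's default AccessLogValve "common" pattern, treats requests under /manager and /host-manager as authentication attempts, and uses a constructed sample log (the IPs, timestamps, threshold and window are illustrative). It flags a source that racks up repeated 401s in a short window and, more importantly for post-exploitation hunting, a successful (200) manager request from that same source after the threshold was crossed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Tomcat AccessLogValve pattern="common":
#   %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log for this example (not from the Aqua post).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2025:10:15:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.7 - - [12/Mar/2025:10:15:04 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.7 - - [12/Mar/2025:10:15:09 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.7 - - [12/Mar/2025:10:15:13 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.7 - - [12/Mar/2025:10:15:18 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.7 - - [12/Mar/2025:10:15:25 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.7 - tomcat [12/Mar/2025:10:15:31 +0000] "GET /manager/html HTTP/1.1" 200 21342
198.51.100.2 - - [12/Mar/2025:10:20:44 +0000] "GET /manager/html HTTP/1.1" 401 2473
198.51.100.2 - - [12/Mar/2025:10:20:49 +0000] "GET /manager/html HTTP/1.1" 401 2473
192.0.2.9 - - [12/Mar/2025:10:21:00 +0000] "GET /index.html HTTP/1.1" 200 11156
this line is not in the expected format
"""


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def find_password_guessing(lines, threshold=5, window=timedelta(minutes=10),
                           prefixes=("/manager", "/host-manager")):
    """Return {ip: finding} for sources that hit `threshold` 401s on the
    manager apps within `window`. A finding records the total failures,
    when the threshold tripped, and whether a 200 on a manager path followed
    (i.e. a credential was guessed), including the authenticated user."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"].startswith(prefixes):
            by_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        recent = deque()          # 401 timestamps inside the sliding window
        tripped_at = None
        success_at = None
        success_user = None
        for r in recs:
            if r["status"] == 401:
                recent.append(r["ts"])
                while recent and r["ts"] - recent[0] > window:
                    recent.popleft()
                if tripped_at is None and len(recent) >= threshold:
                    tripped_at = r["ts"]
            elif r["status"] == 200 and tripped_at is not None and success_at is None:
                success_at = r["ts"]      # first success after guessing: hunt from here
                success_user = r["user"]
        if tripped_at is not None:
            findings[ip] = {
                "failures": sum(1 for r in recs if r["status"] == 401),
                "tripped_at": tripped_at,
                "success_at": success_at,
                "success_user": success_user,
            }
    return findings


if __name__ == "__main__":
    for ip, f in find_password_guessing(SAMPLE_LOG.splitlines()).items():
        print(ip, f["failures"], "failures; tripped", f["tripped_at"].isoformat(),
              "; success:", f["success_at"] and f["success_at"].isoformat(), f["success_user"])
```

A source that trips the threshold but never gets a 200 is noise worth rate-limiting; a source that trips it and then authenticates is where to start the post-exploitation hunt (what that user did in the manager app afterwards, what got deployed). Tomcat only fills in %u once a request authenticates, so the user field on the first 200 tells you which account was guessed.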