CyberSecurity SEE

Hackers are actively exploiting Apache Tomcat servers through CVE-2025-24813 – Patch immediately

Attackers are actively exploiting CVE-2025-24813, a vulnerability in Apache Tomcat servers. Successful exploitation could allow remote code execution (RCE) on vulnerable systems.

GreyNoise, a cybersecurity firm, has identified multiple IPs involved in these attacks across various regions. This discovery underscores the critical need for organizations to update their systems promptly to protect against potential breaches.

CVE-2025-24813 poses a significant threat because it enables remote code execution on systems running Apache Tomcat. Current exploitation appears to be limited to less sophisticated attackers using publicly available proof-of-concept (PoC) code, but there is concern that more advanced attacks may follow as awareness of the vulnerability spreads.

In response, GreyNoise has introduced a specific tag for CVE-2025-24813 to help defenders monitor and address malicious activity. Since March 17, 2025, GreyNoise has detected four unique IPs attempting to exploit this vulnerability, primarily by injecting malicious payloads using a partial PUT method. The targets of these exploit attempts span the United States, Japan, India, South Korea, and Mexico, with a significant focus on U.S.-based systems.

The origins of these attacks have been traced back to various countries, with notable activity originating from Latvia, Italy, the United States, and China. Of particular concern is the involvement of two IPs associated with a known VPN service, suggesting potential evasion tactics employed by attackers.

To safeguard against CVE-2025-24813 and ongoing exploitation attempts, organizations are urged to take immediate action. Recommended measures include applying the latest security patches for Apache Tomcat, monitoring web server logs for suspicious activity, deploying Web Application Firewall (WAF) rules to block malicious payloads effectively, and leveraging GreyNoise Intelligence for real-time identification and blocking of malicious IPs.
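For the log-monitoring step, the following is an added example (not code from GreyNoise or the Apache Tomcat project) that flags PUT requests carrying a Content-Range header, which is what makes a PUT "partial". It assumes the Tomcat AccessLogValve pattern has been extended to `%h %l %u %t "%r" %s %b "%{Content-Range}i"` so the header is logged; the function names and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed AccessLogValve pattern (an assumption, not from the article):
#   %h %l %u %t "%r" %s %b "%{Content-Range}i"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<crange>[^"]*)"$'
)

# Constructed sample lines; addresses come from documentation ranges.
SAMPLE_LOG = """\
198.51.100.7 - - [18/Mar/2025:10:02:11 +0000] "GET /index.jsp HTTP/1.1" 200 5120 "-"
203.0.113.45 - - [18/Mar/2025:10:02:15 +0000] "PUT /uploads/a.txt HTTP/1.1" 201 - "bytes 0-99/200"
198.51.100.7 - - [18/Mar/2025:10:03:02 +0000] "PUT /api/items/3 HTTP/1.1" 204 - "-"
203.0.113.45 - - [18/Mar/2025:10:03:40 +0000] "PUT /uploads/b.txt HTTP/1.1" 409 - "bytes 0-9/50"
not an access log line
"""

def find_partial_puts(log_text):
    """Return (hits, unparsed): PUT requests that carried a Content-Range header."""
    hits, unparsed = [], []
    for line in log_text.splitlines():
        line = line.strip()
        m = LINE_RE.match(line)
        if not m:
            if line:
                unparsed.append(line)  # keep for review instead of dropping silently
            continue
        # An absent header is assumed to be logged as "-".
        if m["method"] == "PUT" and m["crange"] not in ("", "-"):
            hits.append(m.groupdict())
    return hits, unparsed

def summarize_by_source(hits):
    """Group hits by client IP; a 2xx status means the server accepted the write."""
    summary = defaultdict(lambda: {"accepted": [], "rejected": []})
    for h in hits:
        bucket = "accepted" if h["status"].startswith("2") else "rejected"
        summary[h["ip"]][bucket].append(h["path"])
    return dict(summary)

if __name__ == "__main__":
    hits, unparsed = find_partial_puts(SAMPLE_LOG)
    for ip, s in summarize_by_source(hits).items():
        print(ip, "accepted:", s["accepted"], "rejected:", s["rejected"])
    print("unparsed lines:", len(unparsed))
```

Ordinary full-body PUTs (the third sample line) are not flagged, and entries in the "accepted" bucket are the ones to triage first.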

It is crucial for organizations to assess their Apache Tomcat deployments promptly and implement necessary patches to mitigate the risks posed by CVE-2025-24813. By staying vigilant and proactive in addressing cybersecurity vulnerabilities, businesses can enhance their resilience against evolving threats in the digital landscape.
