Attackers are actively exploiting Apache Tomcat servers by leveraging CVE-2025-24813, a newly disclosed vulnerability that, if successfully exploited, could enable remote code execution (RCE). GreyNoise has identified multiple IPs engaging in this activity across multiple regions. 

Fortunately, GreyNoise can confirm exploit traffic is currently limited to naive attackers utilizing PoC code.

We created a new CVE-2025-24813 tag to help defenders track this activity. 

Active Exploitation Detected

GreyNoise has observed four unique IPs attempting to exploit this vulnerability since March 17, 2025. Attackers are leveraging a partial PUT method to inject malicious payloads, potentially leading to arbitrary code execution on vulnerable systems. 

Exploitation is already underway, with attack attempts spanning multiple countries. Given Apache Tomcat’s widespread deployment, these early signs of activity suggest more exploitation is likely to follow. 

Geographic Distribution 

Targeted Regions

The majority of exploit attempts targeted systems in the United States, Japan, India, South Korea, and Mexico, with over 70% of sessions directed at U.S.-based systems.

Attack Origin

GreyNoise observed exploitation attempts as early as March 11, though this activity is not reflected in the GreyNoise Visualizer. 

Within the visualizer, we first observed exploit attempts from a Latvia-based IP on March 18, followed by separate attempts on March 19 from IPs traced to Italy, the United States, and China. Notably, the Latvia-based IP showed no further activity after March 18, and the two IPs traced to Latvia and Italy are linked to a known VPN service. 

Today, GreyNoise observed another exploit attempt from the U.S.-based IP. Neither the IP from China nor the one from the United States is spoofable.

Mitigations & Recommendations 

To protect against CVE-2025-24813, organizations running affected versions of Apache Tomcat should:

  • Apply the latest security patches immediately.
  • Monitor for unexpected PUT requests in web server logs. 
  • Deploy WAF rules to block malicious payloads. 
  • Use GreyNoise to track real-time exploitation activity and block malicious IPs. 

Organizations should immediately assess their Apache Tomcat deployments and apply patches to mitigate potential RCE risks. 
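
As an added example (not GreyNoise's code), the log-monitoring recommendation above could be implemented along these lines: the script parses access-log lines in common/combined format and reports PUT requests outside an allowlist, grouped by source IP. The sample log lines, the `/api/` allowlist and the function name are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache/Tomcat "common"/"combined" access-log prefix:
# host ident user [time] "METHOD path PROTO" status bytes
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (documentation-range IPs, made-up paths).
SAMPLE_LOG = """\
203.0.113.10 - - [19/Mar/2025:10:01:02 +0000] "GET /index.jsp HTTP/1.1" 200 1024
203.0.113.10 - - [19/Mar/2025:10:01:05 +0000] "PUT /upload-test/a.txt HTTP/1.1" 201 -
198.51.100.7 - - [19/Mar/2025:10:02:11 +0000] "PUT /probe/b.txt HTTP/1.1" 403 -
198.51.100.7 - - [19/Mar/2025:10:02:12 +0000] "PUT /probe/c.txt HTTP/1.1" 405 -
192.0.2.44 - admin [19/Mar/2025:10:03:00 +0000] "PUT /api/items/7 HTTP/1.1" 204 -
malformed line that should be skipped
"""

# Hypothetical allowlist: path prefixes where PUT is expected in this deployment.
EXPECTED_PUT_PREFIXES = ("/api/",)


def find_unexpected_puts(log_text, allowed_prefixes=EXPECTED_PUT_PREFIXES):
    """Return {ip: [(timestamp, path, status, accepted), ...]} for PUTs outside the allowlist."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "PUT":
            continue  # skip malformed lines and non-PUT requests
        if m["path"].startswith(allowed_prefixes):
            continue  # PUT is expected on these paths
        status = int(m["status"])
        # A 2xx answer means the server accepted the write; triage those first.
        hits[m["ip"]].append((m["ts"], m["path"], status, 200 <= status < 300))
    return dict(hits)


if __name__ == "__main__":
    for ip, events in find_unexpected_puts(SAMPLE_LOG).items():
        for ts, path, status, accepted in events:
            flag = "ACCEPTED" if accepted else "rejected"
            print(f"{ip} {ts} PUT {path} -> {status} ({flag})")
```

Access logs in this format do not record request headers, so the script flags PUT requests by method and path only.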

GreyNoise is actively tracking this activity in real time — defenders can access our latest intelligence to block malicious IPs.

— — —

Stone is Head of Content at GreyNoise Intelligence, where he leads strategic content initiatives that illuminate the complexities of internet noise and threat intelligence. In past roles, he led partnered research initiatives with Google and the U.S. Department of Homeland Security. With a background in finance, technology, and engagement with the United Nations on global topics, Stone brings a multidimensional perspective to cybersecurity. He is also affiliated with the Council on Foreign Relations.

This article is a summary of the full, in-depth version on the GreyNoise Labs blog.