GreyNoise recently observed a coordinated spike in malicious activity against Apache Tomcat Manager interfaces. On June 5, 2025, two GreyNoise tags — Tomcat Manager Brute Force Attempt and Tomcat Manager Login Attempt — registered well above baseline volumes, indicating a deliberate attempt to identify and access exposed Tomcat services at scale. 

Summary of Observed Activity

Tomcat Manager Brute Force Attempt

  • 250 unique IPs observed 
  • Baseline range: 1-15 IPs
  • All classified as malicious 

Tomcat Manager Login Attempt

  • 298 unique IPs observed 
  • Baseline range: 10-40 IPs
  • 99.7% classified as malicious 

Summary of Observed Activity

Roughly 400 unique IPs were involved in the activity observed across both tags during this period of elevated activity. Most of the activity originating from these IPs exhibited a narrow focus on Tomcat services. 

A significant portion of this activity originated from infrastructure hosted by DigitalOcean (ASN 14061). 

Recommendations for Defenders

Immediately block the malicious IPs engaged in this activity.

While not tied to a specific vulnerability, this behavior highlights ongoing interest in exposed Tomcat services. Broad, opportunistic activity like this often serves as an early warning of future exploitation.  

Organizations with Tomcat Manager interfaces accessible over the internet should verify that strong authentication and access restrictions are in place. Reviewing recent login activity for anomalies is also advised. 
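One way to carry out the login review recommended above, as an added example that is not GreyNoise's own code: it scans Tomcat access-log lines for repeated failed Manager authentication per source IP and separates sources that later made an authenticated request. It assumes the AccessLogValve "common" pattern and the default /manager and /host-manager paths; the function names, the threshold of 5 and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"\S+ (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)
MANAGER_PREFIXES = ("/manager/", "/host-manager/")  # assumed default context paths

def review_manager_logins(lines, fail_threshold=5):
    """Flag source IPs with repeated failed Manager authentication."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "success_after": False})
    for line in lines:  # lines are assumed to be in chronological order
        m = LINE_RE.match(line.strip())
        if not m or not m["path"].startswith(MANAGER_PREFIXES):
            continue  # unparseable line or not a Manager request
        s = stats[m["ip"]]
        if m["status"] in ("401", "403"):
            s["failures"] += 1
        elif m["status"].startswith("2") and m["user"] != "-":
            s["users"].add(m["user"])
            # An authenticated request after many failures may be a guessed password
            if s["failures"] >= fail_threshold:
                s["success_after"] = True
    findings = {}
    for ip, s in stats.items():
        if s["failures"] >= fail_threshold:
            kind = "success_after_failures" if s["success_after"] else "brute_force"
            findings[ip] = {"kind": kind, "failures": s["failures"],
                            "users": sorted(s["users"])}
    return findings

def _line(ip, user, path, status):
    """Build one constructed access-log line (sample data, not real traffic)."""
    return f'{ip} - {user} [05/Jun/2025:10:00:00 +0000] "GET {path} HTTP/1.1" {status} 1024'

SAMPLE = (
    [_line("203.0.113.10", "-", "/manager/html", 401)] * 6      # repeated failures
    + [_line("198.51.100.7", "-", "/manager/html", 401)] * 5    # failures, then success
    + [_line("198.51.100.7", "admin", "/manager/html", 200)]
    + [_line("192.0.2.20", "-", "/manager/html", 401),          # normal auth challenge
       _line("192.0.2.20", "ops", "/manager/html", 200)]
    + [_line("192.0.2.30", "-", "/index.html", 200)]            # unrelated request
)

if __name__ == "__main__":
    for ip, finding in review_manager_logins(SAMPLE).items():
        print(ip, finding)
```

A single 401 followed by a 200 is the normal Basic authentication challenge and stays below the threshold; any `success_after_failures` finding is the one to investigate first.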

GreyNoise will continue monitoring for shifts in behavior or signs of follow-on exploitation.

GreyNoise is developing an enhanced dynamic IP blocklist to help defenders take faster action on emerging threats.

— — —

Stone is Head of Content at GreyNoise Intelligence, where he leads strategic content initiatives that illuminate the complexities of internet noise and threat intelligence. In past roles, he led partnered research initiatives with Google and the U.S. Department of Homeland Security. With a background in finance, technology, and engagement with the United Nations on global topics, Stone brings a multidimensional perspective to cybersecurity. He is also affiliated with the Council on Foreign Relations.

This article is a summary of the full, in-depth version on the GreyNoise Labs blog.