A widespread and coordinated cyber campaign is actively targeting Apache Tomcat Manager interfaces exposed to the internet, according to threat intelligence company GreyNoise. The campaign, first observed on June 5, involves brute-force login attempts originating from hundreds of unique IP addresses.
Apache Tomcat is a widely used open-source web server platform, popular among enterprises and SaaS providers for hosting and managing Java-based web applications. Its accompanying Tomcat Manager is a web-based administration console designed for deploying and managing these applications. While Tomcat Manager is configured by default to restrict access to localhost (127.0.0.1) and lacks preset credentials, misconfigured or intentionally exposed interfaces are proving to be a valuable target for attackers.
GreyNoise analysts have tracked two separate yet coordinated campaigns. The first wave involved nearly 300 unique IP addresses, most of which were tagged as malicious, targeting exposed Tomcat Manager interfaces. A second, parallel campaign saw 250 additional IPs engage in brute-force attacks.
“Roughly 400 unique IPs were involved in the activity observed across both tags during this period of elevated activity,” GreyNoise said in its report. “Most of the activity originating from these IPs exhibited a narrow focus on Tomcat services. A significant portion of this activity originated from infrastructure hosted by DigitalOcean (ASN 14061).”
“While not tied to a specific vulnerability, this behavior highlights ongoing interest in exposed Tomcat services. Broad, opportunistic activity like this often serves as an early warning of future exploitation,” the company added.
Organizations running vulnerable Tomcat Manager interfaces should ensure that strong authentication mechanisms and strict access controls are implemented. It's also recommended to regularly review login activity for any signs of suspicious or unauthorized access.
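One way to carry out that login review, as an added example that is not from GreyNoise or the Apache Tomcat project: the script below scans access-log lines in Tomcat's "common" AccessLogValve pattern and reports source IPs with repeated HTTP 401 responses on Manager paths, flagging any that later received a 2xx response. The function name, the threshold and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)
# Paths served by the Manager and Host Manager web applications.
MANAGER_PREFIXES = ("/manager/", "/host-manager/")

def review_manager_logins(lines, threshold=5):
    """Summarise failed Manager logins per source IP (hypothetical helper).

    An IP is reported once it has at least `threshold` 401 responses on a
    Manager path. A browser's first unauthenticated request also yields one
    401, so a threshold above 1 avoids flagging ordinary admin logins.
    """
    failed = defaultdict(int)
    success_after = defaultdict(bool)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or not m["path"].startswith(MANAGER_PREFIXES):
            continue
        ip, status = m["ip"], m["status"]
        if status == "401":
            failed[ip] += 1
        elif status.startswith("2") and failed[ip] >= threshold:
            # A 2xx after many failures may mean a guessed password.
            success_after[ip] = True
    return {ip: {"failed": n, "success_after_failures": success_after[ip]}
            for ip, n in failed.items() if n >= threshold}

# Constructed sample log lines (documentation IP ranges, made-up timestamps).
_T = '[01/Jan/2024:10:00:%02d +0000] "GET %s HTTP/1.1" %s'
SAMPLE_LOG = (
    ["203.0.113.10 - - " + _T % (i, "/manager/html", "401 2499")
     for i in range(6)]
    + ["203.0.113.10 - tomcat " + _T % (7, "/manager/html", "200 15234"),
       "198.51.100.7 - - " + _T % (8, "/manager/html", "401 2499"),
       "198.51.100.7 - admin " + _T % (9, "/manager/html", "200 15234"),
       "192.0.2.44 - - " + _T % (10, "/index.jsp", "200 1024")]
)

if __name__ == "__main__":
    for ip, info in review_manager_logins(SAMPLE_LOG).items():
        print(ip, info)
```

An IP reported with `success_after_failures` set deserves priority: it points to a possible credential compromise rather than just noise.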