Jun 10, 2025 • GreyNoise Blog
Coordinated Brute Force Activity Targeting Apache Tomcat Manager Indicates Possible Upcoming Threats
Executive Summary
GreyNoise has identified a significant surge in coordinated brute force activity targeting Apache Tomcat Manager interfaces globally. Observed on June 5, 2025, this campaign involves elevated volumes of login attempts aimed at compromising exposed management services. While no specific threat actor or malware family has been attributed yet, the scale suggests an organized effort to gain initial access for potential downstream exploitation. Organizations running Apache Tomcat should immediately audit exposed Manager interfaces, enforce strong authentication mechanisms, and implement network segmentation to restrict access. Monitoring for anomalous successful logins is critical. This activity represents a precursor to potential ransomware or data exfiltration operations. Immediate mitigation involves disabling unnecessary Manager instances and applying multi-factor authentication so that credential stuffing attempts do not succeed. Security teams should treat this spike as an active threat campaign requiring heightened vigilance.
Summary
GreyNoise recently observed a coordinated spike in malicious activity against Apache Tomcat Manager interfaces. On June 5, 2025, two GreyNoise tags — Tomcat Manager Brute Force Attempt and Tomcat Manager Login Attempt — registered well above baseline volumes, indicating a deliberate attempt to identify and access exposed Tomcat services at scale.
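One way to monitor for the pattern described above, as an added example that is not GreyNoise's or the Tomcat project's code: it counts failed (401) requests to Manager paths per source IP and flags any successful login that follows a burst of failures. It assumes Tomcat's `common` access log pattern; the threshold, the function name `analyze` and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"\S+ (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)
MANAGER_PREFIXES = ("/manager/", "/host-manager/")
FAIL_THRESHOLD = 5  # assumed tuning value, not from the article

# Constructed sample lines (documentation-range IPs), not real traffic.
SAMPLE_LOG = [
    f'203.0.113.10 - - [05/Jun/2025:10:00:0{i} +0000] "GET /manager/html HTTP/1.1" 401 2473'
    for i in range(6)
] + [
    '203.0.113.10 - admin [05/Jun/2025:10:00:07 +0000] "GET /manager/html HTTP/1.1" 200 18211',
    '198.51.100.7 - - [05/Jun/2025:10:05:00 +0000] "GET /manager/html HTTP/1.1" 401 2473',
    '198.51.100.7 - ops [05/Jun/2025:10:05:02 +0000] "GET /manager/html HTTP/1.1" 200 18211',
    '198.51.100.7 - - [05/Jun/2025:10:06:00 +0000] "GET /index.jsp HTTP/1.1" 200 1120',
]


def analyze(lines, fail_threshold=FAIL_THRESHOLD):
    """Return ({ip: failed_count} for IPs at or above the threshold,
    [(ip, user, timestamp)] for 200s on a Manager path that followed
    at least `fail_threshold` 401s from the same IP)."""
    failures = defaultdict(int)
    logins_after_failures = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or not m["path"].startswith(MANAGER_PREFIXES):
            continue  # unparsable line or not a Manager request
        ip, status = m["ip"], m["status"]
        if status == "401":
            failures[ip] += 1
        elif status == "200" and failures[ip] >= fail_threshold:
            logins_after_failures.append((ip, m["user"], m["ts"]))
    noisy = {ip: n for ip, n in failures.items() if n >= fail_threshold}
    return noisy, logins_after_failures


if __name__ == "__main__":
    noisy, logins = analyze(SAMPLE_LOG)
    print("Sources over threshold:", noisy)
    print("Successful logins after failures:", logins)
```

A single 401 followed by a 200, as from 198.51.100.7 in the sample, is the normal Basic authentication challenge and stays below the threshold.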