Dive Brief:
- Researchers from GreyNoise on Thursday reported active exploitation of CVE-2025-24813, a critical remote code execution vulnerability in Apache Tomcat web server software. The path equivalency flaw, which was first disclosed on March 10, affects several versions of the open source software, including 11.0.0-M1 to 11.0.2, 10.1.0-M1 to 10.1.34 and 9.0.0.M1 to 9.0.98.
- Exploitation activity was first reported by cybersecurity startup Wallarm on March 17 after a proof-of-concept exploit for "dead simple" attacks was published on a Chinese forum.
- Some security researchers and vendors noted that successful exploitation of the Apache Tomcat vulnerability requires specific, non-default configurations that appear to be uncommon.
Dive Insight:
GreyNoise said it observed four unique IP addresses attempting to exploit CVE-2025-24813, but noted that the malicious activity was currently stemming from "naive attackers" using a PoC exploit. "Attackers are leveraging a partial PUT method to inject malicious payloads, potentially leading to arbitrary code execution on vulnerable systems," Noah Stone, head of content at GreyNoise Intelligence, wrote.
Stone added that 70% of the activity was directed at U.S.-based Apache Tomcat instances, with attacks targeting servers in Japan, India, South Korea and Mexico. "Given Apache Tomcat's widespread deployment, these early signs of activity suggest more exploitation is likely to follow," Stone said.
Cloudflare also published a blog post on Thursday that detailed attack traffic targeting CVE-2025-24813. "Most of the observed attack payloads are vulnerability probes designed to help attackers determine whether the target server is vulnerable," the post said.
However, Cloudflare noted that achieving remote code execution against vulnerable Apache Tomcat servers requires a "robust" set of conditions, including support for partial PUT requests. Additionally, Cloudflare said attackers must have familiarity with an organization's internal file naming conventions for the web server as well as the directory structure of the target’s file system.
Caitlin Condon, director of vulnerability intelligence at Rapid7, also said there are several requirements for exploitation. For example, she noted in a blog post that organizations must enable writes for the default servlet for attacks to be successful. "Based on our analysis and those of other research firms, the conditions required for successful exploitation appear to be specific, non-default, and uncommon," Condon wrote, adding that broad exploitation is unlikely because of these requirements.
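As an added example (not code from the article, nor from GreyNoise, Cloudflare or Rapid7), the following audits a Tomcat web.xml for the two DefaultServlet settings the reporting above ties to exploitation: writes enabled (`readonly=false`) and partial PUT support (`allowPartialPut`, enabled by default). It assumes those two Tomcat init-param names and uses a constructed sample web.xml.

```python
import xml.etree.ElementTree as ET

DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"
READONLY_FALSE = "<init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>"

# Constructed sample web.xml with the non-default, write-enabled DefaultServlet (Tomcat 10/11 namespace).
WRITABLE_WEB_XML = f"""<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>{DEFAULT_SERVLET}</servlet-class>
    {READONLY_FALSE}
  </servlet>
</web-app>"""
# Constructed stock variant: no readonly override, so Tomcat's default (true) applies.
STOCK_WEB_XML = WRITABLE_WEB_XML.replace(READONLY_FALSE, "")

def _local(tag):
    """Drop the XML namespace so the check works across Tomcat 9/10/11 schemas."""
    return tag.rsplit("}", 1)[-1]

def default_servlet_params(web_xml):
    """Map init-param names to values for the DefaultServlet declaration ({} if absent)."""
    for servlet in ET.fromstring(web_xml).iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls = [c.text.strip() for c in servlet if _local(c.tag) == "servlet-class" and c.text]
        if cls != [DEFAULT_SERVLET]:
            continue
        params = {}
        for ip in (c for c in servlet if _local(c.tag) == "init-param"):
            kv = {_local(c.tag): (c.text or "").strip() for c in ip}
            if "param-name" in kv:
                params[kv["param-name"]] = kv.get("param-value", "")
        return params
    return {}

def audit(web_xml):
    """Findings for the two settings the article ties to exploitation; [] means defaults."""
    p = default_servlet_params(web_xml)
    findings = []
    # Tomcat ships readonly=true; only readonly=false lets PUT create or overwrite files.
    if p.get("readonly", "true").lower() == "false":
        findings.append("readonly=false: DefaultServlet accepts PUT writes")
        # allowPartialPut defaults to true, so it only matters once writes are enabled.
        if p.get("allowPartialPut", "true").lower() != "false":
            findings.append("allowPartialPut enabled: partial PUT (Content-Range) accepted")
    return findings
```

Run `audit()` over each deployed `conf/web.xml` and per-application `WEB-INF/web.xml`; an empty list means the stock, non-writable configuration is in place.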
In a statement to Cybersecurity Dive, the GreyNoise research team said it does not have visibility into the configurations of vulnerable Apache Tomcat servers so they can't assess whether the required conditions are present for full RCE attacks. "GreyNoise telemetry captures exploitation attempts, but not whether those attempts were successful," the research team said. "Fortunately, the payloads we observed were consistent with public proof-of-concept code and appeared to be deployed by inexperienced actors, with no indication of a coordinated or advanced campaign."
Editor’s Note: This story has been updated with a statement from GreyNoise.