Threat intelligence firm GreyNoise has warned of a “coordinated brute-force activity” targeting Apache Tomcat Manager interfaces.
The company said it observed a surge in brute-force and login attempts on June 5, 2025, an indication that they could be deliberate efforts to “identify and access exposed Tomcat services at scale.”
To that end, 295 unique IP addresses have been found to be engaged in brute-force attempts against Tomcat Manager on that date, with all of them classified as malicious. Over the past 24 hours, 188 unique IPs have been recorded, a majority of them located in the United States, the United Kingdom, Germany, the Netherlands, and Singapore.
In a similar vein, 298 unique IPs were observed conducting login attempts against Tomcat Manager instances. Of the 246 IP addresses flagged in the last 24 hours, all of them are categorized as malicious and originate from the same locations.
Targets of these attempts include the United States, the United Kingdom, Spain, Germany, India, and Brazil for the same time period. GreyNoise noted that a significant chunk of the activity came from infrastructure hosted by DigitalOcean (ASN 14061).
“While not tied to a specific vulnerability, this behavior highlights ongoing interest in exposed Tomcat services,” the company added. “Broad, opportunistic activity like this often serves as an early warning of future exploitation.”
To mitigate any potential risks, organizations with exposed Tomcat Manager interfaces are recommended to implement strong authentication and access restrictions, and monitor for any signs of suspicious activity.
The disclosure comes as Bitsight revealed that it found more than 40,000 security cameras openly accessible on the internet, potentially enabling anyone to access live video feeds captured by these devices over HTTP or Real-Time Streaming Protocol (RTSP). The exposures are concentrated in the United States, Japan, Austria, Czechia, and South Korea.
The telecommunications sector accounts for 79% of the exposed cameras, followed by technology (6%), media (4.1%), utilities (2.5%), education (2.2%), business services (2.2%), and government (1.2%).
The installations range from those installed in residences, offices, public transportation systems, and factory settings, inadvertently leaking sensitive information that could then be exploited for espionage, stalking, and extortion.
Users are advised to change default usernames and passwords, disable remote access if not required (or restrict access with firewalls and VPNs), and keep firmware up-to-date.
“These cameras – intended for security or convenience – have inadvertently become public windows into sensitive spaces, often without their owners’ knowledge,” security researcher João Cruz said in a report shared with The Hacker News.
“No matter the reason why one individual or organization needs this kind of device, the fact that anyone can buy one, plug it in, and start streaming with minimal setup is likely why this is still an ongoing threat.”
