Threat intelligence company Greynoise warns about “tweaked brute force activity” that targets the interface of the Apache Tomcat manager.
The company said brute force and login attempts surged on June 5, 2025, indicating that this could lead to a cautious effort to “identify and access large-scale exposed Tomcat services.”
To this end, 295 unique IP addresses are known to be engaged in brute force attempts on the Tomcat manager that day, all of which are classified as malicious. Over the past 24 hours, 188 unique IPs have been recorded, most of which have been in the US, UK, Germany, the Netherlands and Singapore.
Similarly, it was observed that 298 unique IPs perform login attempts to the Tomcat Manager instance. Of the 246 IP addresses flagged in the last 24 hours, they are all categorized as malicious and originated from the same location.
Targets for these attempts include the US, UK, Spain, Germany, India and Brazil over the same period. Greynoise pointed out that a significant portion of the activity came from the infrastructure hosted by DigitalOcean (ASN 14061).
“While not linked to any particular vulnerabilities, this action highlights the continued interest in exposed Tomcat services,” the company added. “This wide range of opportunistic activities often serve as early warnings of future exploitation.”
Organizations with exposed Tomcat manager interfaces are recommended to implement strong authentication and access restrictions to mitigate potential risks and monitor for indications of suspicious activity.
This disclosure comes as BitSight reveals that over 40,000 security cameras have open access over the Internet, and could potentially access live video feeds captured by these devices via HTTP or Real-Time Streaming Protocol (RTSP). This exposure is concentrated in the US, Japan, Austria, the Czech Republic and South Korea.
The telecommunications sector accounts for 79% of exposed cameras, followed by technology (6%), media (4.1%), utilities (2.5%), education (2.2%), business services (2.2%) and government (1.2%).
Equipment can inadvertently leak sensitive information from those installed in residential, office, public transport and factory settings, and can then be misused for spying, stalking or extortion.
Users are advised to change their default username and password and disable remote access if not required (or restrict access using a firewall and VPN) to keep the firmware up to date.
“For security or convenience purposes, these cameras are often windows open to sensitive spaces that are often unfamiliar with the owner,” security researcher Joan Cruz said in a report shared with hacker news.
“The fact that anyone can buy, plug in, and start streaming with minimal setup, regardless of why a single individual or organization needs this kind of device, is likely a threat that is still ongoing.”
