The Apache Software Foundation (ASF) is the global home for open source software, powering some of the world’s most ubiquitous software projects including Apache Airflow, Apache Camel, Apache Cassandra, Apache Groovy, Apache HTTP Server, and Apache Kafka. Established in 1999, The ASF is at the forefront of open source innovation, setting industry standards to advance software for the public good. We sustain open source projects in perpetuity, empowering developers to build communities that endure. Everything we do is open. Everyone is welcome. Learn more at https://apache.org. ASF’s annual Community Over Code event is where open source technologists convene to share best practices and use cases, forge critical relationships, and learn about advancements in their field. https://communityovercode.org/

The Apache Software Foundation A.I CyberSecurity Scoring

ASF

Company Details

LinkedIn ID: the-apache-software-foundation
Employees number: 2,164
Number of followers: 78,773
NAICS: 5112
Industry Type: Software Development
Homepage: apache.org
IP Addresses: 0
Company ID: THE_1560853
Scan Status: In-progress

ASF Risk Score (AI oriented)

Between 600 and 649

  • Powered by our proprietary A.I cyber incident model
  • Insurers prefer the TPRM score to calculate premiums

ASF Global Score (TPRM)

XXXX

  • Instant access to detailed risk factors
  • Benchmark vs. industry & size peers
  • Vulnerabilities
  • Findings

ASF Company CyberSecurity News & History

Past Incidents: 12
Attack Types: 2
Entity, Type, Severity, Impact, Seen

Apache Software Foundation (Apache OpenOffice)
Ransomware
Severity: 85
Impact: 3
Seen: 10/2025
Rankiteo Explanation:
Attack with significant impact with internal employee data leaks

Description: The Akira ransomware group claims to have breached **Apache OpenOffice**, stealing **23GB of sensitive data**, including **employee records** (physical addresses, phone numbers, driver’s licenses, social security cards, credit card details), **financial records**, **internal confidential files**, and **problem reports** related to the application. The group threatens to leak the data publicly on its dark web site. While the breach remains **unverified** by the Apache Software Foundation, the potential exposure of **employee PII (Personally Identifiable Information)** and **internal corporate documents** poses a significant risk. The attack does not appear to impact **end-users** or the **OpenOffice software distribution system**, as the download infrastructure is separate from the compromised development servers. Akira, a **ransomware-as-a-service (RaaS)** group known for **double extortion** (data theft + encryption), has targeted organizations globally, earning millions in ransom payments. The group’s claim suggests a **targeted breach** aimed at extorting the foundation by leveraging stolen employee and financial data.

Apache
Vulnerability
Severity: 25
Impact: 1
Seen: 6/2025
Rankiteo Explanation:
Attack without any consequences

Description: A newly disclosed flaw in Apache Tomcat’s Coyote engine, tracked as CVE-2025-53506, has been identified. The vulnerability allows a remote attacker to exhaust the server’s thread pool and force the container into a prolonged denial-of-service state by repeatedly initiating streams that are never closed. This issue affects various maintained branches and has been scored 6.3 by CVSS v4. Modern reverse proxies can mitigate the attack by enforcing a SETTINGS-ack timeout or hard stream ceiling until full patch deployment.

Apache Software Foundation
Vulnerability
Severity: 25
Impact: 1
Seen: 6/2025
Rankiteo Explanation:
Attack without any consequences

Description: Multiple critical security vulnerabilities in Apache Tomcat web servers were discovered, including high-severity flaws enabling denial-of-service (DoS) attacks and a moderate-severity vulnerability allowing authentication bypass. These vulnerabilities, identified as CVE-2025-48976, CVE-2025-48988, CVE-2025-49124, and CVE-2025-49125, affect millions of web applications worldwide running on affected Tomcat versions spanning from 9.0.x to 11.0.x series. The vulnerabilities were reported on June 16, 2025, and immediate patches are available across all affected version branches.

Apache Software Foundation
Vulnerability
Severity: 50
Impact: 2
Seen: 5/2025
Rankiteo Explanation:
Attack limited on finance or reputation

Description: A critical **CVE-2025-48989** vulnerability, dubbed *‘Made You Reset’*, was discovered in **Apache Tomcat’s HTTP/2 implementation**, enabling attackers to execute **devastating denial-of-service (DoS) attacks** by exploiting memory exhaustion flaws. The flaw affects **Tomcat versions 9.0.0–11.0.9**, risking crashes in thousands of global web servers. Attackers manipulate **HTTP/2 stream resets**, forcing servers into an *OutOfMemoryError* state, rendering them unresponsive. The vulnerability requires **no authentication**, only network access to send malicious requests. While patches (Tomcat **11.0.10, 10.1.44, 9.0.108+**) were released, unpatched systems remain exposed to **service outages, financial losses from downtime, and reputational damage**. Older end-of-life versions may also be vulnerable, amplifying risks for organizations relying on legacy infrastructure. The attack leverages **HTTP/2 multiplexing** to overwhelm memory pools, disrupting business-critical applications. Mitigations include **urgent upgrades, rate limiting, and monitoring for abnormal memory spikes** to prevent exploitation.

Apache
Vulnerability
Severity: 50
Impact: 2
Seen: 6/2025
Rankiteo Explanation:
Attack limited on finance or reputation

Description: A severe vulnerability in Apache bRPC (CVE-2025-54472) allows attackers to crash services by exploiting unlimited memory allocation in the Redis protocol parser. This affects all versions prior to 1.14.1. Attackers can send crafted packets with large integers, triggering memory allocation failures and causing immediate service termination. The vulnerability is particularly dangerous for internet-facing deployments, as it requires only network access. While version 1.14.0 attempted to fix the issue, a critical flaw left it vulnerable. Organizations are advised to upgrade to version 1.14.1 or apply the security patch to mitigate the risk.

The Apache Software Foundation
Vulnerability
Severity: 60
Impact: 1
Seen: 6/2024
Rankiteo Explanation:
Attack without any consequences

Description: A critical vulnerability identified as CVE-2024-53868 was discovered in Apache Traffic Server, potentially leading to cache poisoning, security control bypass, and session hijacking. The flaw relates to improper handling of HTTP chunked transfer encoding, where attackers can exploit malformed chunked messages to perform request smuggling attacks. Although the vulnerability has a CVSS score of 6.5, denoting a medium severity level, its exploitation could lead to data exposure and inconsistent request handling. Organizations using the affected versions are advised to upgrade and implement security measures to safeguard their systems.

Apache
Vulnerability
Severity: 85
Impact: 4
Seen: 4/2025
Rankiteo Explanation:
Attack with significant impact with customers data leaks

Description: A significant security vulnerability (CVE-2025-32896) was disclosed in Apache SeaTunnel, a widely used distributed data integration platform. This flaw allows unauthorized users to execute arbitrary file read operations and deserialization attacks, potentially leading to remote code execution (RCE). The vulnerability affects versions 2.3.1 through 2.3.10 and was reported on April 12, 2025. The flaw stems from insufficient access controls in the RESTful API-v1 implementation, specifically targeting the /hazelcast/rest/maps/submit-job endpoint. This vulnerability is particularly dangerous as it can allow attackers to gain control over the affected SeaTunnel instance.

Apache Tomcat
Vulnerability
Severity: 100
Impact: 5
Seen: 6/2025
Rankiteo Explanation:
Attack threatening the organization's existence

Description: A critical denial-of-service vulnerability in Apache Tomcat has been publicly exposed, affecting servers running versions 10.1.10 through 10.1.39. The exploit, designated as CVE-2025-31650, leverages malformed HTTP/2 priority headers to cause memory exhaustion on vulnerable Tomcat instances. This vulnerability, if exploited, can lead to complete service disruption, overwhelming even well-provisioned servers through sustained memory exhaustion.

Apache Software Foundation
Vulnerability
Severity: 100
Impact: 5
Seen: 5/2025
Rankiteo Explanation:
Attack threatening the organization’s existence

Description: A critical deserialization vulnerability (CVE-2025-46762) was disclosed in Apache Parquet Java’s parquet-avro module, affecting all versions through 1.15.1. The flaw allows an attacker supplying a crafted Parquet file with a malicious Avro schema to execute arbitrary code on any system that uses the “specific” or “reflect” Avro models for reading data. This impacts big data processing frameworks—such as Hadoop, Spark, and Flink—that rely on Parquet for high-performance columnar storage and retrieval. Exploitation can lead to full system compromise, unauthorized access to sensitive data, disruption of analytics pipelines, and potential lateral movement within enterprise networks. Although version 1.15.1 included a partial fix, the default trusted‐packages setting remained permissive, leaving the vulnerability exploitable. Organizations that process untrusted Parquet files without proper restrictions face the risk of supply‐chain attacks, malware deployment, and critical service outages. Immediate remediation requires upgrading to Parquet Java 1.15.2 or setting the org.apache.parquet.avro.SERIALIZABLE_PACKAGES property to an empty string to block execution of untrusted classes. Failure to address this issue could result in severe operational and reputational damage.

Apache Software
Vulnerability
Severity: 100
Impact: 5
Seen: 3/2025
Rankiteo Explanation:
Attack threatening the organization’s existence

Description: Apache Software has disclosed a critical RCE flaw in their widely-used Tomcat web container. Threat actors, exploiting a public PoC, can compromise and gain control over vulnerable servers with a simple PUT API request. This attack has significant implications as it could allow unauthorized access to sensitive data, disruption of services, and potential hijacking of systems. The exploitation of this vulnerability can result in data breaches, operational downtime, and severe security ramifications for enterprises relying on Apache Tomcat for their Java-based web applications.

Apache Software Foundation
Vulnerability
Severity: 100
Impact: 5
Seen: 6/2024
Rankiteo Explanation:
Attack threatening the organization’s existence

Description: A critical vulnerability, CVE-2024-56325, in Apache Pinot has been disclosed with a CVSS score of 9.8 for allowing authentication bypass. Organizations utilizing Apache Pinot prior to version 1.3.0 are at risk of unauthorized data access, record injection, or service disruption. This flaw affects real-time analytics dashboards, financial monitoring, and IoT data processing. Given the remote exploitability and impact on confidentiality, integrity, and availability, immediate system upgrades and auditing for suspicious access patterns are imperative. This vulnerability emphasizes the need for robust defense strategies and software composition analysis tools in handling authentication in distributed systems.

Apache Foundation
Vulnerability
Severity: 100
Impact: 5
Seen: 7/2025
Rankiteo Explanation:
Attack threatening the organization's existence

Description: The Opossum attack exploits a sophisticated cross-protocol application layer desynchronization vulnerability that compromises TLS-based communications. This attack affects critical protocols including HTTP, FTP, POP3, SMTP, LMTP, and NNTP. By leveraging man-in-the-middle positioning, attackers can inject unexpected messages into secure channels, causing persistent desynchronization between clients and servers and breaking the integrity assumptions of encrypted communications. This vulnerability enables session hijacking, content manipulation, and XSS attacks, posing a significant threat to the organization's security.

Underwriter Stats for ASF

Incidents vs Software Development Industry Average (This Year)

The Apache Software Foundation has 2172.73% more incidents than the average of same-industry companies with at least one recorded incident.

Incidents vs All-Companies Average (This Year)

The Apache Software Foundation has 1462.5% more incidents than the average of all companies with at least one recorded incident.

Incident Types ASF vs Software Development Industry Avg (This Year)

The Apache Software Foundation reported 10 incidents this year: 0 cyber attacks, 1 ransomware, 9 vulnerabilities, 0 data breaches, compared to industry peers with at least 1 incident.

Incident History — ASF (X = Date, Y = Severity)

ASF cyber incidents detection timeline including parent company and subsidiaries

ASF CyberSecurity News

November 14, 2025 03:40 PM
ASF Rejects Akira Breach Claims Against Apache OpenOffice

On October 30, 2025, Akira published a post on its data leak site asserting that it had compromised Apache OpenOffice and exfiltrated 23 GB...

November 10, 2025 05:37 PM
Akira Ransomware Claims 23GB Data Theft in Alleged Apache OpenOffice Breach

The Akira ransomware group has reportedly claimed responsibility for breaching Apache OpenOffice, asserting that it stole 23 gigabytes of...

November 06, 2025 08:00 AM
Apache OpenOffice under ransomware attack, but the foundation disputes

The Akira ransomware group claims to have stolen 23 GB of data from Apache OpenOffice, but the foundation disputes the attack and denies the...

November 04, 2025 08:00 AM
Apache OpenOffice disputes data breach claims by ransomware gang

The Apache Software Foundation disputes claims that its OpenOffice project suffered an Akira ransomware attack, after the threat actors...

November 01, 2025 07:00 AM
Akira Ransomware Strikes Apache OpenOffice, Allegedly Exfiltrates 23GB of Data

The notorious Akira ransomware group announced on October 29, 2025, that it successfully breached the systems of Apache OpenOffice.

November 01, 2025 07:00 AM
Akira Ransomware Allegedly Claims Theft of 23GB in Apache OpenOffice Breach

The notorious Akira ransomware group announced on October 29, 2025, that it successfully breached the systems of Apache OpenOffice,...

November 01, 2025 07:00 AM
Akira Ransomware Steals 23GB in Apache OpenOffice Hack

Akira ransomware allegedly steals 23GB of data in a major Apache OpenOffice hack, raising serious concerns over cybersecurity and data...

October 30, 2025 07:00 AM
Akira Ransomware Claims It Stole 23GB from Apache OpenOffice

The Akira ransomware group claims to have breached Apache OpenOffice and stolen 23GB of data. Apache OpenOffice, for those unfamiliar,...

October 28, 2025 07:00 AM
Apache Tomcat Security Vulnerabilities Expose Servers to Remote Code Execution Attacks

The Apache Software Foundation has highlighted critical flaws in Apache Tomcat, a widely used open-source Java servlet container that powers...

Frequently Asked Questions

Explore insights on cybersecurity incidents, risk posture, and Rankiteo's assessments.

ASF CyberSecurity History Information

Official Website of The Apache Software Foundation

The official website of The Apache Software Foundation is https://www.apache.org.

The Apache Software Foundation’s AI-Generated Cybersecurity Score

According to Rankiteo, The Apache Software Foundation’s AI-generated cybersecurity score is 618, reflecting their Poor security posture.

How many security badges does The Apache Software Foundation have?

According to Rankiteo, The Apache Software Foundation currently holds 0 security badges, indicating that no recognized compliance certifications are currently verified for the organization.

Does The Apache Software Foundation have SOC 2 Type 1 certification?

According to Rankiteo, The Apache Software Foundation is not certified under SOC 2 Type 1.

Does The Apache Software Foundation have SOC 2 Type 2 certification?

According to Rankiteo, The Apache Software Foundation does not hold a SOC 2 Type 2 certification.

Does The Apache Software Foundation comply with GDPR?

According to Rankiteo, The Apache Software Foundation is not listed as GDPR compliant.

Does The Apache Software Foundation have PCI DSS certification?

According to Rankiteo, The Apache Software Foundation does not currently maintain PCI DSS compliance.

Does The Apache Software Foundation comply with HIPAA?

According to Rankiteo, The Apache Software Foundation is not compliant with HIPAA regulations.

Does The Apache Software Foundation have ISO 27001 certification?

According to Rankiteo, The Apache Software Foundation is not certified under ISO 27001, indicating the absence of a formally recognized information security management framework.

Industry Classification of The Apache Software Foundation

The Apache Software Foundation operates primarily in the Software Development industry.

Number of Employees at The Apache Software Foundation

The Apache Software Foundation employs approximately 2,164 people worldwide.

Subsidiaries Owned by The Apache Software Foundation

The Apache Software Foundation presently has no subsidiaries across any sectors.

The Apache Software Foundation’s LinkedIn Followers

The Apache Software Foundation’s official LinkedIn profile has approximately 78,773 followers.

NAICS Classification of The Apache Software Foundation

The Apache Software Foundation is classified under the NAICS code 5112, which corresponds to Software Publishers.

The Apache Software Foundation’s Presence on Crunchbase

No, The Apache Software Foundation does not have a profile on Crunchbase.

The Apache Software Foundation’s Presence on LinkedIn

Yes, The Apache Software Foundation maintains an official LinkedIn profile, which is actively used for branding and talent engagement and can be accessed here: https://www.linkedin.com/company/the-apache-software-foundation.

Cybersecurity Incidents Involving The Apache Software Foundation

As of November 28, 2025, Rankiteo reports that The Apache Software Foundation has experienced 12 cybersecurity incidents.

Number of Peer and Competitor Companies

The Apache Software Foundation has an estimated 26,624 peer or competitor companies worldwide.

What types of cybersecurity incidents have occurred at The Apache Software Foundation ?

Incident Types: The types of cybersecurity incidents that have occurred include Ransomware and Vulnerability.

How does The Apache Software Foundation detect and respond to cybersecurity incidents ?

Detection and Response: The company detects and responds to cybersecurity incidents through the following measures:

Remediation measures: immediate system upgrades; auditing for suspicious access patterns; upgrade and implement security measures.

Containment measures: upgrade to Parquet Java 1.15.2; set org.apache.parquet.avro.SERIALIZABLE_PACKAGES to an empty string; upgrade to patched releases, rate limiting for HTTP/2 connections, monitoring for unusual patterns in priority header usage, memory monitoring alerts, disabling HTTP/2 support temporarily.

Remediation measures: upgrade to patched releases, rate limiting for HTTP/2 connections, monitoring for unusual patterns in priority header usage, memory monitoring alerts, disabling HTTP/2 support temporarily.

Enhanced monitoring: rate limiting for HTTP/2 connections, monitoring for unusual patterns in priority header usage, memory monitoring alerts.

Remediation measures: immediate patches available across all affected version branches.

Containment measures: upgrade to version 2.3.11, enable RESTful API-v2, implement HTTPS two-way authentication.

Remediation measures: upgrade to version 2.3.11, enable RESTful API-v2, implement HTTPS two-way authentication; disable opportunistic TLS; use implicit TLS only.

Containment measures: disable HTTP/2; limit maxConcurrentStreams at the reverse-proxy layer.

Remediation measures: upgrade to patched versions; enforce SETTINGS-ack timeout or hard stream ceiling; upgrade to Apache bRPC version 1.14.1; apply the available security patch.

Containment measures: monitoring for unusual memory consumption patterns; network-level protections (rate limiting, connection throttling).

Remediation measures: immediate upgrade to patched versions (Tomcat 11.0.10, 10.1.44, or 9.0.108+).

Communication strategy: public disclosure by security researchers (Tel Aviv University); advisories from Apache Software Foundation.

Enhanced monitoring: monitoring for HTTP/2-based attacks; tracking memory usage anomalies.

Communication strategy: Apache Software Foundation has not issued a public statement; media (Hackread.com) has reached out for comment...

Incident Details

Can you provide details on each incident ?

Incident : Vulnerability Exploit

Title: Critical Vulnerability in Apache Pinot (CVE-2024-56325)

Description: A critical vulnerability, CVE-2024-56325, in Apache Pinot has been disclosed with a CVSS score of 9.8 for allowing authentication bypass. Organizations utilizing Apache Pinot prior to version 1.3.0 are at risk of unauthorized data access, record injection, or service disruption. This flaw affects real-time analytics dashboards, financial monitoring, and IoT data processing. Given the remote exploitability and impact on confidentiality, integrity, and availability, immediate system upgrades and auditing for suspicious access patterns are imperative. This vulnerability emphasizes the need for robust defense strategies and software composition analysis tools in handling authentication in distributed systems.

Type: Vulnerability Exploit

Attack Vector: Authentication Bypass

Vulnerability Exploited: CVE-2024-56325

Incident : Remote Code Execution (RCE)

Title: Critical RCE Flaw in Apache Tomcat

Description: Apache Software has disclosed a critical RCE flaw in their widely-used Tomcat web container. Threat actors, exploiting a public PoC, can compromise and gain control over vulnerable servers with a simple PUT API request. This attack has significant implications as it could allow unauthorized access to sensitive data, disruption of services, and potential hijacking of systems. The exploitation of this vulnerability can result in data breaches, operational downtime, and severe security ramifications for enterprises relying on Apache Tomcat for their Java-based web applications.

Type: Remote Code Execution (RCE)

Attack Vector: Exploitation of Public PoC

Vulnerability Exploited: Critical RCE flaw in Apache Tomcat

Motivation: Unauthorized access to sensitive data, disruption of services, potential hijacking of systems

Incident : Vulnerability

Title: CVE-2024-53868 in Apache Traffic Server

Description: A critical vulnerability identified as CVE-2024-53868 was discovered in Apache Traffic Server, potentially leading to cache poisoning, security control bypass, and session hijacking. The flaw relates to improper handling of HTTP chunked transfer encoding, where attackers can exploit malformed chunked messages to perform request smuggling attacks. Although the vulnerability has a CVSS score of 6.5, denoting a medium severity level, its exploitation could lead to data exposure and inconsistent request handling. Organizations using the affected versions are advised to upgrade and implement security measures to safeguard their systems.

Type: Vulnerability

Attack Vector: HTTP chunked transfer encoding

Vulnerability Exploited: CVE-2024-53868

Incident : Vulnerability Exploitation

Title: Critical Deserialization Vulnerability in Apache Parquet Java

Description: A critical deserialization vulnerability (CVE-2025-46762) was disclosed in Apache Parquet Java’s parquet-avro module, affecting all versions through 1.15.1. The flaw allows an attacker supplying a crafted Parquet file with a malicious Avro schema to execute arbitrary code on any system that uses the “specific” or “reflect” Avro models for reading data. This impacts big data processing frameworks—such as Hadoop, Spark, and Flink—that rely on Parquet for high-performance columnar storage and retrieval. Exploitation can lead to full system compromise, unauthorized access to sensitive data, disruption of analytics pipelines, and potential lateral movement within enterprise networks. Although version 1.15.1 included a partial fix, the default trusted‐packages setting remained permissive, leaving the vulnerability exploitable. Organizations that process untrusted Parquet files without proper restrictions face the risk of supply‐chain attacks, malware deployment, and critical service outages. Immediate remediation requires upgrading to Parquet Java 1.15.2 or setting the org.apache.parquet.avro.SERIALIZABLE_PACKAGES property to an empty string to block execution of untrusted classes. Failure to address this issue could result in severe operational and reputational damage.

Type: Vulnerability Exploitation

Attack Vector: Deserialization of untrusted data

Vulnerability Exploited: CVE-2025-46762

Motivation: System compromise, Data theft, Disruption of services, Lateral movement

Incident : Denial-of-Service

Title: Critical Denial-of-Service Vulnerability in Apache Tomcat

Description: A proof-of-concept exploit targeting a critical denial-of-service vulnerability in Apache Tomcat has been publicly released, exposing servers running versions 10.1.10 through 10.1.39 to potential attacks. The exploit, designated as CVE-2025-31650, leverages malformed HTTP/2 priority headers to cause memory exhaustion on vulnerable Tomcat instances.

Date Detected: 2025-06-05

Date Publicly Disclosed: 2025-06-05

Type: Denial-of-Service

Attack Vector: Malformed HTTP/2 priority headers

Vulnerability Exploited: CVE-2025-31650

Threat Actor: Security researcher Abdualhadi Khalifa

Motivation: Security research and public disclosure

Incident : Vulnerability Exploitation

Title: Multiple Critical Security Vulnerabilities in Apache Tomcat

Description: Multiple critical security vulnerabilities affecting Apache Tomcat web servers, including two high-severity flaws enabling denial-of-service (DoS) attacks and one moderate-severity vulnerability allowing authentication bypass.

Date Detected: 2025-06-16

Date Publicly Disclosed: 2025-06-16

Type: Vulnerability Exploitation

Attack Vector: Memory Exhaustion via Multipart Header Exploitation, Multipart Upload Resource Exhaustion, Windows Installer Side-Loading Risk, Security Constraint Bypass in Resource Mounting

Vulnerability Exploited: CVE-2025-48976, CVE-2025-48988, CVE-2025-49124, CVE-2025-49125

Incident : Remote Code Execution (RCE)

Title: Apache SeaTunnel RESTful API Vulnerability

Description: A significant security vulnerability in Apache SeaTunnel enables unauthorized users to execute arbitrary file read operations and deserialization attacks through its RESTful API interface.

Date Detected: 2025-04-12

Date Publicly Disclosed: 2025-04-12

Type: Remote Code Execution (RCE)

Attack Vector: Insufficient access controls in the RESTful API-v1 implementation, specifically the /hazelcast/rest/maps/submit-job endpoint.

Vulnerability Exploited: CVE-2025-32896

Motivation: Unauthorized access to sensitive system resources and remote code execution.

Incident : Cross-protocol Application Layer Desynchronization

Title: Opossum Attack

Description: The Opossum attack is a sophisticated cross-protocol application layer desynchronization vulnerability that compromises TLS-based communications by exploiting differences between implicit and opportunistic TLS implementations. It affects critical protocols including HTTP, FTP, POP3, SMTP, LMTP, and NNTP, and enables session hijacking, content manipulation, and XSS attacks.

Type: Cross-protocol Application Layer Desynchronization

Attack Vector: Man-in-the-Middle

Vulnerability Exploited: Implicit TLS, Opportunistic TLS

Motivation: Session Hijacking, Content Manipulation, XSS Attacks

Incident : Denial of Service (DoS)

Title: Apache Tomcat Coyote Engine Vulnerability CVE-2025-53506

Description: A flaw in Apache Tomcat’s Coyote engine allows a remote attacker to exhaust the server’s thread pool and force a denial-of-service state by exploiting a race condition in HTTP/2 stream handling.

Type: Denial of Service (DoS)

Attack Vector: Network

Vulnerability Exploited: CVE-2025-53506

Motivation: Disruption of service

Incident : Vulnerability

Title: Apache bRPC Redis Protocol Parser Vulnerability

Description: A severe vulnerability in Apache bRPC has been discovered that allows attackers to crash services through network exploitation, affecting all versions prior to 1.14.1. The vulnerability, identified as CVE-2025-54472 with 'important' severity classification, stems from unlimited memory allocation in the Redis protocol parser component.

Type: Vulnerability

Attack Vector: Network exploitation

Vulnerability Exploited: CVE-2025-54472

Incident : Vulnerability

Title: Apache Tomcat HTTP/2 'Made You Reset' Denial-of-Service Vulnerability (CVE-2025-48989)

Description: A critical security vulnerability in Apache Tomcat’s HTTP/2 implementation (CVE-2025-48989, dubbed 'Made You Reset') enables attackers to launch devastating denial-of-service (DoS) attacks by exploiting weaknesses in the connection reset mechanism. The flaw causes servers to exhaust memory resources, leading to OutOfMemoryError and unresponsiveness. It affects Apache Tomcat versions 11.0.0-M1 through 11.0.9, 10.1.0-M1 through 10.1.43, and 9.0.0.M1 through 9.0.107, along with potentially vulnerable older end-of-life (EOL) versions. The attack leverages HTTP/2 multiplexing to manipulate stream reset frames, forcing the server to maintain half-open connections and deplete memory.

Date Publicly Disclosed: 2025-08-13

Type: Vulnerability

Attack Vector: Network, HTTP/2 Protocol Manipulation, Stream Reset Frames

Vulnerability Exploited: CVE-2025-48989 (HTTP/2 'Made You Reset' Memory Exhaustion)

Incident : Data Breach

Title: Alleged Akira Ransomware Breach of Apache OpenOffice

Description: The Akira ransomware group claims to have breached Apache OpenOffice, a free and open-source office software suite developed by the Apache Software Foundation, and stolen 23GB of sensitive data, including employee records (physical addresses, phone numbers, driver’s licenses, social security cards, credit card information), financial records, internal confidential files, and reports about application issues. The claim is unverified, and Apache has not confirmed the breach. If true, the breach could expose internal development data or contributor information, but end-users are unlikely to be directly affected as the download infrastructure remains separate.

Type: Data Breach

Threat Actor: Akira Ransomware Group

Motivation: Financial Gain, Data Theft, Extortion

What are the most common types of attacks the company has faced ?

Common Attack Types: The most common type of attack the company has faced is Vulnerability.

How does the company identify the attack vectors used in incidents ?

Identification of Attack Vectors: The company identifies the attack vectors used in incidents through Simple PUT API request, HTTP/2 priority headers, /hazelcast/rest/maps/submit-job endpoint, Man-in-the-Middle and TCP port 443.

Impact of the Incidents

What was the impact of each incident ?

Incident : Vulnerability Exploit THE659030725

Systems Affected: Real-time analytics dashboards, Financial monitoring, IoT data processing

Incident : Remote Code Execution (RCE) THE318031825

Systems Affected: Vulnerable servers

Operational Impact: Operational downtime, severe security ramifications

Incident : Vulnerability THE718040425

Systems Affected: Apache Traffic Server

Incident : Vulnerability Exploitation THE300050525

Data Compromised: Sensitive data

Systems Affected: Hadoop, Spark, Flink

Operational Impact: Disruption of analytics pipelines

Brand Reputation Impact: Severe reputational damage

Incident : Denial-of-Service THE951060625

Systems Affected: Apache Tomcat servers running versions 10.1.10 through 10.1.39

Operational Impact: Complete service disruption

Incident : Vulnerability Exploitation THE903061725

Systems Affected: Apache Tomcat web servers

Incident : Cross-protocol Application Layer Desynchronization THE409071125

Systems Affected: HTTP, FTP, SMTP, POP3, LMTP, NNTP

Operational Impact: Persistent desynchronization between clients and servers

Incident : Denial of Service (DoS) THE754071625

Systems Affected: Apache Tomcat servers

Downtime: High

Operational Impact: High

Incident : Vulnerability THE207081225

Operational Impact: Denial of Service

Incident : Vulnerability THE738081425

Systems Affected: Apache Tomcat Servers (Versions 9.0.0-M1 to 11.0.9), Web Applications Relying on Affected Tomcat Instances

Downtime: Potential Extended Outages Due to OutOfMemoryError, Service Unavailability for Legitimate Users

Operational Impact: Disruption of Web Services, Degraded Performance, Resource Exhaustion

Brand Reputation Impact: Potential Loss of Trust in Affected Services, Negative Publicity for Organizations Using Vulnerable Versions

Incident : Data Breach THE2202022103125

Data Compromised: Employee records (addresses, phones, dob, driver’s licenses, social security cards, credit card information), Financial records, Internal confidential files, Application problem reports

Brand Reputation Impact: Potential reputational damage if breach is confirmed

Identity Theft Risk: High (if employee PII is exposed)

Payment Information Risk: High (credit card information allegedly stolen)

What types of data are most commonly compromised in incidents ?

Commonly Compromised Data Types: The types of data most commonly compromised in incidents are Employee PII, Financial Records, Internal Confidential Files and Application Reports.

Which entities were affected by each incident ?

Incident : Vulnerability Exploit THE659030725

Entity Name: Apache Pinot users

Entity Type: Organizations

Industry: Technology, Finance, IoT

Incident : Remote Code Execution (RCE) THE318031825

Entity Name: Apache Software

Entity Type: Software Company

Industry: Technology

Incident : Vulnerability THE718040425

Entity Name: Apache Traffic Server users

Entity Type: Organization

Incident : Vulnerability Exploitation THE300050525

Entity Type: Big data processing frameworks

Industry: Technology

Incident : Denial-of-Service THE951060625

Entity Name: Apache Tomcat

Entity Type: Software

Industry: Technology

Incident : Vulnerability Exploitation THE903061725

Entity Name: Apache Software Foundation

Entity Type: Organization

Industry: Software

Incident : Remote Code Execution (RCE) THE302062025

Entity Name: Apache SeaTunnel

Entity Type: Software Platform

Industry: Technology

Incident : Cross-protocol Application Layer Desynchronization THE409071125

Entity Type: Server

Industry: Technology

Incident : Denial of Service (DoS) THE754071625

Entity Name: Apache Tomcat users

Entity Type: Software users

Industry: Various

Location: Global

Incident : Vulnerability THE207081225

Entity Name: Apache bRPC

Entity Type: Software

Industry: Technology

Incident : Vulnerability THE738081425

Entity Name: Apache Software Foundation

Entity Type: Open-Source Organization

Industry: Software Development

Location: Global

Customers Affected: Organizations Using Apache Tomcat (Potentially Thousands of Web Servers)

Incident : Data Breach THE2202022103125

Entity Name: Apache OpenOffice (Apache Software Foundation)

Entity Type: Non-profit Organization / Open-Source Project

Industry: Software Development

Location: Global (HQ: USA)

Customers Affected: None (end-users not directly impacted per current information)

Response to the Incidents

What measures were taken in response to each incident ?

Incident : Vulnerability Exploit THE659030725

Remediation Measures: Immediate system upgrades, Auditing for suspicious access patterns

Incident : Vulnerability THE718040425

Remediation Measures: Upgrade and implement security measures

Incident : Vulnerability Exploitation THE300050525

Containment Measures: Upgrade to Parquet Java 1.15.2, Set org.apache.parquet.avro.SERIALIZABLE_PACKAGES to an empty string

Incident : Denial-of-Service THE951060625

Containment Measures: Upgrade to patched releases, rate limiting for HTTP/2 connections, monitoring for unusual patterns in priority header usage, memory monitoring alerts, disabling HTTP/2 support temporarily

Remediation Measures: Upgrade to patched releases, rate limiting for HTTP/2 connections, monitoring for unusual patterns in priority header usage, memory monitoring alerts, disabling HTTP/2 support temporarily

Enhanced Monitoring: Rate limiting for HTTP/2 connections, monitoring for unusual patterns in priority header usage, memory monitoring alerts

Incident : Vulnerability Exploitation THE903061725

Remediation Measures: Immediate patches available across all affected version branches

Incident : Remote Code Execution (RCE) THE302062025

Containment Measures: Upgrade to version 2.3.11, enable RESTful API-v2, implement HTTPS two-way authentication

Remediation Measures: Upgrade to version 2.3.11, enable RESTful API-v2, implement HTTPS two-way authentication

Incident : Cross-protocol Application Layer Desynchronization THE409071125

Remediation Measures: Disable opportunistic TLS, Use implicit TLS only

Incident : Denial of Service (DoS) THE754071625

Containment Measures: Disable HTTP/2, Limit maxConcurrentStreams at the reverse-proxy layer

Remediation Measures: Upgrade to patched versions, Enforce SETTINGS-ack timeout or hard stream ceiling

Incident : Vulnerability THE207081225

Remediation Measures: Upgrade to Apache bRPC version 1.14.1, Apply the available security patch

Incident : Vulnerability THE738081425

Containment Measures: Monitoring for Unusual Memory Consumption Patterns, Network-Level Protections (Rate Limiting, Connection Throttling)

Remediation Measures: Immediate Upgrade to Patched Versions (Tomcat 11.0.10, 10.1.44, or 9.0.108+)

Communication Strategy: Public Disclosure by Security Researchers (Tel Aviv University), Advisories from Apache Software Foundation

Enhanced Monitoring: Monitoring for HTTP/2-Based Attacks, Tracking Memory Usage Anomalies

Incident : Data Breach THE2202022103125

Communication Strategy: Apache Software Foundation has not issued a public statement; media (Hackread.com) has reached out for comment.

Data Breach Information

What type of data was compromised in each breach ?

Incident : Data Breach THE2202022103125

Type of Data Compromised: Employee PII, Financial records, Internal confidential files, Application reports

Sensitivity of Data: High (includes PII, financial data, and internal documents)

Data Exfiltration: Claimed: 23GB of data stolen

Personally Identifiable Information: Physical addresses, Phone numbers, Dates of birth, Driver’s licenses, Social security cards, Credit card information

What measures does the company take to prevent data exfiltration ?

Prevention of Data Exfiltration: The company takes the following measures to prevent data exfiltration: Immediate system upgrades, Auditing for suspicious access patterns, Upgrade and implement security measures, Upgrade to patched releases, rate limiting for HTTP/2 connections, monitoring for unusual patterns in priority header usage, memory monitoring alerts, disabling HTTP/2 support temporarily, Immediate patches available across all affected version branches, Upgrade to version 2.3.11, enable RESTful API-v2, implement HTTPS two-way authentication, Disable opportunistic TLS, Use implicit TLS only, Upgrade to patched versions, Enforce SETTINGS-ack timeout or hard stream ceiling, Upgrade to Apache bRPC version 1.14.1, Apply the available security patch, Immediate Upgrade to Patched Versions (Tomcat 11.0.10, 10.1.44, or 9.0.108+).

How does the company handle incidents involving personally identifiable information (PII) ?

Handling of PII Incidents: The company handles incidents involving personally identifiable information (PII) through the following measures: upgrade to Parquet Java 1.15.2, set org.apache.parquet.avro.SERIALIZABLE_PACKAGES to an empty string, upgrade to patched releases, rate limiting for HTTP/2 connections, monitoring for unusual patterns in priority header usage, memory monitoring alerts, disabling HTTP/2 support temporarily, upgrade to version 2.3.11, enable RESTful API-v2, implement HTTPS two-way authentication, disable HTTP/2, limit maxConcurrentStreams at the reverse-proxy layer, monitoring for unusual memory consumption patterns and network-level protections (rate limiting, connection throttling).

Ransomware Information

Was ransomware involved in any of the incidents ?

Incident : Data Breach THE2202022103125

Ransomware Strain: Akira

Data Exfiltration: Claimed: 23GB of data exfiltrated

Lessons Learned and Recommendations

What lessons were learned from each incident ?

Incident : Vulnerability Exploit THE659030725

Lessons Learned: The need for robust defense strategies and software composition analysis tools in handling authentication in distributed systems.

Incident : Denial-of-Service THE951060625

Lessons Learned: Immediate prioritization of upgrades to patched releases, implementation of rate limiting and monitoring for unusual patterns in priority header usage, and considering temporary disabling of HTTP/2 support on critical instances.

Incident : Remote Code Execution (RCE) THE302062025

Lessons Learned: Implement comprehensive security improvements, including enhanced authentication mechanisms and input validation procedures.

Incident : Cross-protocol Application Layer Desynchronization THE409071125

Lessons Learned: Disable opportunistic TLS and prioritize implicit TLS implementations to maintain secure communications integrity.

Incident : Denial of Service (DoS) THE754071625

Lessons Learned: Ensuring timely updates and monitoring of HTTP/2 stream limits can prevent such vulnerabilities.

Incident : Vulnerability THE738081425

Lessons Learned: Importance of Timely Patching for Critical Vulnerabilities in Widely Used Software, Need for Robust Memory Management in HTTP/2 Implementations, Value of Network-Level Mitigations (e.g., Rate Limiting) During Patch Deployment

What recommendations were made to prevent future incidents ?

Incident : Vulnerability Exploit THE659030725

Recommendations: Immediate system upgrades, Auditing for suspicious access patterns

Incident : Vulnerability THE718040425

Recommendations: Upgrade and implement security measures

Incident : Vulnerability Exploitation THE300050525

Recommendations: Upgrade to Parquet Java 1.15.2, Set org.apache.parquet.avro.SERIALIZABLE_PACKAGES to an empty string

Incident : Denial-of-Service THE951060625

Recommendations: Upgrade to patched releases, implement rate limiting for HTTP/2 connections, monitor for unusual patterns in priority header usage, set up memory monitoring alerts, and consider temporarily disabling HTTP/2 support on critical instances.

Incident : Vulnerability Exploitation THE903061725

Recommendations: Organizations must prioritize immediate updates to address these vulnerabilities. System administrators should verify their Tomcat installations and implement configuration changes to the server.xml file, specifically adjusting Connector parameters to prevent resource exhaustion attacks while maintaining application functionality.

Incident : Remote Code Execution (RCE) THE302062025

Recommendations: Upgrade to the latest release, enable RESTful API-v2, implement HTTPS two-way authentication.

Incident : Cross-protocol Application Layer Desynchronization THE409071125

Recommendations: Disable opportunistic TLS, Use implicit TLS only

Incident : Denial of Service (DoS) THE754071625

Recommendations: Upgrade to the latest patched versions, Enforce SETTINGS-ack timeout or hard stream ceiling at the reverse-proxy layer

Incident : Vulnerability THE207081225

Recommendations: Upgrade to Apache bRPC version 1.14.1, Apply the available security patch, Adjust redis_max_allocation_size gflag parameter if processing Redis requests or responses exceeding 64MB

Incident : Vulnerability THE738081425

Recommendations: Upgrade to Patched Apache Tomcat Versions (11.0.10, 10.1.44, or 9.0.108+) Immediately, Disable HTTP/2 Protocol if Not Required for Operations, Implement Rate Limiting and Connection Throttling for HTTP/2 Traffic, Monitor Server Memory Usage for Anomalies Indicative of Exploitation, Conduct Regular Vulnerability Assessments for Web Server Infrastructure

Incident : Data Breach THE2202022103125

Recommendations: Download Apache OpenOffice only from the official website to avoid third-party risks. Monitor for official updates from the Apache Software Foundation regarding the breach claim. Review internal security measures for open-source projects to prevent unauthorized access.

What are the key lessons learned from past incidents ?

Key Lessons Learned: The key lessons learned from past incidents are: The need for robust defense strategies and software composition analysis tools in handling authentication in distributed systems. Immediate prioritization of upgrades to patched releases, implementation of rate limiting and monitoring for unusual patterns in priority header usage, and considering temporary disabling of HTTP/2 support on critical instances. Implement comprehensive security improvements, including enhanced authentication mechanisms and input validation procedures. Disable opportunistic TLS and prioritize implicit TLS implementations to maintain secure communications integrity. Ensuring timely updates and monitoring of HTTP/2 stream limits can prevent such vulnerabilities. Importance of Timely Patching for Critical Vulnerabilities in Widely Used Software, Need for Robust Memory Management in HTTP/2 Implementations, Value of Network-Level Mitigations (e.g., Rate Limiting) During Patch Deployment.

What recommendations has the company implemented to improve cybersecurity ?

Implemented Recommendations: The company has implemented the following recommendations to improve cybersecurity: Organizations must prioritize immediate updates to address these vulnerabilities. System administrators should verify their Tomcat installations and implement configuration changes to the server.xml file, specifically adjusting Connector parameters to prevent resource exhaustion attacks while maintaining application functionality; Upgrade and implement security measures; Upgrade to patched releases, implement rate limiting for HTTP/2 connections, monitor for unusual patterns in priority header usage, set up memory monitoring alerts, and consider temporarily disabling HTTP/2 support on critical instances; Upgrade to the latest release, enable RESTful API-v2 and implement HTTPS two-way authentication.

References

Where can I find more information about each incident ?

Incident : Denial-of-Service THE951060625

Source: Security researcher Abdualhadi Khalifa

Date Accessed: 2025-06-05

Incident : Denial of Service (DoS) THE754071625

Source: National Vulnerability Database

Incident : Denial of Service (DoS) THE754071625

Source: GitHub analysts

Incident : Vulnerability THE207081225

Source: Apache bRPC project documentation

Incident : Vulnerability THE738081425

Source: Security Researchers (Tel Aviv University) - Gal Bar Nahum, Anat Bremler-Barr, Yaniv Harel

Incident : Vulnerability THE738081425

Source: Apache Software Foundation Advisory

Incident : Data Breach THE2202022103125

Source: Hackread.com

Where can stakeholders find additional resources on cybersecurity best practices ?

Additional Resources: Stakeholders can find additional resources on cybersecurity best practices at the following sources: Security researcher Abdualhadi Khalifa (Date Accessed: 2025-06-05); National Vulnerability Database; GitHub analysts; Apache bRPC project documentation; Security Researchers (Tel Aviv University) - Gal Bar Nahum, Anat Bremler-Barr, Yaniv Harel; Apache Software Foundation Advisory; and Hackread.com.

Investigation Status

What is the current status of the investigation for each incident ?

Incident : Vulnerability THE738081425

Investigation Status: Disclosed; Patches Released

Incident : Data Breach THE2202022103125

Investigation Status: Unverified; Apache Software Foundation has not confirmed the breach.

How does the company communicate the status of incident investigations to stakeholders ?

Communication of Investigation Status: The company communicates the status of incident investigations to stakeholders through Public Disclosure By Security Researchers (Tel Aviv University), Advisories From Apache Software Foundation, and the note that Apache Software Foundation has not issued a public statement; media (Hackread.com) has reached out for comment.

Stakeholder and Customer Advisories

Were there any advisories issued to stakeholders or customers for each incident ?

Incident : Vulnerability THE738081425

Stakeholder Advisories: Apache Software Foundation, Security Research Community, System Administrators Of Affected Tomcat Instances.

Customer Advisories: Organizations Using Apache Tomcat Urged to Apply Patches, Public-Facing Web Applications Prioritized for Updates

Incident : Data Breach THE2202022103125

Customer Advisories: Users advised to download software only from official sources; no direct impact on end-users reported.

What advisories does the company provide to stakeholders and customers following an incident ?

Advisories Provided: The company provides the following advisories to stakeholders and customers following an incident: Apache Software Foundation, Security Research Community, System Administrators Of Affected Tomcat Instances, Organizations Using Apache Tomcat Urged To Apply Patches, Public-Facing Web Applications Prioritized For Updates, and Users advised to download software only from official sources; no direct impact on end-users reported.

Initial Access Broker

How did the initial access broker gain entry for each incident ?

Incident : Remote Code Execution (RCE) THE318031825

Entry Point: Simple PUT API request

Incident : Denial-of-Service THE951060625

Entry Point: HTTP/2 priority headers

Incident : Remote Code Execution (RCE) THE302062025

Entry Point: /hazelcast/rest/maps/submit-job endpoint

Incident : Cross-protocol Application Layer Desynchronization THE409071125

Entry Point: Man-in-the-Middle

Incident : Denial of Service (DoS) THE754071625

Entry Point: TCP port 443

Post-Incident Analysis

What were the root causes and corrective actions taken for each incident ?

Incident : Remote Code Execution (RCE) THE318031825

Root Causes: Critical RCE flaw in Apache Tomcat

Incident : Vulnerability THE718040425

Root Causes: Improper handling of HTTP chunked transfer encoding

Corrective Actions: Upgrade and implement security measures

Incident : Vulnerability Exploitation THE300050525

Root Causes: Deserialization vulnerability in Apache Parquet Java’s parquet-avro module

Corrective Actions: Upgrade to Parquet Java 1.15.2, Set org.apache.parquet.avro.SERIALIZABLE_PACKAGES to an empty string

Incident : Denial-of-Service THE951060625

Root Causes: Fundamental flaw in how Apache Tomcat processes HTTP/2 priority headers

Corrective Actions: Upgrade to patched releases, implement rate limiting and monitoring for unusual patterns in priority header usage, set up memory monitoring alerts, consider temporarily disabling HTTP/2 support on critical instances.

Incident : Remote Code Execution (RCE) THE302062025

Root Causes: Insufficient access controls in the RESTful API-v1 implementation

Corrective Actions: Upgrade to version 2.3.11, enable RESTful API-v2, implement HTTPS two-way authentication

Incident : Cross-protocol Application Layer Desynchronization THE409071125

Root Causes: Differences between implicit and opportunistic TLS implementations

Corrective Actions: Disable opportunistic TLS, Use implicit TLS only

Incident : Denial of Service (DoS) THE754071625

Root Causes: Race condition introduced during the refactor that added dynamic stream limits

Corrective Actions: Upgrade to patched versions, Enforce SETTINGS-ack timeout or hard stream ceiling

Incident : Vulnerability THE207081225

Root Causes: Unlimited memory allocation in the Redis protocol parser component

Corrective Actions: Implemented proper bounds checking for memory allocation requests with a default maximum allocation limit of 64MB per Redis parser operation

Incident : Vulnerability THE738081425

Root Causes: Flaw in HTTP/2 Stream Reset and Connection Management in Apache Tomcat, Inadequate Memory Release Mechanisms for Half-Open Connections, Lack of Input Validation for Malicious HTTP/2 Frames

Corrective Actions: Patched HTTP/2 Implementation in Tomcat Versions 11.0.10, 10.1.44, and 9.0.108, Enhanced Memory Management for Connection States, Improved Handling of Stream Reset Frames

What is the company's process for conducting post-incident analysis ?

Post-Incident Analysis Process: The company's process for conducting post-incident analysis is described as Rate limiting for HTTP/2 connections, monitoring for unusual patterns in priority header usage, memory monitoring alerts, Monitoring for HTTP/2-Based Attacks, Tracking Memory Usage Anomalies.

What corrective actions has the company taken based on post-incident analysis ?

Corrective Actions Taken: The company has taken the following corrective actions based on post-incident analysis: Upgrade and implement security measures; Upgrade to Parquet Java 1.15.2, Set org.apache.parquet.avro.SERIALIZABLE_PACKAGES to an empty string; Upgrade to patched releases, implement rate limiting and monitoring for unusual patterns in priority header usage, set up memory monitoring alerts, consider temporarily disabling HTTP/2 support on critical instances; Upgrade to version 2.3.11, enable RESTful API-v2, implement HTTPS two-way authentication; Disable opportunistic TLS, Use implicit TLS only; Upgrade to patched versions, Enforce SETTINGS-ack timeout or hard stream ceiling; Implemented proper bounds checking for memory allocation requests with a default maximum allocation limit of 64MB per Redis parser operation; Patched HTTP/2 Implementation in Tomcat Versions 11.0.10, 10.1.44, and 9.0.108, Enhanced Memory Management for Connection States, Improved Handling of Stream Reset Frames.

Additional Questions

General Information

Who was the attacking group in the last incident ?

Last Attacking Group: The attacking group in the last incident were Security researcher Abdualhadi Khalifa and Akira Ransomware Group.

Incident Details

What was the most recent incident detected ?

Most Recent Incident Detected: The most recent incident detected was on 2025-06-05.

What was the most recent incident publicly disclosed ?

Most Recent Incident Publicly Disclosed: The most recent incident publicly disclosed was on 2025-08-13.

Impact of the Incidents

What was the most significant data compromised in an incident ?

Most Significant Data Compromised: The most significant data compromised in an incident were Sensitive data, Employee records (addresses, phones, DOB, driver’s licenses, social security cards, credit card information), Financial records, Internal confidential files and Application problem reports.

What was the most significant system affected in an incident ?

Most Significant System Affected: The most significant system affected in an incident was Real-time analytics dashboards, Financial monitoring, IoT data processing; Hadoop, Spark, Flink; HTTP, FTP, SMTP, POP3, LMTP, NNTP; and Apache Tomcat Servers (Versions 9.0.0-M1 to 11.0.9), Web Applications Relying on Affected Tomcat Instances.

Response to the Incidents

What containment measures were taken in the most recent incident ?

Containment Measures in Most Recent Incident: The containment measures taken in the most recent incident were Upgrade to Parquet Java 1.15.2, Set org.apache.parquet.avro.SERIALIZABLE_PACKAGES to an empty string; Upgrade to patched releases, rate limiting for HTTP/2 connections, monitoring for unusual patterns in priority header usage, memory monitoring alerts, disabling HTTP/2 support temporarily; Upgrade to version 2.3.11, enable RESTful API-v2, implement HTTPS two-way authentication; Disable HTTP/2, Limit maxConcurrentStreams at the reverse-proxy layer; Monitoring for Unusual Memory Consumption Patterns, Network-Level Protections (Rate Limiting and Connection Throttling).

Data Breach Information

What was the most sensitive data compromised in a breach ?

Most Sensitive Data Compromised: The most sensitive data compromised in a breach were Employee records (addresses, phones, DOB, driver’s licenses, social security cards, credit card information), Internal confidential files, Sensitive data, Application problem reports and Financial records.

Lessons Learned and Recommendations

What was the most significant lesson learned from past incidents ?

Most Significant Lesson Learned: The most significant lesson learned from past incidents was Value of Network-Level Mitigations (e.g., Rate Limiting) During Patch Deployment.

What was the most significant recommendation implemented to improve cybersecurity ?

Most Significant Recommendation Implemented: The most significant recommendation implemented to improve cybersecurity was Conduct Regular Vulnerability Assessments for Web Server Infrastructure; Enforce SETTINGS-ack timeout or hard stream ceiling at the reverse-proxy layer; Upgrade to Apache bRPC version 1.14.1; Upgrade to Parquet Java 1.15.2; Monitor Server Memory Usage for Anomalies Indicative of Exploitation; Upgrade to patched releases, implement rate limiting for HTTP/2 connections, monitor for unusual patterns in priority header usage, set up memory monitoring alerts, and consider temporarily disabling HTTP/2 support on critical instances; Disable HTTP/2 Protocol if Not Required for Operations; Review internal security measures for open-source projects to prevent unauthorized access; Upgrade to the latest patched versions; Disable opportunistic TLS; Use implicit TLS only; Upgrade and implement security measures; Adjust redis_max_allocation_size gflag parameter if processing Redis requests or responses exceeding 64MB; Apply the available security patch; Download Apache OpenOffice only from the official website to avoid third-party risks; Monitor for official updates from the Apache Software Foundation regarding the breach claim; Implement Rate Limiting and Connection Throttling for HTTP/2 Traffic; Immediate system upgrades; Organizations must prioritize immediate updates to address these vulnerabilities. System administrators should verify their Tomcat installations and implement configuration changes to the server.xml file, specifically adjusting Connector parameters to prevent resource exhaustion attacks while maintaining application functionality; Auditing for suspicious access patterns; Set org.apache.parquet.avro.SERIALIZABLE_PACKAGES to an empty string; Upgrade to Patched Apache Tomcat Versions (11.0.10, 10.1.44, or 9.0.108+) Immediately; Upgrade to the latest release, enable RESTful API-v2 and implement HTTPS two-way authentication.

References

What is the most recent source of information about an incident ?

Most Recent Source: The most recent sources of information about an incident are Apache bRPC project documentation; National Vulnerability Database; Security researcher Abdualhadi Khalifa; GitHub analysts; Security Researchers (Tel Aviv University) - Gal Bar Nahum, Anat Bremler-Barr, Yaniv Harel; Apache Software Foundation Advisory; and Hackread.com.

Investigation Status

What is the current status of the most recent investigation ?

Current Status of Most Recent Investigation: The current status of the most recent investigation is Disclosed; Patches Released.

Stakeholder and Customer Advisories

What was the most recent stakeholder advisory issued ?

Most Recent Stakeholder Advisory: The most recent stakeholder advisory issued was Apache Software Foundation, Security Research Community, System Administrators of Affected Tomcat Instances.

What was the most recent customer advisory issued ?

Most Recent Customer Advisory: The most recent customer advisories issued were Organizations Using Apache Tomcat Urged to Apply Patches, Public-Facing Web Applications Prioritized for Updates, and Users advised to download software only from official sources; no direct impact on end-users reported.

Initial Access Broker

What was the most recent entry point used by an initial access broker ?

Most Recent Entry Point: The most recent entry points used by an initial access broker were HTTP/2 priority headers, Man-in-the-Middle, /hazelcast/rest/maps/submit-job endpoint, Simple PUT API request and TCP port 443.

Post-Incident Analysis

What was the most significant root cause identified in post-incident analysis ?

Most Significant Root Cause: The most significant root cause identified in post-incident analysis was Critical RCE flaw in Apache Tomcat, Improper handling of HTTP chunked transfer encoding, Deserialization vulnerability in Apache Parquet Java’s parquet-avro module, Fundamental flaw in how Apache Tomcat processes HTTP/2 priority headers, Insufficient access controls in the RESTful API-v1 implementation, Differences between implicit and opportunistic TLS implementations, Race condition introduced during the refactor that added dynamic stream limits, Unlimited memory allocation in the Redis protocol parser component, Flaw in HTTP/2 Stream Reset and Connection Management in Apache Tomcat, Inadequate Memory Release Mechanisms for Half-Open Connections, Lack of Input Validation for Malicious HTTP/2 Frames.

What was the most significant corrective action taken based on post-incident analysis ?

Most Significant Corrective Action: The most significant corrective action taken based on post-incident analysis was Upgrade and implement security measures; Upgrade to Parquet Java 1.15.2, Set org.apache.parquet.avro.SERIALIZABLE_PACKAGES to an empty string; Upgrade to patched releases, implement rate limiting and monitoring for unusual patterns in priority header usage, set up memory monitoring alerts, consider temporarily disabling HTTP/2 support on critical instances; Upgrade to version 2.3.11, enable RESTful API-v2, implement HTTPS two-way authentication; Disable opportunistic TLS, Use implicit TLS only; Upgrade to patched versions, Enforce SETTINGS-ack timeout or hard stream ceiling; Implemented proper bounds checking for memory allocation requests with a default maximum allocation limit of 64MB per Redis parser operation; Patched HTTP/2 Implementation in Tomcat Versions 11.0.10, 10.1.44, and 9.0.108, Enhanced Memory Management for Connection States, Improved Handling of Stream Reset Frames.

Latest Global CVEs (Not Company-Specific)

Description

ThingsBoard in versions prior to v4.2.1 allows an authenticated user to upload malicious SVG images via the "Image Gallery", leading to a Stored Cross-Site Scripting (XSS) vulnerability. The exploit can be triggered when any user accesses the public API endpoint of the malicious SVG images, or if the malicious images are embedded in an `iframe` element, during a widget creation, deployed to any page of the platform (e.g., dashboards), and accessed during normal operations. The vulnerability resides in the `ImageController`, which fails to restrict the execution of JavaScript code when an image is loaded by the user's browser. This vulnerability can lead to the execution of malicious code in the context of other users' sessions, potentially compromising their accounts and allowing unauthorized actions.

Risk Information
cvss4
Base: 6.2
Severity: LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description

Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to verify that the token used during the code exchange originates from the same authentication flow, which allows an authenticated user to perform account takeover via a specially crafted email address used when switching authentication methods and sending a request to the /users/login/sso/code-exchange endpoint. The vulnerability requires ExperimentalEnableAuthenticationTransfer to be enabled (default: enabled) and RequireEmailVerification to be disabled (default: disabled).

Risk Information
cvss3
Base: 9.9
Severity: LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Description

Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to sanitize team email addresses to be visible only to Team Admins, which allows any authenticated user to view team email addresses via the GET /api/v4/channels/{channel_id}/common_teams endpoint

Risk Information
cvss3
Base: 4.3
Severity: LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Description

Exposure of email service credentials to users without administrative rights in Devolutions Server. This issue affects Devolutions Server: before 2025.2.21, before 2025.3.9.

Description

Exposure of credentials in unintended requests in Devolutions Server. This issue affects Server: through 2025.2.20, through 2025.3.8.

Access Data Using Our API

Get company history

curl -i -X GET 'https://api.rankiteo.com/underwriter-getcompany-history?linkedin_id=the-apache-software-foundation' -H 'apikey: YOUR_API_KEY_HERE'

What Do We Measure ?

Incident
Finding
Grade
Digital Assets

Every week, Rankiteo analyzes billions of signals to give organizations a sharper, faster view of emerging risks. With deeper, more actionable intelligence at their fingertips, security teams can outpace threat actors, respond instantly to Zero-Day attacks, and dramatically shrink their risk exposure window.

These are some of the factors we use to calculate the overall score:

Network Security

Identify exposed access points, detect misconfigured SSL certificates, and uncover vulnerabilities across the network infrastructure.

SBOM (Software Bill of Materials)

Gain visibility into the software components used within an organization to detect vulnerabilities, manage risk, and ensure supply chain security.

CMDB (Configuration Management Database)

Monitor and manage all IT assets and their configurations to ensure accurate, real-time visibility across the company's technology environment.

Threat Intelligence

Leverage real-time insights on active threats, malware campaigns, and emerging vulnerabilities to proactively defend against evolving cyberattacks.

Rankiteo is a unified scoring and risk platform that analyzes billions of signals weekly to help organizations gain faster, more actionable insights into emerging threats. Empowering teams to outpace adversaries and reduce exposure.