1. Weekly web attack trends You can analyze weekly web attack trends to see when web attacks are concentrated at any given time. Based on this, you can use it to plan proactive prevention and response strategies for peak attack periods. The graph below visualizes the number of web attacks detected by AIWAF during the month of May 2025, on a weekly basis. Analyzing AIWAF detected data for the month of May 2025, we detected an average of approximately 380,000+ web attacks per day, which is a significant increase from the previous month and indicates that the threats to web servers continue to escalate. We also observed a higher frequency of attacks on weekends (Saturday and Sunday) than on weekdays, which could indicate a strategic approach to take advantage of lower web server utilization during non-business hours. Notably, May 21 saw the highest concentration of web attacks during the entire period, with SQL Injection accounting for the highest percentage of attack types detected on that day. SQL Injection is a common attack method that manipulates databases to take over system privileges or steal internal information. Attackers often use this technique to bypass a system’s user authentication process or to gain insight into the database structure, which makes it especially important for organizations to protect their sensitive information. In fact, AIWAF categorizes SQL Injection as a high-risk attack type with the most detection patterns. The results of this analysis show that major web attack types, including SQL Injection, require continued attention and sophisticated countermeasure strategies, and will provide an important basis for future detection and blocking policies. 2. Web attack trends by attack type By analyzing web attack trends by attack type based on detection logs, you can systematically identify which types of attacks are most frequent over the course of a month. This analysis is more than just a statistic; it is a key reference point for refining your organization’s security policy and response. Analyzing the detection logs collected by AIWAF during the month of May 2025, we detected a wide range of web attacks, some of which showed distinct patterns, such as being concentrated in certain time periods or accounting for a high proportion of the total number of attacks. In particular, classic and still threatening attack types such as SQL Injection and System File Access are at the top of the list, and they tend to be carried out repeatedly, often by automated attack tools or botnets. The graph below visualizes the distribution of web attack types detected by AIWAF as of May 2025. According to the statistics by type of web attack detected by AIWAF in the month of April 2025, SQL Injection was the most prevalent, accounting for 24.95% of all detections. This was followed by System File Access (18.55%), Default Page (15.43%), and Directory Traversal (12.16%). This calls for more precise responses and proactive measures against this particular type of attack. First of all, SQL Injection is a type of attack that is always high on the OWASP Top 10, and the attack techniques are highly evolving. This attack typically occurs when values passed via user input are embedded in SQL queries and executed verbatim, which can be exploited by an attacker to bypass improper authentication, view database structures, steal sensitive data, and more. Organizations are particularly vulnerable to these attacks if they use dynamic queries or lack validation of input values. System File Access (18.55%), the second highest percentage, refers to attempts by attackers to exploit vulnerabilities in web applications to gain unauthorized access to files and directories inside the system or to manipulate arbitrary files. These attacks can be caused by web server configuration issues, insufficient access controls, directory path validation failures, etc. and can lead to system privilege takeover or backdoor installation if successful. The third highest category, Default Page (15.43%), targets pages that retain their initial settings after installation or system message pages. They expose information during the information gathering phase that can be used in subsequent attacks to determine the type of software and configuration of the system. While this attack type is largely passive, it is often detected in high volume by automated scanners, making early detection and response critical. Directory traversal (12.16%), the fourth most common, can expose sensitive system files or the source code of an application. This vulnerability can be particularly devastating in applications that perform file operations based on user input. With the increasing integration of cloud-based SaaS systems or API-based services, inadequate file access control can also pose a significant threat to cloud infrastructure, which may influence the creation of stricter cloud security policies in the future. 3. Summary of web attack trend graphs for the last 3 months February March April 4. Top 30 Attacker IPs 5. Vulnerability analysis reports [Vulnerability Report] Apache Tomcat RCE Vulnerability (CVE-2025-24813) A. Overview Apache Tomcat is an open source software under the Apache License Version 2 that provides a servlet container for running Java Server Pages (JSPs) and Java Servlets. This software is widely used as a servlet container in commercial web application servers, and we have analyzed RCE vulnerabilities in this software. Source : https://tomcat.apache.org/ B. Attack types CVE-2025-24813 stems from the way Tomcat handles partial PUT requests and allows an unauthenticated user to perform remote code execution (RCE), view security-sensitive files, and inject content into those files. The attacker sends a PUT request to the server that contains a Base64-encoded serialized Java payload. This payload is designed to trigger an RCE upon deserialization. Ex) Create Java-based payloads Ex) Generate exploit upload packets Ex) Apache Tomcat incorrectly treats this file as a legitimate session object due to directory traversal After sending the above request, the attacker sends a GET request with a specially crafted “JSESSIONID” cookie that references the malicious session, causing the server to deserialize the payload and execute arbitrary code. Ex) C. What to do CVE-2025-24813 is addressed by security patches in Tomcat 9.0.99 and later, 10.1.35 and later, 11.0.3 and later, and we recommend using these versions or later. For this vulnerability, our WAF will be further analyzed and updated to address attacks via encoded bypass paths such as /..;/, %2e%2e%3b/, ;%2e%2e/, etc. D. Conclusion Apache Tomcat, a popular Java-based web application server used worldwide, was recently discovered to contain an RCE vulnerability, identified as CVE-2025-24813. The vulnerability is due to a path validation error in the DefaultServlet, which could allow an attacker to access restricted resources or execute arbitrary code without authentication. By sending an HTTP request with a specially crafted path, an attacker can bypass authentication and execute actions that normally can only be performed by authenticated users. This could lead to remote code execution (RCE) attempts, especially to take full control of the system or execute malicious files, making it urgent for organizations and institutions using Apache Tomcat to apply the latest security patches. Our AIWAF products are continuously monitoring and detecting vulnerabilities in real-time in widely used open source-based web servers such as Apache Tomcat, and responding to these vulnerabilities with proactive defenses based on analysis of detection signatures and evasion patterns. We will continue to analyze and update our vulnerabilities for similar path bypass and authentication bypass vulnerabilities in the future. E. References https://www.cyfirma.com/research/cve-2025-24813-apache-tomcat-rce-vulnerability-analysis/ https://www.rapid7.com/blog/post/2025/03/19/etr-apache-tomcat-cve-2025-24813-what-you-need-to-know/ https://www.recordedfuture.com/blog/apache-tomcat-cve-2025-24813-vulnerability-analysis https://nvd.nist.gov/vuln/detail/CVE-2025-24813 Read more about [2025.05] Web Attack Trend Report[…]
