Did you forget your Cat? Tom?

Cracking the Case of the Forgotten Tomcat

Pen tests often feel like treasure hunts - you never know which stone will hide the shiny prize. On an external network assessment, our hunt began with a handful of IPs twinkling back at us from the wide-open internet. Like any good detective, we followed the trail. Most systems were locked up tight, giving us the cold shoulder. But then, one machine stood out. Its doors were creaking, just waiting to be assessed.

The Forgotten Tomcat

A closer look revealed that the host was running Apache Tomcat. Tomcat is excellent at serving web applications and powering enterprise systems, but it has one major weakness: when it is misconfigured, it becomes an attacker’s playground.

One particularly sensitive feature of Tomcat is its management console. This interface allows administrators to deploy applications, manage services, and control the server — powerful capabilities that should never be casually exposed. Naturally, we checked whether the management interface was accessible. It was.

The next step was obvious.

Default Credentials: The Oldest Trick in the Book

We attempted to authenticate using default credentials — a common first step for attackers because it works far more often than it should.

To our delight, or horror, depending on which side of the table you sit… the gates swung wide open. The organisation had deployed Tomcat but never changed the default username and password.

At that moment, what should have been a secure application server became an open invitation.

From Access to Full Control

With access to the Tomcat management console, things escalated quickly.

Tomcat allows administrators to upload and deploy application packages. By abusing this feature, we were able to achieve remote command execution (RCE) on the server. In simple terms, this meant we could run arbitrary commands directly on the system. From an attacker’s perspective, this is game over for that host.

Remote command execution can lead to:

• Full system compromise
• Theft or destruction of data
• Lateral movement to other systems
• Malware deployment
• Use of the server as a launch point for further attacks

All because one system was forgotten and left exposed.

Why Forgotten Systems Are So Dangerous?

This scenario is more common than organisations realise. Evaluate environments, legacy servers, and “temporary” systems often:

• Remain exposed to the internet
• Use default or weak credentials
• Miss security updates
• Fall outside regular monitoring

Attackers actively scan the internet for exactly these kinds of targets.

Lessons Learned

💡 Default credentials are an open invitation
If you deploy Tomcat — or any software — always change default usernames and passwords immediately. Attackers will try them first.

💡 Limit exposure
Administrative consoles should never be publicly accessible. If access is required, protect it with firewalls, VPNs, IP allow lists, and strong authentication. Always follow the Principle of Least Privilege.

💡 Regular reviews save headaches
Forgotten systems become weak points. Regular asset inventories, vulnerability scans, and configuration reviews can prevent silent risks from turning into active breaches.

Secure Your Digital Doors Before Attackers Walk In

At Liverton Security, we help organisations uncover and fix weaknesses like exposed management consoles, default credentials, and forgotten infrastructure before attackers exploit them. If this story made you uneasy, it might be time for a health check of your own network.

Reach out to Liverton Security— we would love to help you secure your digital doors before someone else finds them open.

About Liverton Security

Digital technology has greatly expanded opportunities for businesses, but has also introduced complex security threats that organisations cannot ignore. Protecting people, critical data, and entire organisations requires proactive and continuous security strategies.

As an influential and respected leader in global cybersecurity, Liverton Security specialises in helping businesses and government organisations neutralise evolving cyber threats in the digital age.