Sound & Fury: Revisiting Apache Tomcat & next.js


Hi, it’s your pal from the internet, todb! Since I’ve gotten settled in here at runZero, I wanted to take a minute on this fine Friday before VulnCon 2025 to muse on a couple of recent vulnerabilities involving Next.js (CVE-2025-29927) and Apache Tomcat (CVE-2025-24813) that hit our radar here, then seem to have kind of fizzled out. What does that mean for vulnerability management?

As linked above, you’ll notice that we put out a couple of Rapid Responses for customers and onlookers who are likely interested in finding instances of these products in their own environments. On March 22 and March 19, respectively, we were worried enough about these vulnerabilities, and more importantly, presumed our customers would be worried enough, that they would want to quickly seek out and remediate these two vulns. After all, there was a lot of initial doom and gloom reporting, and the extant cybersecurity press is only too happy to jump on pretty much any and every vulnerability that gets this kind of attention from the vulnerability intelligence crowd.

This is a pretty normal fire drill that happens maybe once or twice a week. See smoke, yell fire, look for new clouds of smoke, and repeat a few days later. At runZero, we pretty quickly concluded that these two issues were both widespread enough to warrant at least some attention.

And of course, both vulns rate as Critical under CVSS (9.1 for Next.js and 9.8 for Tomcat) and carry high EPSS probabilities of exploitation in the next 30 days (84.7% and 93.4%, respectively, as of today). And there were proof-of-concept (PoC) exploits for both published pretty much immediately.

In the days that followed disclosure, pretty much everyone who watches for exploitation activity did see a rather obvious spike in activity around these two bugs. There were plenty of reports of scanning activity, up to and including flinging PoCs at anything that might have been vulnerable, regardless of whether the PoC would actually work. This tells me we made the right call on alerting customers and the world to the seriousness of these bugs.

That all said…

Every sign we had – CVSS, EPSS, gut-feel, and follow-on scanning activity – pointed to imminent, obvious, and disastrous exploitation. Yet here we are, still interneting along, and there doesn’t seem to be any observable damage or loss attributable to these bugs. As of today, Next.js hasn’t yet even hit the CISA KEV (though Tomcat has), and whatever evidence CISA has on the Tomcat bug isn’t obvious outside of those particular victims’ networks. No SEC filings, no rumor-mill grist blaming these bugs for the latest breaches, nothing beyond the noisy (and in most cases, clumsy) scanning action.

What was the failure here? Was there one? Is it that we just can’t account for the level of human effort and intent needed for actual exploitation? After all, exploitation prediction isn’t weather prediction; weather is entirely dumb and systemic, while exploitation requires conscious action and some amount of non-trivial work to effect.

Capable exploitation also takes time. Maybe two weeks isn’t enough, but I keep thinking of all the cybersecurity industry reports that put the average time from disclosure to observed exploitation at mere days, especially when a proof-of-concept exploit is already public.

Of course, I’m not sad that there isn’t an active, Log4Shell-level internet emergency based on these vulns. We have plenty of other emergencies to deal with these days, here in 2025 on planet Earth. But after being in the business for a while, and actually thinking through the usual signals we use to sound the alarm, I’m feeling like we are yelling “fire” an awful lot more often than we actually see fire, and I’m worried that we spin up our efforts – and the efforts of our customers and constituents – often enough that we risk crying wolf.

Or, we’re doing what we can in the face of imperfect information. We’re playing probabilities, after all, and those probabilities are inextricably tied to unmeasurable variables like the motives, means, and opportunities of the world’s criminals and spies.

I don’t know. This isn’t a post that is selling answers; I am mostly interested in getting this wondering out there, in the world. And since it’s nearly VulnCon time, I imagine I’ll be having versions of this conversation a lot over the next week or so.

At any rate, if you’re the sort of person who follows the daily vulnerability intelligence comings and goings, you might have opinions on this. I’ll post a link to this blog on LinkedIn and Mastodon, so give me your hot takes and tell me how naive I’m being there. Or, if you choose to physically manifest in Raleigh next week, hit me up there. Maybe we’ll solve this riddle once and for all!


In the meantime, we’re doing what we can to highlight the actual risk to customers’ networks based on not just CVEs (which I think we’re all over-indexed on, just in general). Misconfigurations, accidentally exposed services, and walking dead EOL software all seem at least as pressing for IT shops as unpatched, recently disclosed vulnerabilities.
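To make that last point concrete, here is a small Python triage sketch that weighs CVE signals (CVSS, EPSS, KEV membership) against asset context (internet exposure, EOL software, misconfiguration). It is an added example for this post, not runZero’s code or scoring model. The CVSS, EPSS and KEV values for the two CVEs are the ones quoted above; the hostnames, the asset context and the point weights are constructed for illustration.

```python
"""Weigh vulnerability signals with asset context, not CVE scores alone.

Added example for this post, not runZero code.  The CVSS/EPSS/KEV values for
the two CVEs are those quoted in the post; every host, its context and the
weights are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Cve:
    cve_id: str
    cvss: float     # CVSS base score, 0-10
    epss: float     # EPSS probability of exploitation in the next 30 days, 0-1
    in_kev: bool    # listed in CISA's Known Exploited Vulnerabilities catalog


@dataclass(frozen=True)
class Finding:
    host: str                 # hostname (constructed for this example)
    cve: Optional[Cve]        # None for an exposure that has no CVE at all
    internet_exposed: bool    # reachable from the internet
    eol_software: bool        # end-of-life, no patches coming
    misconfigured: bool       # e.g. default creds, open admin interface


# Scores as quoted in the post (EPSS and KEV status as of the post's date).
NEXTJS = Cve("CVE-2025-29927", cvss=9.1, epss=0.847, in_kev=False)
TOMCAT = Cve("CVE-2025-24813", cvss=9.8, epss=0.934, in_kev=True)

# Constructed assets; none of these hosts exist.
SAMPLE_FINDINGS: List[Finding] = [
    Finding("app-07", NEXTJS, internet_exposed=False, eol_software=False, misconfigured=False),
    Finding("intranet-cms", None, internet_exposed=False, eol_software=True, misconfigured=False),
    Finding("web-01", TOMCAT, internet_exposed=True, eol_software=False, misconfigured=False),
    Finding("legacy-db", None, internet_exposed=True, eol_software=True, misconfigured=True),
]


def score(f: Finding) -> float:
    """Priority on a 0-100 scale.

    CVE signals (CVSS, EPSS, KEV) contribute at most 55 points; asset context
    (exposure, EOL, misconfiguration) at most 45.  The weights are an
    assumption chosen for illustration, not an industry standard.
    """
    s = 0.0
    if f.cve is not None:
        s += 2.5 * f.cve.cvss       # severity if exploited, up to 25
        s += 15.0 * f.cve.epss      # predicted likelihood, up to 15
        if f.cve.in_kev:
            s += 15.0               # observed exploitation, a much stronger signal
    if f.internet_exposed:
        s += 20.0
    if f.eol_software:
        s += 15.0
    if f.misconfigured:
        s += 10.0
    return min(s, 100.0)


def ranked_hosts(findings: List[Finding] = SAMPLE_FINDINGS) -> List[Tuple[str, float]]:
    """Return (host, score) pairs, highest priority first."""
    return sorted(((f.host, score(f)) for f in findings), key=lambda hs: hs[1], reverse=True)


if __name__ == "__main__":
    for host, s in ranked_hosts():
        print(f"{host:<14} {s:6.1f}")
```

With these constructed weights, the exposed, end-of-life, misconfigured box that has no CVE at all (legacy-db) outranks the internal Next.js instance despite that CVE’s 9.1 CVSS, while the internet-facing Tomcat host with a KEV-listed bug still lands at the top. Any real deployment would tune the weights to its own environment; the point is only that CVE metrics are one input among several.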

Written by todb

Tod Beardsley is VP of Security Research at runZero, where he "kicks assets and fakes frames." Prior to 2025, he was the Section Chief for the Vulnerability Response section for CSD/VM/VRC at CISA, the Cybersecurity and Infrastructure Security Agency, part of the US government. He's also a founder and CNA point of contact for AHA!. He spends much of his time involved in vulnerability research and coordinated vulnerability disclosure (CVD). He has over 30 years of hands-on security experience, stretching from in-band telephony switching to modern ICS/OT implementations. He has held IT ops, security, software engineering, and management positions in large organizations such as Rapid7, 3Com, Dell, and Westinghouse, as both an offensive and defensive practitioner. He is also a CVE Board member, a Travis County Election Judge in Texas, and an internationally-tolerated horror fiction expert.
