Feature not a bug (Score:5, Informative)
This is a feature of Tomcat and it is working as expected; the issue here is the same kind of problem as leaving a default admin password in place, i.e. no competent deployment engineer would make this port 8009 active by mistake.
https://tomcat.apache.org/tomc... [apache.org]
Re:Feature not a bug (Score:2)
Unfortunately many IoT developers are great at writing software to make their hardware do things, but expecting them to also be experts in web site management, network management and security is stupid. My understanding is that Tomcat's memory footprint is small enough that it's popular on memory-limited devices, so it's probably deployed incorrectly on a gazillion field moisture monitors, sewer monitoring equipment, security cameras, alarm panels, etc.