CISA Reveals Hackers Breached U.S. Federal Agency via GeoServer RCE Flaw


Federal cybersecurity agency CISA has disclosed that attackers exploited a remote code execution vulnerability in GeoServer to breach a U.S. federal civilian executive branch agency.

The incident response began after endpoint detection alerts sounded at the agency. Over three weeks, cyber intruders used the flaw to gain initial access, move laterally, and establish persistence across multiple servers.

CISA’s advisory underscores the critical need for timely patching, tested response plans, and constant alert review.

How the Breach Unfolded

On July 11, 2024, attackers exploited CVE-2024-36401, an “eval injection” weakness in GeoServer, to execute commands on a public-facing server.

Although the vulnerability had been disclosed 11 days earlier, the agency had not applied the patch. The intruders leveraged the flaw to download open-source tools, install web shells, and create cron jobs for persistence.

Eleven days later, the same vulnerability was exploited against a second GeoServer instance, further widening the scope of the breach.

After ...


Copyright of this story solely belongs to gbhackers.