
GeoServer Flaw Exploited in US Federal Agency Hack


The US cybersecurity agency CISA has shared details on the exploitation of a year-old GeoServer vulnerability to compromise a federal civilian executive branch (FCEB) agency.

The exploited bug, tracked as CVE-2024-36401 (CVSS score of 9.8) and leading to remote code execution (RCE), was disclosed on June 30, 2024, two weeks before CISA added it to the KEV catalog.

On July 11, 2024, four days before CISA’s alert, a threat actor exploited the bug to gain access to a GeoServer instance belonging to the victim agency, then moved laterally to a web server and to an SQL server.

“On each server, they uploaded (or attempted to upload) web shells such as China Chopper, along with scripts designed for remote access, persistence, command execution, and privilege escalation. The cyber threat actors also used living-off-the-land (LOTL) techniques,” CISA explains in a fresh report.
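The pattern CISA describes, a web shell dropped on a server and then driven by its operator, leaves a recognisable trace in web server access logs: a script file that is never fetched with GET by anyone yet receives a burst of POST requests from one client. The following is an added detection example written for this article; it is not code from CISA, SecurityWeek or the GeoServer project. The access-log lines are constructed, the path `upload.jsp` is a hypothetical shell name, and the log format is assumed to be the common Apache/NGINX combined layout.

```python
"""Heuristic web-shell detection over web server access logs.

Added illustrative example (not from the CISA report or the SecurityWeek
article). The log lines below are constructed. The heuristic flags script
paths (.jsp/.aspx/.php/...) that only ever receive POST requests and are
never requested via GET, which is how a freshly uploaded web shell such as
China Chopper is typically operated, while normal forms (login.jsp here)
are fetched with GET before being submitted.
"""
import re
from collections import defaultdict

# Common/combined log format: client, ident, user, [timestamp], "METHOD path proto", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)
SCRIPT_EXT = (".jsp", ".jspx", ".aspx", ".ashx", ".php")

# Constructed sample log; 203.0.113.7 and upload.jsp are placeholders, not IoCs.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Jul/2024:09:12:01 +0000] "GET /geoserver/web/ HTTP/1.1" 200
10.0.0.5 - - [11/Jul/2024:09:12:05 +0000] "GET /geoserver/wms?service=WMS&request=GetCapabilities HTTP/1.1" 200
203.0.113.7 - - [11/Jul/2024:09:30:10 +0000] "POST /geoserver/ows HTTP/1.1" 200
203.0.113.7 - - [11/Jul/2024:09:30:44 +0000] "POST /geoserver/web/upload.jsp HTTP/1.1" 200
203.0.113.7 - - [11/Jul/2024:09:30:52 +0000] "POST /geoserver/web/upload.jsp HTTP/1.1" 200
203.0.113.7 - - [11/Jul/2024:09:31:03 +0000] "POST /geoserver/web/upload.jsp HTTP/1.1" 200
10.0.0.9 - - [11/Jul/2024:10:02:11 +0000] "GET /geoserver/web/login.jsp HTTP/1.1" 200
10.0.0.9 - - [11/Jul/2024:10:02:15 +0000] "POST /geoserver/web/login.jsp HTTP/1.1" 302
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Drop the query string so /x.jsp?cmd=... and /x.jsp count as the same resource.
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def detect_post_only_scripts(log_text, min_posts=2):
    """Return {path: {"ips": [...], "posts": n}} for script paths that receive at
    least `min_posts` POST requests and are never requested with GET by any client."""
    seen_get = set()
    posts = defaultdict(list)  # path -> list of client IPs that POSTed to it
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].lower().endswith(SCRIPT_EXT):
            continue
        if rec["method"] == "GET":
            seen_get.add(rec["path"])
        elif rec["method"] == "POST":
            posts[rec["path"]].append(rec["ip"])
    findings = {}
    for path, ips in posts.items():
        if path not in seen_get and len(ips) >= min_posts:
            findings[path] = {"ips": sorted(set(ips)), "posts": len(ips)}
    return findings


if __name__ == "__main__":
    for path, info in detect_post_only_scripts(SAMPLE_LOG).items():
        print(f"suspicious script {path}: {info['posts']} POSTs from {', '.join(info['ips'])}")
```

The heuristic keys on file extension, so legitimate GeoServer endpoints such as `/geoserver/ows` (which are normally driven by POST) are not flagged; a web shell written without a script extension, or one placed where the server rewrites paths, would need a complementary check such as file-integrity monitoring of the web root.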

On July 24, ten days after the bug ...


Copyright of this story solely belongs to SecurityWeek.