US federal agency breached by hackers using GeoServer exploit, CISA says

• Attackers exploited a critical GeoServer flaw to breach a US federal agency in July 2024
• China Chopper web shell enabled remote access and lateral movement across compromised systems
• CISA urges timely patching, tested response plans, and continuous alert monitoring

In mid-July 2024, a threat actor managed to break into a US Federal Civilian Executive Branch (FCEB) agency by exploiting a critical remote code execution (RCE) vulnerability in GeoServer, the government has confirmed.

In an in-depth report detailing the incident, the US Cybersecurity and Infrastructure Security Agency (CISA) outlined how the attackers leveraged CVE-2024-36401, a 9.8/10 vulnerability that granted RCE capabilities through specially crafted input against a default GeoServer installation.

GeoServer is an open source server platform that enables users to share, edit, and publish geospatial data using open standards.