The US Cybersecurity and Infrastructure Security Agency (CISA) has reported on an intrusion at a federal civilian agency in which attackers exploited CVE-2024-36401 in GeoServer, gained a foothold in the network, moved laterally, and went undetected for roughly three weeks.

The incident began on July 11, 2024, when the attackers exploited an eval injection (unsafe evaluation of OGC request parameters as XPath expressions) in an internet-facing GeoServer instance. The vulnerability had been disclosed on June 30, 2024 and was added to CISA's Known Exploited Vulnerabilities (KEV) catalog on July 15, yet the agency still had not patched the instance when the intrusion was discovered.
The attackers performed reconnaissance with Burp Suite and other tools, then deployed the China Chopper web shell and the Stowaway proxy, and relied on living-off-the-land binaries such as PowerShell and bitsadmin. They pivoted from the GeoServer host to a web server and later to a SQL server, where they ran commands to collect data and administer the host.
Not until July 31 did the EDR flag a suspicious file and trigger a response, even though an EDR alert on Stowaway had already fired on July 15 and gone untriaged. The web server had no endpoint protection at all, which made lateral movement considerably easier.

CVE-2024-36401 (CVSS 9.8) is an unauthenticated remote code execution flaw in GeoServer (an OSGeo project): GeoTools passed property names from OGC requests to the commons-jxpath library, which evaluates them as XPath expressions and can execute arbitrary code. It affects GeoServer releases before 2.23.6, 2.24.4 and 2.25.2, the versions in which the fix shipped.
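As an added example (not CISA's code and not the GeoServer project's), tying together the intrusion described above and the vulnerability details: the first function checks an installed GeoServer version against the fixed releases, and the second triages web-server access logs for OGC requests whose filter or property-name parameters carry a jxpath-style Java invocation. The log lines are constructed, and the `/geoserver` context path, the parameter list and the indicator patterns are my assumptions based on the vulnerability's public description.

```python
"""Version check and access-log triage for the GeoServer eval injection
(CVE-2024-36401). Added example, not CISA or GeoServer code. The sample log
lines below are constructed; the indicator patterns are assumptions."""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# First release in each maintained branch that contains the fix.
# Branches older than 2.23 never received a fix; branches newer than 2.25 ship with it.
FIXED_VERSIONS = {(2, 23): (2, 23, 6), (2, 24): (2, 24, 4), (2, 25): (2, 25, 2)}


def parse_version(version: str) -> tuple:
    parts = [int(p) for p in version.strip().split(".")[:3]]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_vulnerable(version: str) -> bool:
    """True if this GeoServer release predates the fix for its branch."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_VERSIONS:
        return v < FIXED_VERSIONS[branch]
    return branch < (2, 23)


# Request parameters that GeoServer/GeoTools evaluate as property or filter
# expressions (assumed list; extend for your deployment).
SUSPECT_PARAMS = {"valuereference", "propertyname", "cql_filter", "filter", "sortby"}
# jxpath extension-function / Java invocation patterns (assumed indicators).
INDICATORS = re.compile(r"java\.lang\.|getRuntime|ProcessBuilder|\bexec\s*\(", re.I)
# Combined/common access-log format; adjust if your server logs differently.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
CONTEXT_PATH = "/geoserver"  # default GeoServer context path (assumption)

# Constructed sample: two benign OGC requests, one exploitation attempt, one unrelated hit.
SAMPLE_LOG = [
    '198.51.100.7 - - [11/Jul/2024:02:58:11 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetFeature&typeNames=sf:roads&count=10 HTTP/1.1" 200 8213',
    '198.51.100.7 - - [11/Jul/2024:02:59:40 +0000] "GET /geoserver/wms?service=WMS&version=1.1.1&request=GetMap&layers=sf:roads&CQL_FILTER=INCLUDE&width=256&height=256&format=image/png HTTP/1.1" 200 4410',
    '203.0.113.10 - - [11/Jul/2024:03:14:07 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetPropertyValue&typeNames=sf:archsites&valueReference=exec%28java.lang.Runtime.getRuntime%28%29%2C%27id%27%29 HTTP/1.1" 500 1490',
    '203.0.113.10 - - [11/Jul/2024:03:14:09 +0000] "GET /robots.txt HTTP/1.1" 404 196',
]


def triage_log(lines):
    """Return one finding per GeoServer request whose expression-bearing
    parameters contain a Java-invocation indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("url"))
        if not parts.path.lower().startswith(CONTEXT_PATH):
            continue
        # parse_qs percent-decodes once; decode again to catch double encoding.
        for name, values in parse_qs(parts.query, keep_blank_values=True).items():
            if name.lower() not in SUSPECT_PARAMS:
                continue
            for raw in values:
                value = unquote_plus(raw)
                if INDICATORS.search(value):
                    hits.append({
                        "ip": m.group("ip"), "ts": m.group("ts"),
                        "status": int(m.group("status")),
                        "param": name, "value": value,
                    })
    return hits


if __name__ == "__main__":
    for ver in ("2.25.1", "2.25.2", "2.26.0"):
        print(ver, "vulnerable" if is_vulnerable(ver) else "fixed")
    for hit in triage_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['param']}={hit['value']!r} status={hit['status']}")
```

Access logs only show GET query strings; WFS and WMS requests can also be sent as XML POST bodies, which this triage will not see unless request bodies are captured at a proxy or WAF. A 500 response is not proof of failure either: in the constructed sample the payload still executed before the response was formed.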
CISA highlighted three main lessons:
patching was not done promptly, even after the vulnerability was added to the KEV catalog;
incident response was ineffective because outside expertise was not brought in early;
EDR alerts went unreviewed, and key hosts had no EDR coverage at all.
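One concrete way to act on the first lesson is to measure every open KEV entry in your inventory against its BOD 22-01 remediation deadline. The following is an added example and not CISA tooling; the KEV excerpt is constructed in the shape of the public KEV JSON feed (its dueDate is an assumption, three weeks after the July 15 dateAdded), and the inventory format is assumed.

```python
"""Compare an asset inventory against CISA KEV due dates. Added example, not
CISA's code. KEV_JSON is a constructed excerpt mirroring the public feed's
schema; INVENTORY and the dueDate value are assumptions."""
import json
from datetime import date

KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {
            "cveID": "CVE-2024-36401",
            "vendorProject": "OSGeo",
            "product": "GeoServer",
            "vulnerabilityName": "OSGeo GeoServer GeoTools Eval Injection Vulnerability",
            "dateAdded": "2024-07-15",
            "dueDate": "2024-08-05",  # assumed: three-week BOD 22-01 window
            "knownRansomwareCampaignUse": "Unknown",
        },
    ],
})

# Assumed inventory format: one record per host with the CVEs still open on it.
INVENTORY = [
    {"host": "geoserver-01.example.internal", "product": "GeoServer",
     "version": "2.25.1", "open_cves": ["CVE-2024-36401"]},
    {"host": "geoserver-02.example.internal", "product": "GeoServer",
     "version": "2.25.2", "open_cves": []},
]


def load_kev(raw: str) -> dict:
    """Index the KEV feed by CVE ID."""
    return {v["cveID"]: v for v in json.loads(raw)["vulnerabilities"]}


def patch_status(kev: dict, inventory: list, today: date) -> list:
    """One row per (host, CVE) that is in KEV. days_past_due is negative while
    the window is still open and positive once the deadline has passed."""
    rows = []
    for asset in inventory:
        for cve in asset["open_cves"]:
            entry = kev.get(cve)
            if entry is None:
                continue  # open but not in KEV: still a finding, just no BOD deadline
            due = date.fromisoformat(entry["dueDate"])
            rows.append({
                "host": asset["host"],
                "cve": cve,
                "due": entry["dueDate"],
                "days_past_due": (today - due).days,
                "ransomware_use": entry.get("knownRansomwareCampaignUse", "Unknown"),
            })
    return sorted(rows, key=lambda r: r["days_past_due"], reverse=True)


def overdue(rows: list) -> list:
    return [r for r in rows if r["days_past_due"] > 0]


if __name__ == "__main__":
    kev = load_kev(KEV_JSON)
    for row in patch_status(kev, INVENTORY, date.today()):
        state = "OVERDUE" if row["days_past_due"] > 0 else "due"
        print(f"{row['host']} {row['cve']} {state} {row['due']} ({row['days_past_due']:+d} days)")
```

In practice the feed is fetched from CISA's published KEV JSON and the inventory from a scanner or CMDB; the point is that the due date, not the CVSS score, drives the queue, and a host that is still open after the due date is a reportable gap rather than a backlog item.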
The attack showed that even federal agencies can have critical gaps in their security posture.
This incident demonstrates the cost of delayed patching and weak incident response: even a KEV listing goes unaddressed when no process turns it into action. CISA's guidance is to patch known exploited vulnerabilities within the KEV deadline, deploy endpoint protection on every host, and triage EDR alerts promptly so that similar intrusions are caught at the first signal rather than weeks later.