Vulnerability
Campaign
Incident
GeoServer exploitation, federal breach, and monetization activity
Updated 12.12.2025 07:01
Case score 68
Why this score?
Case score is a discovery signal based on public evidence, not a guaranteed risk rating. Use it to decide what to review first, then verify important details from the linked sources.
- Total
- 68
- Main story score
- 61
- Related evidence lift
- +7 / 20
- Contributing updates
- 3
- Context updates
- 0
Top contributors
- Vulnerability Anchors the case in active exploitation of **CVE-2024-36401** in **GeoServer** and the resulting federal breach story. main
- Campaign Shows separate **CVE-2024-36401** abuse against internet-exposed GeoServer instances for low-noise monetization. contributes
- Incident Provides confirmed fallout from **CVE-2024-36401** exploitation, including lateral movement and web shell use. contributes
- Vulnerability Adds later **GeoServer** exploitation pressure through **CVE-2025-58360** and its KEV listing. contributes
Case score 68
Members 4
Latest activity 12.12.2025 07:01
Active exploitation
Public PoC/exploit reported
KEV: CISA KEV
Patch available
Members 4
First seen 23.08.2025 10:38
Last seen 12.12.2025 07:01
Updated 12.12.2025 07:01
Overview
**CVE-2024-36401** in **GeoServer** moved from patch release to active exploitation, with CISA later tying an unpatched GeoServer instance to a federal breach and a separate campaign using the same flaw to monetize exposed servers. The federal intrusion stayed active for about three weeks before EDR alerted, and the attackers expanded from GeoServer into additional internal systems.
A later **GeoServer CVE-2025-58360** KEV listing shows the product remains under sustained remediation pressure. Available evidence does not show that the newer XXE flaw was used in the federal breach, and exposure across GeoServer deployments is not quantified.
Attackers exploited **CVE-2024-36401** in **GeoServer** to gain access to exposed servers, and the same flaw also powered a separate campaign that turned internet-facing deployments into monetized infrastructure. CISA later disclosed that an unnamed U.S. federal civilian executive branch agency was breached through an unpatched GeoServer instance, with the intrusion remaining active for about three weeks before EDR alerted on suspicious activity.
The attackers used Burp Suite to find exposed systems, moved from one GeoServer into another, and then expanded to a web server and an SQL server. During the intrusion they dropped web shells such as China Chopper, used brute force for passwords, attempted **CVE-2016-5195** for privilege escalation, and used Stowaway for command-and-control traffic.
In a separate GeoServer exploitation campaign observed since early March 2025, operators used **CVE-2024-36401** against internet-exposed instances and delivered customized executables from adversary-controlled servers, including a private transfer.sh instance. CISA also added **CVE-2025-58360** in GeoServer to the KEV catalog after evidence of active exploitation, with fixed releases available in **2.25.6, 2.26.2, 2.27.0, 2.28.0, and 2.28.1**. Available evidence does not show that the later XXE flaw was used in the federal breach, and the scale of exposure across GeoServer deployments remains unquantified.
Signals
15 derivedImpact signals
Exploitation
Exploitation
Active exploitation
CVSS
9.8 Critical
Exploit
Public PoC/exploit reported
Affected impact
Affected service
CVEs/products
CVE
CVE
CVE
Victims/regions
Victim region
United States
Victim region
China
Remediation
KEV
CISA KEV
Remediation
Patch available
Status
Campaign status
Active
Incident status
Disclosed
Threat context
Tooling
Data exposure
Leak status
Exposed/Unsecured
Malware context
3 families · 2 toolsTools
China Chopper
Stowaway
Member happenings
4 related
Vulnerability
GeoServer critical RCE vulnerability (CVE-2024-36401)
Exploitation
Active Exploitation
Exploit
Public Exploit
CVSS
9.8 Critical
Data Status
Exposed/Unsecured
+1
Vulnerability
GeoServer critical RCE vulnerability (CVE-2024-36401)
Exploitation
Active Exploitation
Exploit
Public Exploit
CVSS
9.8 Critical
Data Status
Exposed/Unsecured
+1
Campaign
GeoServer CVE-2024-36401 bandwidth-sharing campaign
Campaign
Active
Campaign
GeoServer CVE-2024-36401 bandwidth-sharing campaign
Campaign
Active
Vulnerability
OSGeo GeoServer actively exploited XXE flaw (CVE-2025-58360)
Exploitation
Active Exploitation
CVSS
9.8 Critical
Patch
Patch Available
Vulnerability
OSGeo GeoServer actively exploited XXE flaw (CVE-2025-58360)
Exploitation
Active Exploitation
CVSS
9.8 Critical
Patch
Patch Available
Incident
U.S. federal civilian executive branch agency hit by network compromise
Extortion
None
Incident
Disclosed
Patch
Patch Available
Incident
U.S. federal civilian executive branch agency hit by network compromise
Extortion
None
Incident
Disclosed
Patch
Patch Available