Find notable cyber news and cases, enriched with sources, timelines, and signals.
Vulnerability Campaign Incident

GeoServer exploitation, federal breach, and monetization activity

Updated 12.12.2025 07:01
Case score 68
Case score 68 Members 4 Latest activity 12.12.2025 07:01
Active exploitation Public PoC/exploit reported KEV: CISA KEV Patch available
Members 4 First seen 23.08.2025 10:38 Last seen 12.12.2025 07:01 Updated 12.12.2025 07:01

Overview

**CVE-2024-36401** in **GeoServer** moved from patch release to active exploitation, with CISA later tying an unpatched GeoServer instance to a federal breach and a separate campaign using the same flaw to monetize exposed servers. The federal intrusion stayed active for about three weeks before EDR alerted, and the attackers expanded from GeoServer into additional internal systems. A later **GeoServer CVE-2025-58360** KEV listing shows the product remains under sustained remediation pressure. Available evidence does not show that the newer XXE flaw was used in the federal breach, and exposure across GeoServer deployments is not quantified.

Signals

15 derived
Impact signals
Exploitation
Exploitation Active exploitation CVSS 9.8 Critical Exploit Public PoC/exploit reported
Affected impact
Affected service
CVEs/products
CVE CVE CVE
Victims/regions
Victim region United States Victim region China
Remediation
KEV CISA KEV Remediation Patch available
Status
Campaign status Active Incident status Disclosed
Threat context
Tooling
Data exposure
Leak status Exposed/Unsecured

Malware context

3 families · 2 tools
Tools
China Chopper Stowaway

Member happenings

4 related
Vulnerability GeoServer critical RCE vulnerability (CVE-2024-36401)
Updated 23.09.2025 18:07 Lead Contribution 61
Exploitation Active Exploitation Exploit Public Exploit CVSS 9.8 Critical Data Status Exposed/Unsecured +1

**CVE-2024-36401** is a critical **GeoServer** remote code execution vulnerability that was patched on **June 18, 2024** and later **actively exploited** against exposed servers. In a later **CISA** disclosure, attackers breached a **large unnamed FCEB agency** by abusing the flaw in **GeoServer**, then used **Burp Suite** for scanning, accessed a second GeoServer, **moved laterally to two other servers**, and dropped web shells including **China Chopper**. The agency’s delayed remediation, weak incident response, and limited logging left the activity undetected for **three weeks** and complicated containment.

Campaign GeoServer CVE-2024-36401 bandwidth-sharing campaign
Updated 23.08.2025 10:38 Scoring Support Contribution 2
Campaign Active

An active **GeoServer** exploitation campaign is using **CVE-2024-36401** to turn exposed servers into infrastructure for **bandwidth sharing** and other passive-income abuse. The activity has been seen against **internet-facing GeoServer instances** since **early March 2025**, increasing the risk that unpatched deployments are being quietly repurposed. The campaign matters because the payloads are delivered from **adversary-controlled servers** and are designed to stay low-profile while monetizing compromised systems.

Vulnerability OSGeo GeoServer actively exploited XXE flaw (CVE-2025-58360)
Updated 12.12.2025 07:01 Scoring Support Contribution 2
Exploitation Active Exploitation CVSS 9.8 Critical Patch Patch Available

**CISA** added **CVE-2025-58360** in **OSGeo GeoServer** to the **KEV catalog** after evidence of **active exploitation** in the wild. The flaw is an **unauthenticated XXE** issue affecting **all versions through 2.25.5** and **2.26.0 through 2.26.1**, with fixes now available in later releases. Successful abuse could enable **arbitrary file access**, **SSRF**, or **DoS** against exposed GeoServer instances.

Incident U.S. federal civilian executive branch agency hit by network compromise
Updated 23.09.2025 18:07 Scoring Support Contribution 2
Extortion None Incident Disclosed Patch Patch Available

An **unnamed U.S. federal civilian executive branch agency** was breached after attackers exploited **CVE-2024-36401** in **GeoServer**, then used the foothold to move laterally to a **web server** and **SQL server**. **CISA** said the activity remained undetected for **three weeks** and that the agency's weak incident response, logging, and patching slowed containment. The attackers used **Burp Suite** for scanning, **China Chopper** web shells, **brute force** password attacks, and **Stowaway** for C2 traffic.