GeoServer CVE-2024-36401 bandwidth-sharing campaign
Campaign
Summary
An active GeoServer exploitation campaign is using CVE-2024-36401 to turn exposed servers into infrastructure for bandwidth sharing and other passive-income abuse. The activity has been seen against internet-facing GeoServer instances since early March 2025, increasing the risk that unpatched deployments are being quietly repurposed. The campaign matters because the payloads are delivered from adversary-controlled servers and are designed to stay low-profile while monetizing compromised systems.
Cases
Related Happenings
OSGeo GeoServer actively exploited XXE flaw (CVE-2025-58360)
Vulnerability
First: 12.12.2025 07:01
Last: 12.12.2025 07:01
Sources 1
About this happening:
**CISA** added **CVE-2025-58360** in **OSGeo GeoServer** to the **KEV catalog** after evidence of **active exploitation** in the wild. The flaw is an **unauthenticated XXE** issue...
Gogs Internet-facing exploitation wave (CVE-2025-8110)
Exploitation Wave
First: 11.12.2025 15:19
Last: 11.12.2025 15:19
Sources 1
About this happening:
**Gogs** servers were caught in a broad **active exploitation wave** that left **more than 700 compromised instances** among **1,400+ exposed servers**. The abuse centered on **CV...
GeoServer critical RCE vulnerability (CVE-2024-36401)
Vulnerability
First: 23.09.2025 18:07
Last: 23.09.2025 18:07
Sources 1
About this happening:
**CVE-2024-36401** is a critical **GeoServer** remote code execution vulnerability that was patched on **June 18, 2024** and later **actively exploited** against exposed servers....
U.S. federal civilian executive branch agency hit by network compromise
Incident
First: 23.09.2025 18:07
Last: 23.09.2025 18:07
Sources 1
About this happening:
An **unnamed U.S. federal civilian executive branch agency** was breached after attackers exploited **CVE-2024-36401** in **GeoServer**, then used the foothold to move laterally t...
Timeline
- 23.08.2025 10:38 · 1 article
GeoServer CVE-2024-36401 bandwidth-sharing campaign
Initial Disclosure
The campaign began with **probing of internet-exposed GeoServer instances** and exploitation of **CVE-2024-36401**. From there, attackers started dropping **customized executables** from controlled infrastructure to monetize compromised systems.
- GeoServer Exploits, PolarEdge, and Gayfemboy Push Cybercrime Beyond Traditional Botnets — thehackernews.com — 23.08.2025 10:38