CyberHappenings

GeoServer Vulnerability Exploited for Stealthy Monetary Gain

1 unique source, 1 article

Summary

A critical remote code execution vulnerability in OSGeo GeoServer GeoTools (CVE-2024-36401) has been actively exploited since late 2024 to deploy legitimate software development kits (SDKs) or modified apps for passive income generation. Attackers have been probing GeoServer instances exposed to the internet since early 2025, leveraging the access to drop customized executables from adversary-controlled servers. The executables, written in Dart, interact with legitimate passive income services, using device resources for activities like bandwidth sharing. This stealthy approach allows attackers to monetize victims' internet bandwidth without distributing custom malware. Over 7,100 publicly exposed GeoServer instances across 99 countries have been identified, with the top five countries being China, the United States, Germany, Great Britain, and Singapore.

Timeline

  1. 23.08.2025 10:38 · 1 article

    GeoServer Vulnerability Exploited for Stealthy Monetary Gain


Similar Happenings

GhostRedirector Campaign Targets Windows Servers with Rungan Backdoor and Gamshen IIS Module

The GhostRedirector threat cluster, also known as Operation Rewrite and CL-UNK-1037, has compromised at least 65 Windows servers in Brazil, Thailand, and Vietnam, deploying the Rungan backdoor and Gamshen IIS module. The campaign, active since at least March 2025, targets various sectors and uses SEO fraud to manipulate search engine results, particularly to boost the rankings of gambling websites. The threat actor, believed to be China-aligned, employs BadIIS, a malicious native IIS module, to intercept and modify HTTP traffic, serving malicious content to site visitors. The campaign also deploys other tools for remote access, privilege escalation, and information gathering. ESET recommends using dedicated accounts, strong passwords, and multifactor authentication for IIS server administrators, as well as ensuring native IIS modules are installed only from trusted sources and are signed by a trusted provider.