GeoServer critical RCE vulnerability (CVE-2024-36401)
Vulnerability
Summary
CVE-2024-36401 is a critical GeoServer remote code execution vulnerability that was patched on June 18, 2024 and later actively exploited against exposed servers. In a later CISA disclosure, attackers breached a large unnamed FCEB agency by abusing the flaw in GeoServer, then used Burp Suite for scanning, accessed a second GeoServer, moved laterally to two other servers, and dropped web shells including China Chopper. The agency’s delayed remediation, weak incident response, and limited logging left the activity undetected for three weeks and complicated containment.
Cases
Related Happenings
CPanel & WHM authentication-bypass exploitation wave (CVE-2026-41940)
Exploitation Wave
First: 04.05.2026 11:25
Last: 04.05.2026 11:25
Sources 1
About this happening:
Active exploitation of **CVE-2026-41940** is driving a **large cPanel & WHM compromise wave**, putting exposed servers at risk of administrative takeover. **More than 40,000 serve...
CISA Apache ActiveMQ CVE-2026-34197 mitigation order
Advisory/Mitigation
First: 21.04.2026 14:17
Last: 21.04.2026 14:17
Sources 1
About this happening:
**CISA** ordered **FCEB agencies** to secure **Apache ActiveMQ** servers by **April 30** after **CVE-2026-34197** was confirmed **actively exploited**. The flaw can allow **arbitr...
Oracle WebLogic Server CVE-2026-21962 rapid exploitation wave
Exploitation Wave
First: 26.03.2026 18:00
Last: 26.03.2026 18:00
Sources 1
About this happening:
**Oracle WebLogic Server** systems faced a rapid **CVE-2026-21962** exploitation wave after public exploit code appeared, creating immediate **RCE risk** for exposed servers. The...
Cloud Software Group NetScaler urgent remediation advisory
Advisory/Mitigation
First: 25.03.2026 17:52
Last: 25.03.2026 17:52
Sources 1
About this happening:
**Cloud Software Group** issued urgent remediation guidance for **NetScaler ADC** and **NetScaler Gateway**, telling affected customers to install updated versions as soon as poss...
CISA patch guidance for Zimbra and SharePoint flaws
Advisory/Mitigation
First: 19.03.2026 08:05
Last: 19.03.2026 08:05
Sources 1
About this happening:
**CISA** told **FCEB agencies** to patch **two actively exploited vulnerabilities** in **Synacor Zimbra Collaboration Suite (ZCS)** and **Microsoft Office SharePoint**, creating i...
Timeline
23.09.2025 18:07 · 1 article · 8mo ago
GeoServer fixes CVE-2024-36401
Mitigation Patch Update: A fix for CVE-2024-36401, a critical remote code execution vulnerability in GeoServer, became available on June 18, 2024.
Sources:
- CISA says hackers breached federal agency using GeoServer exploit — www.bleepingcomputer.com — 23.09.2025 18:07
23.09.2025 18:07 · 1 article · 8mo ago
CVE-2024-36401 attacks begin and exposure is broad
Campaign Scope Update: Threat monitoring saw CVE-2024-36401 attacks starting on July 9, 2024, while ZoomEye tracked more than 16,000 GeoServer servers exposed online.
Sources:
- CISA says hackers breached federal agency using GeoServer exploit — www.bleepingcomputer.com — 23.09.2025 18:07
23.09.2025 18:07 · 1 article · 8mo ago
EDR detects suspected malware on the agency SQL Server
Detection IoC Update: The unnamed U.S. federal civilian executive branch agency's Endpoint Detection and Response tool flagged a file as suspected malware on an SQL Server on July 31, 2024, prompting SOC isolation of the server and a CISA-assisted investigation after three weeks of undetected activity.
Sources:
- CISA says hackers breached federal agency using GeoServer exploit — www.bleepingcomputer.com — 23.09.2025 18:07
23.09.2025 18:07 · 3 articles · 8mo ago
CISA discloses the federal GeoServer breach and response guidance
Initial Disclosure: CISA disclosed on September 23, 2025 that attackers breached the unnamed U.S. federal civilian executive branch agency after compromising an unpatched GeoServer instance, uploaded or attempted to upload web shells such as China Chopper, and used brute force techniques and service-account abuse for lateral movement and privilege escalation; CISA also urged faster patching of Known Exploited Vulnerabilities, continuous EDR monitoring, and stronger incident response plans.
Sources:
- CISA says hackers breached federal agency using GeoServer exploit — www.bleepingcomputer.com — 23.09.2025 18:07
- CISA: Attackers Breach Federal Agency via Critical GeoServer Flaw — www.darkreading.com — 25.09.2025 00:20