
Just a sample of the Echomail archive


 Message 1781 
 Mike Powell to All 
 US agency breached 
 25 Sep 25 08:32:03 
 
TZUTC: -0500
MSGID: 1530.consprcy@1:2320/105 2d3a804d
PID: Synchronet 3.21a-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0
TID: SBBSecho 3.28-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0
BBSID: CAPCITY2
CHRS: ASCII 1
FORMAT: flowed
US federal agency breached by hackers using GeoServer exploit, CISA says

Date:
Wed, 24 Sep 2025 14:28:00 +0000

Description:
Timely patching could have prevented the attack, while proper monitoring
could have mitigated the threat.

FULL STORY

In mid-July 2024, a threat actor managed to break into a US Federal Civilian
Executive Branch (FCEB) agency by exploiting a critical remote code execution
(RCE) vulnerability in GeoServer, the government has confirmed. 

In an in-depth report detailing the incident, the US Cybersecurity and
Infrastructure Security Agency (CISA) outlined how the attackers leveraged
CVE-2024-36401, a 9.8/10 vulnerability that granted RCE capabilities through
specially crafted input against a default GeoServer installation. 

GeoServer is an open source server platform that enables users to share, 
edit, and publish geospatial data using open standards.

Lessons learned 

The vulnerability was disclosed on June 30, and added to CISA's Known
Exploited Vulnerabilities (KEV) catalog by July 15, but by that time, it was
already too late since the miscreants established persistence on compromised
endpoints.

The damage could have been reduced with timely patching, though, as a second
GeoServer instance was breached on July 24. 

Once inside, the attackers conducted extensive reconnaissance using tools 
like Burp Suite, fscan, and linux-exploit-suggester2.pl. 

They moved laterally across the network, compromising a web server and an SQL
server, and deploying web shells on each system.

Among them was China Chopper, a lightweight web shell used for remote access
and control over compromised servers. Once installed, it allows attackers to
execute commands, upload files, and pivot within networks. 

CISA did not attribute this attack to any known threat actor, but from
previously reported incidents it is known that China Chopper is widely used 
by advanced persistent threat (APT) groups, particularly those linked to
Chinese state-sponsored operations such as APT41. 

The goal of CISA's report was to share lessons learned from the incident, and
apparently those lessons are: patch your systems on time, make sure to have
an incident response plan (and test/exercise it!), and continuously review
alerts.

 Via BleepingComputer

======================================================================
Link to news story:
https://www.techradar.com/pro/security/us-federal-agency-breached-by-hackers-using-geoserver-exploit-cisa-says

$$
--- SBBSecho 3.28-Linux
 * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)
SEEN-BY: 105/81 106/201 128/187 129/14 305 153/7715 154/110 218/700
SEEN-BY: 226/30 227/114 229/110 111 206 300 307 317 400 426 428 470
SEEN-BY: 229/664 700 705 266/512 291/111 320/219 322/757 342/200 396/45
SEEN-BY: 460/58 712/848 902/26 2320/0 105 304 3634/12 5075/35
PATH: 2320/105 229/426
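The "patch on time" lesson in the story above hinges on knowing which of your assets carry a CVE that CISA has already put in the KEV catalog, and how far past the catalog's due date they are. The script below is an added example, not part of the echomail post or the CISA report: it loads a KEV feed in the real CISA JSON shape (field names such as `cveID`, `dateAdded`, `dueDate`, `knownRansomwareCampaignUse` are the catalog's own), joins it against a scanner-style asset inventory, and reports every KEV-listed exposure with its days since listing and days past due. The catalog entry, the inventory hosts and the due date are constructed sample values; the `dateAdded` of July 15, 2024 matches the story, and the "as of" date of July 24, 2024 is the date of the second breach it mentions.

```python
"""Cross-check an asset inventory against a CISA KEV catalog snapshot.

Added example. The feed layout follows CISA's public JSON catalog, but the
entries and inventory below are constructed samples, not agency data.
"""
import json
from datetime import date

# Constructed KEV snapshot in the shape of CISA's
# known_exploited_vulnerabilities.json feed (values are sample data).
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "count": 1,
    "vulnerabilities": [
        {
            "cveID": "CVE-2024-36401",
            "vendorProject": "OSGeo",
            "product": "GeoServer",
            "vulnerabilityName": "GeoServer remote code execution (sample label)",
            "dateAdded": "2024-07-15",
            "requiredAction": "Apply mitigations per vendor instructions.",
            "dueDate": "2024-08-05",           # constructed due date
            "knownRansomwareCampaignUse": "Unknown",
        }
    ],
})

# Constructed inventory, as a vulnerability scanner might export it:
# one record per host with the CVEs still open on it.
INVENTORY = [
    {"host": "geoserver-01.example.internal", "product": "GeoServer",
     "open_cves": ["CVE-2024-36401"]},
    {"host": "geoserver-02.example.internal", "product": "GeoServer",
     "open_cves": ["CVE-2024-36401"]},
    {"host": "web-01.example.internal", "product": "nginx",
     "open_cves": []},
]


def load_kev(feed_json: str) -> dict[str, dict]:
    """Index a KEV feed by CVE id so lookups are O(1)."""
    catalog = json.loads(feed_json)
    return {entry["cveID"]: entry for entry in catalog["vulnerabilities"]}


def kev_exposures(inventory: list[dict], kev: dict[str, dict],
                  as_of: date) -> list[dict]:
    """Return one finding per (host, CVE) pair that appears in the KEV catalog.

    days_since_added: how long the CVE has been publicly known-exploited.
    days_past_due:    positive once the catalog due date has passed,
                      negative while the remediation window is still open.
    Findings are sorted most-overdue first so they can feed a ticket queue.
    """
    findings = []
    for asset in inventory:
        for cve in asset["open_cves"]:
            entry = kev.get(cve)
            if entry is None:
                continue                      # open but not known-exploited
            added = date.fromisoformat(entry["dateAdded"])
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "host": asset["host"],
                "cve": cve,
                "product": entry["product"],
                "days_since_added": (as_of - added).days,
                "days_past_due": (as_of - due).days,
                "ransomware_use": entry["knownRansomwareCampaignUse"],
            })
    findings.sort(key=lambda f: (-f["days_past_due"], f["host"]))
    return findings


def main() -> None:
    kev = load_kev(KEV_SAMPLE)
    # July 24, 2024: the day the story says a second GeoServer was breached.
    for f in kev_exposures(INVENTORY, kev, date(2024, 7, 24)):
        state = ("OVERDUE" if f["days_past_due"] > 0
                 else f"{-f['days_past_due']}d left in window")
        print(f"{f['host']:32} {f['cve']:16} listed {f['days_since_added']}d ago, {state}")


if __name__ == "__main__":
    main()
```

Run against a real inventory, the same join gives you the list that the report's "patch on time" lesson is really about: hosts whose open CVEs are already known to be exploited, ordered by how long the remediation deadline has been missed. Pairing it with alert review (the report's other lesson) means treating every host in that list as a place where logs need a closer look, not only a patch.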



(c) 1994,  bbs@darkrealms.ca