GeoServer flaw actively targeted by hackers, patch now
Take action: If you are running GeoServer, apply the patch or upgrade to a fixed release ASAP. If that is not an option, consider the interim mitigation of removing gt-complex-x.y.jar from the GeoServer installation, but be aware that this breaks some functionality (anything that depends on complex feature support), so test carefully. Don't delay: this vulnerability is now being actively and widely exploited.
A critical vulnerability in GeoServer, tracked as CVE-2024-36401, is being actively exploited by attackers to take control of vulnerable systems. GeoServer is an open-source, Java-based server used to publish and manage geospatial data through OGC services such as WFS and WMS, and those services are commonly exposed directly to the internet, which is what makes this flaw so significant.
The flaw stems from the GeoTools library that GeoServer depends on: attribute (property) names of feature types are passed unsafely to the commons-jxpath library and evaluated as XPath expressions, and that XPath engine can be driven to execute arbitrary code. Because the affected OGC requests do not require authentication, an unauthenticated remote attacker can achieve remote code execution (RCE) on the server with a single specially crafted request. In the observed attacks this has been used to deploy malware, run cryptocurrency miners, and enroll servers in botnets.
The vulnerability has been used to deploy a variety of malware, including:
- GOREVERSE: A reverse proxy server used to connect compromised systems to a command-and-control (C2) server.
- SideWalk: A Linux backdoor linked to the APT41 hacking group (a Chinese state-sponsored group) that uses advanced encryption techniques for data exfiltration and maintaining persistence.
- JenX: A variant of the Mirai botnet, used for distributed denial-of-service (DDoS) attacks.
- Condi Botnet: Another DDoS botnet used by attackers.
- Cryptocurrency Miners: Tools like XMRig that hijack system resources to mine cryptocurrency.
The attacks have concentrated on organizations in South America, Europe, and Asia, and have hit a wide range of sectors, including:
- IT service providers in India
- Government entities in Belgium
- Technology companies in the U.S.
- Telecommunications companies in Thailand and Brazil
The vulnerability affects GeoServer versions prior to 2.23.6, 2.24.4, and 2.25.2; older release branches (2.22 and earlier) received no fix and must be upgraded to one of the maintained branches. The GeoServer project published its advisory and the patched releases on July 1, 2024. Users are strongly encouraged to update to one of the fixed versions or later to mitigate the risk.
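The following is an added example, not code from the GeoServer project or from the original advisory. It encodes the two facts a responder needs from the text above: the first fixed release on each branch (2.23.6, 2.24.4, 2.25.2) and the stopgap of removing gt-complex-x.y.jar. The helper that inspects a live install assumes the standard WAR layout (a WEB-INF/lib directory containing gs-main-<version>.jar and the GeoTools gt-*.jar files); all version strings and jar listings used for the demonstration are constructed sample input.

```python
"""Offline exposure check for CVE-2024-36401 (example code, not GeoServer's own).

Two checks are combined:
  1. is the installed version older than the fixed release on its branch?
  2. is gt-complex-x.y.jar still present (i.e. the interim mitigation not applied)?
"""
import re
from pathlib import Path

# First fixed release on each maintained branch, per the July 1, 2024 advisory.
FIXED = {(2, 23): (2, 23, 6), (2, 24): (2, 24, 4), (2, 25): (2, 25, 2)}

# Matches the GeoTools jar the advisory tells you to remove as a stopgap,
# e.g. gt-complex-31.2.jar (the GeoTools version number varies per branch).
GT_COMPLEX_RE = re.compile(r"^gt-complex-[\d.]+(-[\w.]+)?\.jar$")


def parse_version(text):
    """Turn '2.24.3' or '2.25.2-SNAPSHOT' into a (major, minor, patch) tuple."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised GeoServer version: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version):
    """True when the version predates the fixed release on its branch.

    Branches newer than 2.25 were cut after the fix landed, so they are safe.
    Branches older than 2.23 never received a fix, so every release on them
    counts as vulnerable regardless of patch level.
    """
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED:
        return v < FIXED[branch]
    return branch < (2, 23)


def gt_complex_jars(lib_names):
    """Return the gt-complex jar names found in a WEB-INF/lib listing.

    An empty result means the advisory's jar-removal mitigation is in place.
    """
    return sorted(n for n in lib_names if GT_COMPLEX_RE.match(n))


def assess(version, lib_names):
    """Combine both checks into one verdict string for the operator."""
    if not is_vulnerable(version):
        return "patched"
    jars = gt_complex_jars(lib_names)
    if jars:
        return "VULNERABLE: upgrade, or remove " + ", ".join(jars) + " as a stopgap"
    return "mitigated: gt-complex removed, but upgrade to a fixed release"


def scan_webapp(webapp_dir):
    """Assess a real install. Assumes the standard WAR layout, where the
    GeoServer version can be read from the gs-main-<version>.jar file name."""
    lib = Path(webapp_dir) / "WEB-INF" / "lib"
    names = [p.name for p in lib.iterdir()]
    gs_main = [n for n in names if n.startswith("gs-main-") and n.endswith(".jar")]
    if not gs_main:
        raise FileNotFoundError(f"no gs-main-*.jar under {lib}; is this the GeoServer webapp?")
    version = gs_main[0][len("gs-main-"):-len(".jar")]
    return version, assess(version, names)


if __name__ == "__main__":
    # Constructed sample listings standing in for real WEB-INF/lib contents.
    unpatched_lib = ["gs-main-2.24.3.jar", "gt-main-30.3.jar", "gt-complex-30.3.jar"]
    mitigated_lib = ["gs-main-2.24.3.jar", "gt-main-30.3.jar"]
    for ver, lib in [("2.24.3", unpatched_lib), ("2.24.3", mitigated_lib),
                     ("2.24.4", unpatched_lib), ("2.22.5", unpatched_lib)]:
        print(f"GeoServer {ver}: {assess(ver, lib)}")
```

Run `scan_webapp("/opt/tomcat/webapps/geoserver")` (path is an assumption) to check a deployed instance; note that a "mitigated" verdict is only a stopgap, since the page's guidance is to move to a fixed release.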
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-36401 to its Known Exploited Vulnerabilities (KEV) catalog on July 15, 2024.