cbcvebase.
CVE-2023-25157
published 2023-02-21


Priority: P1 · 91 · critical
CVSS 3.1 base score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ITW exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 85.25% (99.7th percentile)
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. GeoServer includes support for the OGC Filter expression language and the OGC Common Query Language (CQL) as part of the Web Feature Service (WFS) and Web Map Service (WMS) protocols. CQL is also supported through the Web Coverage Service (WCS) protocol for ImageMosaic coverages. Users are advised to upgrade to either version 2.21.4 or version 2.22.2 to resolve this issue. Users unable to upgrade should disable the PostGIS Datastore *encode functions* setting to mitigate ``strEndsWith``, ``strStartsWith`` and ``PropertyIsLike`` misuse, and enable the PostGIS DataStore *preparedStatements* setting to mitigate the ``FeatureId`` misuse.

Affected

7 ranges
Vendor      Product     Version range           Fixed in
geoserver   geoserver   < 2.21.4                2.21.4
geoserver   geoserver
osgeo       geoserver   < 2.18.7                2.18.7
osgeo       geoserver   >= 2.19.0, < 2.19.7     2.19.7
osgeo       geoserver   >= 2.20.0, < 2.20.7     2.20.7
osgeo       geoserver   >= 2.21.0, < 2.21.4     2.21.4
osgeo       geoserver   >= 2.22.0, < 2.22.2     2.22.2

Detection & IOCs (extracted from sources)

domain    checkblacklistwords[.]eu
url       checkblacklistwords[.]eu/c.txt
url       checkblacklistwords[.]eu/words.txt
url       http://checkblacklistwords[.]eu/list.txt
path      %TEMP%/bat.bat
path      %TEMP%\c.ps1
path      %APPDATA%\Drivers\Windows.Gaming.Preview.exe
filename  Windows.Gaming.Preview.exe
mutex     fqziwqjwgwzscvfy
version   Venom RAT + HVNC + Stealer + Grabber v6.0.3
other     Scheduled task: Windows.Gaming.Preview (runs every 3 minutes)
url       /geoserver/ows?service=WFS&version=1.0.0&request=GetFeature&typeName={{name}}&CQL_FILTER=strStartswith({{column}},%27%27%27%27)=true
other     Server_signa_ture = TtHk/GR7jC2p75o/t7g/BLsDYghocYu2
  • Detect exploitation attempts via CQL_FILTER parameter using strStartsWith, strEndsWith, or PropertyIsLike with SQL injection payloads in GeoServer WFS/WMS/WCS endpoints
  • Detect exploitation attempts via FeatureId parameter in GeoServer OGC Filter requests; enable preparedStatements to mitigate
  • Alert on HTTP responses from GeoServer OGC endpoints containing 'SQL SELECT' in the body, which indicates a SQL injection error response leaking query structure
  • Hunt for scheduled task creation named 'Windows.Gaming.Preview' running every three minutes as a VenomRAT persistence indicator
  • Hunt for process named 'Windows.Gaming.Preview' on Windows endpoints as an indicator of VenomRAT execution
  • Detect VenomRAT C2 commands in network traffic: plu_gin, HVNCStop, loadofflinelog, save_Plugin, runningapp, keylogsetting, init_reg, Po_ng, filterinfo
  • Use Shodan/FOFA queries to identify exposed GeoServer instances for proactive patching: title:"geoserver" or app="geoserver"
  • The Server_certificate field in the VenomRAT config is truncated; the full certificate value was not published, limiting TLS-based C2 fingerprinting
  • The Nuclei detection template triggers on 'SQL SELECT' in the response body, which requires the backend to be PostGIS; non-PostGIS GeoServer deployments may not produce this error string
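The first two detection bullets above describe request-side indicators: CQL functions (strStartsWith, strEndsWith, PropertyIsLike) carrying quote characters in the CQL_FILTER parameter, and quote or comment characters in the FeatureId parameter. The following is an added example, not code from the page or from the GeoServer project, that applies those checks to web-server access log lines. The log format, the sample lines and the IP addresses are constructed for the example; the probe line reuses the CQL_FILTER pattern listed in the IOCs above with the {{name}} and {{column}} placeholders filled with GeoServer's demo layer names.

```python
"""Flag GeoServer OGC requests whose filter parameters match the
CVE-2023-25157 probe pattern. Added example; assumptions are labelled."""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# CQL functions and filter parameters named in the advisory.
SUSPECT_FUNCS = ("strstartswith", "strendswith", "propertyislike")
FILTER_PARAMS = ("cql_filter", "filter", "featureid")

# Combined log format (assumed): ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


def decode_fully(value):
    """Percent-decode until stable, so double-encoded %2527 still becomes a quote."""
    prev = None
    while value != prev:
        prev, value = value, unquote_plus(value)
    return value


def classify_request(path):
    """Return a list of human-readable findings for one request path."""
    findings = []
    if "/geoserver/" not in path.lower():
        return findings
    params = parse_qs(urlsplit(path).query, keep_blank_values=True)
    for key, values in params.items():
        k = key.lower()
        if k not in FILTER_PARAMS:
            continue
        for raw in values:
            v = decode_fully(raw).lower()
            if k == "featureid" and any(tok in v for tok in ("'", ";", "--")):
                # Advisory: FeatureId misuse, mitigated by preparedStatements.
                findings.append(f"{key}: quote/comment in FeatureId")
            for fn in SUSPECT_FUNCS:
                # A CQL function call with embedded quotes is the probe shape;
                # a plain quoted literal such as name='Paris' is left alone.
                if fn in v and "'" in v:
                    findings.append(f"{key}: {fn} with quote characters")
    return findings


def scan_access_log(lines):
    """Run classify_request over log lines; return one record per suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = classify_request(m.group("path"))
        if findings:
            hits.append({"ip": m.group("ip"), "status": m.group("status"),
                         "path": m.group("path"), "findings": findings})
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2023:10:00:01 +0000] "GET /geoserver/wms?service=WMS&request=GetCapabilities HTTP/1.1" 200 5120',
    '203.0.113.5 - - [10/Mar/2023:10:00:02 +0000] "GET /geoserver/ows?service=WFS&version=1.0.0&request=GetFeature&typeName=topp:states&CQL_FILTER=STATE_NAME=%27Illinois%27 HTTP/1.1" 200 8812',
    '198.51.100.23 - - [10/Mar/2023:10:05:44 +0000] "GET /geoserver/ows?service=WFS&version=1.0.0&request=GetFeature&typeName=topp:states&CQL_FILTER=strStartswith(STATE_NAME,%27%27%27%27)=true HTTP/1.1" 500 431',
    '198.51.100.23 - - [10/Mar/2023:10:05:45 +0000] "GET /geoserver/ows?service=WFS&version=1.0.0&request=GetFeature&typeName=topp:states&featureId=states.1%27 HTTP/1.1" 500 402',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit["ip"], hit["status"], "; ".join(hit["findings"]))
```

The second sample line shows why the check keys on a function name plus a quote rather than on quotes alone: an ordinary CQL equality against a string literal is legitimate traffic. Pair request-side hits with the 'SQL SELECT' response-body indicator from the bullets above where the backend is PostGIS; on other datastores only the request-side signal is available.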

CVSS provenance

nvd         v3.1   9.8   CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck          9.8   CRITICAL