CVE-2023-25157
Published 2023-02-21
CVE-2023-25157: GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. GeoServer includes support for the OGC Filter…
Priority: P1 91 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 85.25% (99.7th percentile)
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. GeoServer includes support for the OGC Filter expression language and the OGC Common Query Language (CQL) as part of the Web Feature Service (WFS) and Web Map Service (WMS) protocols. CQL is also supported through the Web Coverage Service (WCS) protocol for ImageMosaic coverages. Users are advised to upgrade to either version 2.21.4, or version 2.22.2 to resolve this issue. Users unable to upgrade should disable the PostGIS DataStore *encode functions* setting to mitigate ``strEndsWith``, ``strStartsWith`` and ``PropertyIsLike`` misuse and enable the PostGIS DataStore *preparedStatements* setting to mitigate the ``FeatureId`` misuse.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| geoserver | geoserver | < 2.21.4 | 2.21.4 |
| geoserver | geoserver | — | — |
| osgeo | geoserver | < 2.18.7 | 2.18.7 |
| osgeo | geoserver | >= 2.19.0 < 2.19.7 | 2.19.7 |
| osgeo | geoserver | >= 2.20.0 < 2.20.7 | 2.20.7 |
| osgeo | geoserver | >= 2.21.0 < 2.21.4 | 2.21.4 |
| osgeo | geoserver | >= 2.22.0 < 2.22.2 | 2.22.2 |
Detection & IOCs (extracted from sources)
URL: /geoserver/ows?service=WFS&version=1.0.0&request=GetFeature&typeName={{name}}&CQL_FILTER=strStartswith({{column}},%27%27%27%27)=true
- Detect exploitation attempts via the CQL_FILTER parameter using strStartsWith, strEndsWith, or PropertyIsLike with SQL injection payloads in GeoServer WFS/WMS/WCS endpoints
- Detect exploitation attempts via the FeatureId parameter in GeoServer OGC Filter requests; enable preparedStatements to mitigate
- Alert on HTTP responses from GeoServer OGC endpoints containing 'SQL SELECT' in the body, which indicates a SQL injection error response leaking query structure
- Hunt for scheduled task creation named 'Windows.Gaming.Preview' running every three minutes as a VenomRAT persistence indicator
- Hunt for a process named 'Windows.Gaming.Preview' on Windows endpoints as an indicator of VenomRAT execution
- Detect VenomRAT C2 commands in network traffic: plu_gin, HVNCStop, loadofflinelog, save_Plugin, runningapp, keylogsetting, init_reg, Po_ng, filterinfo
- Use Shodan/FOFA queries to identify exposed GeoServer instances for proactive patching: title:"geoserver" or app="geoserver"
- Note: the Server_certificate field in the VenomRAT config is truncated; the full certificate value was not published, limiting TLS-based C2 fingerprinting
- Note: the Nuclei detection template triggers on 'SQL SELECT' in the response body, which requires the backend to be PostGIS; non-PostGIS GeoServer deployments may not produce this error string
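The first two detection ideas in this list can be checked mechanically against web-server access logs. The script below is an added example written for this page; it is not code from GeoServer, from the Nuclei template or from any of the cited sources. It parses constructed access-log lines, extracts the CQL_FILTER and featureId parameters of requests to OGC endpoints, and flags the filters the advisory names (strStartsWith, strEndsWith, and LIKE/ILIKE, which is assumed here to be the CQL text spelling of PropertyIsLike) only when their string literals carry tokens an ordinary client has no reason to send: a doubled quote as in the IOC URL above, a SQL comment marker, or a statement separator. featureId values are checked against the plain `<layer>.<id>` shape. The host name `geoserver.local`, the IP addresses and all log lines are constructed sample data.

```python
from __future__ import annotations

import re
from urllib.parse import parse_qs, urlparse

# CQL functions the advisory names as injection sinks when PostGIS "encode functions" is on.
RISKY_FUNCS = re.compile(r"\b(strStartsWith|strEndsWith)\s*\(", re.IGNORECASE)
# Assumption: clients express the PropertyIsLike filter as LIKE / ILIKE in CQL text.
RISKY_LIKE = re.compile(r"\bI?LIKE\b", re.IGNORECASE)
# Tokens a normal client never needs inside a string literal: a doubled quote
# (the pattern in the IOC URL above), SQL comment markers, or a statement separator.
SUSPICIOUS = re.compile(r"''|--|/\*|;")
# Well-formed GeoServer feature ids look like <layer>.<number>, e.g. states.12
FEATURE_ID_OK = re.compile(r"^[A-Za-z0-9_:.\-]+$")
OGC_ENDPOINT = re.compile(r"/(ows|wfs|wms|wcs)$", re.IGNORECASE)
REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def inspect_request(url: str) -> list[str]:
    """Findings for one request URL; an empty list means nothing was flagged."""
    parsed = urlparse(url)
    if not OGC_ENDPOINT.search(parsed.path):
        return []
    # OGC parameter names are case-insensitive, so fold them before lookup.
    params = {k.lower(): v for k, v in parse_qs(parsed.query, keep_blank_values=True).items()}
    findings: list[str] = []
    for cql in params.get("cql_filter", []):
        if (RISKY_FUNCS.search(cql) or RISKY_LIKE.search(cql)) and SUSPICIOUS.search(cql):
            findings.append(f"CQL_FILTER uses a risky filter with SQL-like tokens: {cql!r}")
    for raw in params.get("featureid", []):
        for fid in raw.split(","):
            if not FEATURE_ID_OK.match(fid):
                findings.append(f"featureId is not a plain <layer>.<id> token: {fid!r}")
    return findings


def scan_access_log(lines: list[str]) -> list[tuple[int, str]]:
    """Run inspect_request over Apache/Nginx style access-log lines; returns (line number, finding)."""
    hits: list[tuple[int, str]] = []
    for lineno, line in enumerate(lines, start=1):
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        # The scheme and host are placeholders; only path and query matter here.
        for finding in inspect_request("http://geoserver.local" + m.group(1)):
            hits.append((lineno, finding))
    return hits


# Constructed sample log lines (not real traffic). Lines 1, 2 and 5 are benign;
# line 3 mirrors the IOC URL above, line 4 carries a malformed featureId.
SAMPLE_LOG = [
    '203.0.113.10 - - [21/Feb/2023:10:00:01 +0000] "GET /geoserver/ows?service=WFS&version=1.0.0&request=GetFeature&typeName=topp:states&CQL_FILTER=strStartsWith(STATE_NAME,%27New%27)=true HTTP/1.1" 200 5120',
    '203.0.113.10 - - [21/Feb/2023:10:00:02 +0000] "GET /geoserver/ows?service=WFS&version=1.0.0&request=GetFeature&typeName=topp:states&CQL_FILTER=STATE_NAME%20LIKE%20%27New%25%27 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [21/Feb/2023:10:00:03 +0000] "GET /geoserver/ows?service=WFS&version=1.0.0&request=GetFeature&typeName=topp:states&CQL_FILTER=strStartswith(STATE_NAME,%27%27%27%27)=true HTTP/1.1" 500 812',
    '198.51.100.7 - - [21/Feb/2023:10:00:04 +0000] "GET /geoserver/ows?service=WFS&version=1.0.0&request=GetFeature&typeName=topp:states&featureId=states.1%27 HTTP/1.1" 500 812',
    '203.0.113.11 - - [21/Feb/2023:10:00:05 +0000] "GET /geoserver/web/ HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for lineno, finding in scan_access_log(SAMPLE_LOG):
        print(f"line {lineno}: {finding}")
```

The rule deliberately keys on quote doubling and comment markers inside a literal rather than on the function names alone, because strStartsWith, strEndsWith and LIKE appear in legitimate map-client traffic; pairing a hit with a 500 status or with the 'SQL SELECT' response body from the third detection item above raises confidence further. Workspace-qualified endpoints (`/geoserver/<workspace>/ows`) are covered by the trailing-segment match.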
CVSS provenance
- NVD (CVSS v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- VulnCheck: 9.8 CRITICAL
OSV
osv · 2023-02-22 · CVE-2023-25157 [CRITICAL] GeoServer OGC Filter SQL Injection Vulnerabilities
### Impact
GeoServer includes support for the OGC Filter expression language and the OGC Common Query Language (CQL) as part of the Web Feature Service (WFS) and Web Map Service (WMS) protocols. CQL is also supported through the Web Coverage Service (WCS) protocol for ImageMosaic coverages.
SQL Injection Vulnerabilities have been found with:
* ``PropertyIsLike`` filter, when used with a String field and any database DataStore, or with a PostGIS DataStore with encode functions enabled
* ``strEndsWith`` function, when used with a PostGIS DataStore with encode functions enabled
* ``strStartsWith`` function, when used with a PostGIS DataStore with encode functions enabled
* ``FeatureId`` filter, when used with any database table having a S
GHSA
ghsa · 2023-02-22 · CVE-2023-25157 [CRITICAL] CWE-89 GeoServer OGC Filter SQL Injection Vulnerabilities
(Advisory text identical to the OSV entry above.)
VulnCheck
vulncheck · 2023 · CVSS 9.8 · CVE-2023-25157 [CRITICAL] OSGeo GeoServer Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
(Description identical to the NVD summary above.)
No detection rules found.
Nuclei
nuclei · CVSS 9.8 · CVE-2023-25157 [CRITICAL] GeoServer OGC Filter - SQL Injection
(Description identical to the NVD summary above.)
Dfir Report
blogs_dfir_report · 2023-12-18 · Lets Open(Dir) Some Presents: An Analysis of a Persistent Actor’s Activity
Bleepingcomputer
blogs_bleepingcomputer · 2023-09-20 · CVSS 9.8 · [CRITICAL]
## Fake WinRAR proof-of-concept exploit drops VenomRAT malware
By Bill Toulas
A hacker is spreading a fake proof-of-concept (PoC) exploit for a recently fixed WinRAR vulnerability on GitHub, attempting to infect downloaders with the VenomRAT malware.
The fake PoC exploit was spotted by Palo Alto Networks' Unit 42 team of researchers, who reported that the attacker uploaded the malicious code to GitHub on August 21, 2023.
The attack is no longer active, but it once again highlights the risks of sourcing PoCs from GitHub and running them without additional scrutiny to ensure they're safe.
## Spreading the WinRAR PoC
The fake PoC is for the CVE-2023-40477 vulnerability, an arbitrary code execution vulnerability that can be triggered when specially crafted RAR files are opened on WinRAR
Unit42
blogs_unit42 · 2023-09-19 · CVSS 9.8 · CVE-2023-40477 [CRITICAL]
## Fake CVE-2023-40477 Proof of Concept Leads to VenomRAT
## Executive Summary
Researchers should be aware of threat actors repurposing older proof of concept (PoC) code to quickly craft a fake PoC for a newly released vulnerability. On Aug. 17, 2023, the Zero Day Initiative publicly reported a remote code execution (RCE) vulnerability in WinRAR tracked as CVE-2023-40477. They had disclosed it to the vendor on June 8, 2023. Four days after the public reporting of CVE-2023-40477, an actor using an alias of whalersplonk committed a fake PoC script to their GitHub repository.
The fake PoC meant to exploit this WinRAR vulnerability was based on a publicly available PoC script that exploited a SQL injection vulnerability in an application called GeoServer, which is tracked as CVE-2023-25157. We analyzed the fake PoC script and all the links in the in
Unit42 (second copy of the same post)
blogs_unit42 · 2023-09-19 · CVSS 9.8 · CVE-2023-40477 [CRITICAL] Fake CVE-2023-40477 Proof of Concept Leads to VenomRAT
Author: Robert Falcone · Published: September 19, 2023
Tags: Malware, Threat Research, Vulnerabilities, CVE-2023-25157, CVE-2023-40477, Proof of Concept, Remote Access Trojan, Remote Code Execution, Social engineering, VenomRAT, WinRAR
(Executive summary identical to the Unit42 entry above.)
Greynoiseio
blogs_greynoiseio · NoiseLetter March 2026
References
- https://github.com/geoserver/geoserver/security/advisories/GHSA-7g5f-wrx8-5ccf
- https://github.com/geoserver/geoserver/commit/145a8af798590288d270b240235e89c8f0b62e1d