CISA Issues Warning on Active Exploitation of GeoServer GeoTools RCE Vulnerability

July 16, 2024

CISA has alerted about the active exploitation of a critical GeoServer GeoTools remote code execution vulnerability, identified as CVE-2024-36401. GeoServer is an open-source server widely used for sharing, processing, and editing geospatial data. The vulnerability was disclosed by GeoServer on June 30th, with a severity rating of 9.8, indicating its critical nature. The vulnerability stems from the unsafe evaluation of property names as XPath expressions in the GeoTools plugin.

As per the GeoServer advisory, "The GeoTools library API that GeoServer calls evaluates property/attribute names for feature types in a way that unsafely passes them to the commons-jxpath library which can execute arbitrary code when evaluating XPath expressions." This vulnerability affects all GeoServer instances as the XPath evaluation, meant only for complex feature types, is incorrectly applied to simple feature types as well.

While the vulnerability was not being exploited at the time of disclosure, researchers soon released proof-of-concept exploits that showcased how to perform remote code execution on exposed servers and open reverse shells, make outbound connections, or create a file in the /tmp folder. In response, GeoServer released patches in versions 2.23.6, 2.24.4, and 2.25.2, urging all users to upgrade. The developers also provided workarounds, but cautioned that these might disrupt some GeoServer functionality.

CISA included CVE-2024-36401 in its Known Exploited Vulnerabilities Catalog on July 9th, indicating its active exploitation. The agency required federal agencies to apply the patches by August 5, 2024. The threat monitoring service Shadowserver confirmed that it had observed active exploitation of the flaw starting from July 9th. Meanwhile, the OSINT search engine ZoomEye reported that around 16,462 GeoServer servers are exposed online, with the majority located in the US, China, Romania, Germany, and France.

While CISA's Known Exploited Vulnerabilities Catalog is primarily aimed at federal agencies, private organizations using GeoServer are also urged to prioritize patching this vulnerability to avoid potential attacks. Those who have not yet patched are advised to immediately upgrade to the latest version and conduct a thorough review of their systems and logs for possible compromise.
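As an added example (not part of the original article or of the GeoServer project), the following script triages an inventory of GeoServer version strings against the three fixed releases named above. It assumes that minor lines older than 2.23 never received a fix and that lines newer than 2.25 were released with the fix; host names in the sample are constructed.

```python
import re
from typing import List, Tuple

# First patched release of each maintained minor line, as listed in the
# GeoServer advisory quoted by the article.
FIXED_VERSIONS = {
    (2, 23): (2, 23, 6),
    (2, 24): (2, 24, 4),
    (2, 25): (2, 25, 2),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")

def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major.minor[.patch][-suffix]' into a comparable tuple.
    Suffixes such as '-SNAPSHOT' are ignored; a missing patch counts as 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GeoServer version: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)

def is_patched(version: str) -> bool:
    """True if this GeoServer version carries the CVE-2024-36401 fix.
    Assumptions not stated by the article: minor lines older than 2.23 never
    received a fix, and lines newer than 2.25 were released after it."""
    major, minor, patch = parse_version(version)
    line = (major, minor)
    if line in FIXED_VERSIONS:
        return (major, minor, patch) >= FIXED_VERSIONS[line]
    return line > max(FIXED_VERSIONS)

def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Label each (host, version) pair 'patched', 'vulnerable' or 'unknown'."""
    result = []
    for host, version in inventory:
        try:
            status = "patched" if is_patched(version) else "vulnerable"
        except ValueError:
            status = "unknown"  # unparsable banner: check by hand
        result.append((host, version, status))
    return result

if __name__ == "__main__":
    # Constructed sample inventory; the host names are not real.
    sample = [("gis-prod-01", "2.25.1"), ("gis-prod-02", "2.25.2"),
              ("gis-legacy", "2.22.5"), ("gis-dev", "2.26-SNAPSHOT"),
              ("gis-old", "2.23.5"), ("gis-unknown", "n/a")]
    for host, version, status in triage(sample):
        print(f"{host:12} {version:14} {status}")
```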
