GeoServer flaw exploited in global malware campaigns - #CVE-2024-36401
A critical vulnerability in GeoServer, tracked as CVE-2024-36401 with a CVSS score of 9.8, has been actively exploited since its disclosure on June 30, 2024. The flaw allows unauthenticated remote code execution because property names are unsafely evaluated as XPath expressions. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities catalog and directed federal agencies to patch it by August 5.

Multiple threat actors have leveraged the vulnerability to deploy a range of malware, including botnets, cryptocurrency miners, and sophisticated backdoors attributed to the Chinese threat group APT41. The campaigns have had a significant global reach, hitting entities in the U.S., China, Germany, and other regions.

GeoServer maintainers have released patches that address the issue, and organizations are urged to update immediately to prevent exploitation; the breadth of the activity underscores the need for timely mitigation and robust security controls.
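The article notes that the root cause is property names being evaluated as XPath expressions. A defender who cannot patch immediately, or who wants to check for past abuse, can look for requests to GeoServer WFS endpoints whose property-name parameters are not plain attribute names. The following Python script is an added example written for this page, not code from the article or the GeoServer project; the log lines are constructed, and the parameter names it inspects (`propertyName`, `valueReference`) and the "simple attribute name" grammar are assumptions, so tune them to what your own feature types actually use.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jul/2024:10:15:02 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetFeature&typeNames=topp:states&valueReference=STATE_NAME HTTP/1.1" 200 4312 "-" "QGIS/3.34"
10.0.0.7 - - [01/Jul/2024:10:15:09 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetPropertyValue&typeNames=topp:states&valueReference=foo(bar) HTTP/1.1" 200 88 "-" "curl/8.4.0"
10.0.0.9 - - [01/Jul/2024:10:16:30 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Jul/2024:10:17:01 +0000] "POST /geoserver/wfs HTTP/1.1" 200 512 "-" "curl/8.4.0"
"""

# Request line inside a combined-format log entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Assumed grammar for a legitimate property reference: an optionally namespaced
# attribute name (e.g. STATE_NAME or topp:STATE_NAME), optionally path-like (a/b).
_NAME = r'[A-Za-z_][\w.\-]*(?::[A-Za-z_][\w.\-]*)?'
SIMPLE_NAME_RE = re.compile(rf'^{_NAME}(?:/{_NAME})*$')

# WFS 1.x and 2.0 parameter names that carry property references (assumed; lower-cased for matching)
PROPERTY_PARAMS = ("propertyname", "valuereference")


def is_simple_property(value):
    """True if the value looks like a plain attribute reference rather than an expression."""
    return SIMPLE_NAME_RE.match(value) is not None


def suspicious_property_values(line):
    """Return property-name values in a GeoServer GET request that are not plain attribute names."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    parts = urlsplit(m.group("target"))
    if "/geoserver/" not in parts.path.lower():
        return []
    # parse_qs percent-decodes values for us; property lists may be comma-separated
    params = parse_qs(parts.query, keep_blank_values=True)
    flagged = []
    for key, values in params.items():
        if key.lower() not in PROPERTY_PARAMS:
            continue
        for raw in values:
            for item in raw.split(","):
                item = item.strip()
                if item and not is_simple_property(item):
                    flagged.append(item)
    return flagged


def scan_log(text):
    """Return (line_number, flagged_values) pairs for entries that deserve analyst attention."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        values = suspicious_property_values(line)
        if values:
            hits.append((n, values))
    return hits


if __name__ == "__main__":
    for lineno, values in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: non-simple property reference(s): {values}")
```

Two caveats matter in practice: access logs only show the query string, so POST bodies (the fourth sample line) are invisible to this check and need request-body logging or a WAF to cover; and a strict allow-list of attribute names taken from your own layer schemas is a better long-term rule than the generic name grammar used here. Either way, this is a triage aid, not a substitute for applying the maintainers' patch.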