LIVE NEWSROOM · --:-- · May 25, 2026

CVE-2024-36401: GeoServer RCE Exploited at US Federal Agency — CISA IR Lessons


A critical remote code execution vulnerability in GeoServer — tracked as CVE-2024-36401 (CVSS v3.1 score 9.8, rated Critical) — was exploited against a United States federal civilian executive branch (FCEB) agency, remaining undetected for approximately three weeks before the agency's endpoint detection and response (EDR) tool generated alerts. CISA advisory AA25-266A, published September 23, 2025, documents the engagement and extracts three lessons every organization running internet-facing services should act on immediately.

// 01 CVE-2024-36401: Technical Details

CVE-2024-36401 (CVSS v3.1 9.8 — Critical; remotely exploitable with no authentication or user interaction required) is a remote code execution vulnerability in GeoServer, an open-source Java-based server that allows organizations to share and edit geospatial data using open standards such as WMS (Web Map Service), WFS (Web Feature Service), and WCS (Web Coverage Service). GeoServer is widely deployed by government agencies, utilities, environmental organizations, and research institutions that publish geographic data over the web.

The root cause of CVE-2024-36401 is unsafe OGC filter evaluation (OGC, the Open Geospatial Consortium, is the standards body that defines GeoServer's query format). GeoServer's OGC filter evaluation passes property names through the OGCFilterTransformer, which evaluates them as XPath expressions using the GeoTools library. Because those property names come straight from the request, an unauthenticated attacker can send a crafted OGC request to any exposed GeoServer endpoint and have the server evaluate attacker-controlled expressions.

In plain terms: an attacker sends a specially crafted HTTP request to any public GeoServer endpoint, and the server executes the attacker's commands with the privileges of the GeoServer process. No login required. No interaction from a victim needed.

Affected versions are GeoServer prior to 2.23.6, 2.24.4, and 2.25.1. Patched versions were released in June 2024. The CVE was added to CISA's KEV (Known Exploited Vulnerabilities) catalog — the list maintained by the U.S. Cybersecurity and Infrastructure Security Agency confirming active exploitation in the wild — shortly after disclosure.
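The affected-version list above is easy to misread as a single "below 2.25.1" threshold, but each 2.x branch has its own first fixed release. The following is an added example (not code from CISA or the GeoServer project) that performs a branch-aware check; the fixed releases and the "no fix before 2.23" rule are taken from the paragraph above, while treating 2.26 and later and any non-2.x major as patched is an assumption.

```python
import re

# Constructed from the fixed releases named above: each 2.x branch has its own first
# patched release, and 2.22 and earlier never received a fix for CVE-2024-36401.
FIXED_PATCH_PER_BRANCH = {23: 6, 24: 4, 25: 1}
OLDEST_FIXED_BRANCH = min(FIXED_PATCH_PER_BRANCH)

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from a GeoServer version string such as '2.24.3'."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GeoServer version: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_vulnerable(version):
    """True when the version is below the fixed release of its own 2.x branch.

    A flat 'below 2.25.1' comparison gets this wrong: 2.24.3 sorts above 2.23.6
    but is still vulnerable, because the 2.24 branch was only fixed at 2.24.4.
    """
    major, minor, patch = parse_version(version)
    if major != 2:
        return major < 2  # assumption: 1.x predates any fix, later majors postdate it
    if minor < OLDEST_FIXED_BRANCH:
        return True  # 2.22 and earlier: no patched release exists, upgrade the branch
    if minor in FIXED_PATCH_PER_BRANCH:
        return patch < FIXED_PATCH_PER_BRANCH[minor]
    return False  # 2.26 and later were released after the fix


def triage(inventory):
    """Map each version string in an inventory list to 'VULNERABLE' or 'patched'."""
    return {v: ("VULNERABLE" if is_vulnerable(v) else "patched") for v in inventory}


if __name__ == "__main__":
    for version, verdict in triage(["2.22.5", "2.23.5", "2.24.3", "2.24.4", "2.25.1"]).items():
        print(f"{version:>8}  {verdict}")
```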

What Happened at the Federal Agency

Cyber threat actors exploited CVE-2024-36401 to gain initial access to a U.S. FCEB agency's GeoServer instance approximately three weeks before any alerts were generated. During that three-week window, the attackers:

  • Gained a second, separate initial access foothold on a different GeoServer instance via the same vulnerability — establishing redundant access in case the primary foothold was discovered
  • Moved laterally from the compromised GeoServer to at least two additional internal servers

The EDR (Endpoint Detection and Response — security software deployed on individual computers that monitors for malicious behavior) eventually generated alerts that prompted the agency to contact CISA. CISA conducted the incident response engagement and found the attackers had been resident in the network for weeks before detection.

// 02 Who Is Affected

GeoServer is deployed in:

  • Government agencies at federal, state, and local levels (geographic data for planning, emergency management, infrastructure mapping)
  • Utilities (electrical, water, gas — infrastructure mapping)
  • Universities and research institutions
  • Environmental and conservation organizations
  • Any organization that publishes open geospatial data over a web interface

A 2024 Shodan scan (Shodan is a search engine that indexes internet-connected devices and services) found thousands of publicly accessible GeoServer instances. Organizations that have not patched to GeoServer 2.23.6, 2.24.4, or 2.25.1 and whose GeoServer is accessible from the internet should treat their systems as potentially compromised regardless of whether they have observed alerts.

// 03 Three Lessons CISA Extracted from the Engagement

CISA was explicit: this advisory exists not just to document one breach, but to prevent others. The three lessons apply broadly to any organization operating internet-facing services.

Lesson 1: Vulnerabilities Were Not Promptly Remediated

The GeoServer instance at the affected agency had a known, publicly disclosed vulnerability with a CVSS score of 9.8 (rated Critical, the highest severity band) for which a patch had been available for an extended period before exploitation. Prompt patch application for internet-facing services, particularly those with Critical CVSS scores, is the single most effective control available.

The lesson is not simply "patch faster" — it is that internet-facing services must be in a separate, prioritized patching tier. An internal application on a private network with a CVSS 9.8 vulnerability is serious. The same vulnerability on a public-facing server is an imminent breach waiting to be executed.

Lesson 2: The Incident Response Plan Was Not Tested

When the EDR alerts finally triggered, the agency's incident response plan had not been exercised. Untested IR plans create confusion, slow down containment, and allow attackers more time inside the network. A plan that exists in a document but has never been practiced is not a security control — it is a false comfort.

CISA specifically recommends tabletop exercises (structured walkthroughs of simulated incidents where the IR team talks through their response step by step) and functional exercises (hands-on simulations using real tools in a test environment). These should be conducted at minimum annually, with critical-infrastructure organizations doing them quarterly.

Lesson 3: EDR Alerts Were Not Continuously Reviewed

The attackers had three weeks inside the network before EDR alerts were noticed. This is not a failure of the EDR technology — it is a failure of the process that determines who reviews EDR alerts, how often, and with what response time commitment.

This pattern is well-documented in breach post-mortems: attackers frequently trigger EDR or SIEM (Security Information and Event Management) alerts during their intrusion, but those alerts go unreviewed for days or weeks because teams are understaffed, alert queues are too long, or the alerts are deprioritized.

Some of the agency's public-facing systems also lacked endpoint protection entirely, a gap that allowed the servers reached by lateral movement to be compromised without generating any endpoint telemetry.

// 04 Exploitation Status and Threat Landscape

CVE-2024-36401 was actively exploited by multiple threat actors upon disclosure, including Volt Typhoon (a China-nexus APT focused on critical infrastructure) and criminal ransomware affiliates. The GeoServer vulnerability's combination of zero-authentication, maximum CVSS score, and widespread deployment in government and critical infrastructure made it a priority target.

The CISA advisory does not attribute the federal agency breach to a specific threat actor, focusing instead on the defender lessons rather than the attacker identity. Given the GeoServer deployment profile (government geographic data), the context is consistent with nation-state intelligence collection targeting.

// 05 What You Should Do Right Now

  • Check your GeoServer version immediately: In the GeoServer admin UI, the version is displayed in the top-right corner. Any version below 2.23.6, 2.24.4, or 2.25.1 is vulnerable.

    # If GeoServer runs as a service, check the WAR or JAR version (missing directories are ignored):
    find /opt/geoserver /var/lib/geoserver -name '*.jar' -exec ls -la {} + 2>/dev/null | grep -i geoserver
  • Apply patches: Download patched releases from the official GeoServer GitHub releases page. Test in a staging environment, then deploy to production. If you cannot patch immediately, restrict access to the GeoServer admin interface and OGC endpoints via IP allowlist.
  • Conduct a threat hunt: If your GeoServer was internet-accessible and unpatched, assume compromise. Review:
      • Web server access logs for unusual OGC filter query strings
      • Outbound network connections from the GeoServer host (unexpected destinations, unusual ports)
      • New files or scheduled tasks created on the GeoServer host
      • Lateral movement indicators on adjacent servers
  • Audit EDR coverage: Identify any internet-facing servers lacking endpoint protection. Add coverage before patching is complete — EDR is a compensating control when patches cannot be applied immediately.
  • Establish an EDR alert review SLA: Define who reviews alerts, how often, and what the maximum response time is for Critical vs. High severity alerts. If the queue is too long for the team to review within 24 hours, reduce alert noise or increase staffing.
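For the access-log review in the threat-hunt step above, the following is an added example (not code from CISA or the GeoServer project) that parses combined-format web server logs and flags WFS/WMS requests whose propertyName or valueReference values contain anything beyond a plain QName path, which is the shape a legitimate property reference takes. The parameter names and endpoint suffixes are standard OGC ones; the sample log lines are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Combined-format access log line: client, timestamp, request line, status, bytes.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')
# WFS/WMS parameters that name feature properties, the values GeoServer evaluates as
# XPath. A legitimate value is a plain QName path ("STATE_NAME", "ns:attr", "@gml:id",
# "geom/gml:pos"); function-call syntax or quoting in these parameters is suspect.
PROPERTY_PARAMS = {"propertyname", "valuereference"}
QNAME_PATH_RE = re.compile(r"^[\w:@./-]*$")
OGC_ENDPOINTS = ("/wfs", "/wms", "/wcs", "/ows")

def suspicious_params(query):
    """Return (param, item) pairs whose property expressions are not plain QName paths."""
    hits = []
    for name, values in parse_qs(query, keep_blank_values=True).items():
        if name.lower() not in PROPERTY_PARAMS:
            continue
        for value in values:
            for item in value.split(","):  # one parameter may list several properties
                if not QNAME_PATH_RE.match(item.strip()):
                    hits.append((name, item.strip()))
    return hits

def hunt(log_lines):
    """Return one finding per OGC request whose property parameters look like code."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        client, stamp, _method, target, status = m.groups()
        parts = urlsplit(target)
        if not parts.path.lower().endswith(OGC_ENDPOINTS):
            continue
        hits = suspicious_params(parts.query)
        if hits:
            findings.append({"client": client, "time": stamp, "status": status, "hits": hits})
    return findings

# Constructed sample lines (not real traffic): a normal GetFeature, one carrying a
# function expression in valueReference, and an unrelated admin-UI request.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jun/2024:10:00:01 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0'
    '&request=GetFeature&typeNames=topp:states&propertyName=STATE_NAME,the_geom HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jun/2024:10:00:07 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0'
    '&request=GetFeature&typeNames=topp:states&valueReference=fn(%27constructed%27) HTTP/1.1" 200 340',
    '198.51.100.2 - - [01/Jun/2024:10:01:00 +0000] "GET /geoserver/web/ HTTP/1.1" 200 9000',
]
```

Requests sent as XML POST bodies do not appear in the query string, so pair this with GeoServer's own request logging or a WAF that records bodies if you need that coverage.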

// 06 Background: Understanding the Risk

GeoServer sits at an interesting intersection of risk factors: it is open-source software with broad adoption, often maintained by small IT teams without dedicated security staff, deployed in government agencies whose infrastructure data has intelligence value, and commonly internet-facing to serve public map data.

The OGC filter evaluation class of vulnerability — where query evaluation logic is insufficiently sandboxed — has appeared in multiple geospatial and data processing platforms. Similar RCE vulnerabilities have affected GeoTools (the underlying library), Elasticsearch, Solr, and other platforms that evaluate complex query expressions server-side. The common thread: any platform that parses and executes user-supplied expressions needs to carefully sandbox that evaluation to prevent code execution.

The CVE-2024-36401 disclosure and patch were followed by rapid public PoC (Proof-of-Concept — working exploit code released publicly) release, which reduced the time defenders had to patch before attacks began. By the time CISA documented this federal breach, exploit code had been publicly available for months.

// 07 Conclusion

CVE-2024-36401 (CVSS 9.8) in GeoServer enabled a threat actor to access a U.S. federal agency's network for three undetected weeks. CISA AA25-266A distills the incident into three actionable lessons: patch internet-facing services promptly, test your incident response plan before an incident happens, and ensure EDR alerts are reviewed continuously. Organizations still running unpatched GeoServer should treat this as an active emergency — not a future to-do.


    Team Ciphers Security

    The Ciphers Security editorial team: practitioners covering daily threat intel, CVE deep-dives, and hands-on cybersecurity research.
