Hackers Actively Exploiting GeoServer RCE Flaw, 6635 Servers Vulnerable

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer


A critical vulnerability in GeoServer, an open-source, Java-based server for publishing and editing geospatial data, has put thousands of internet-exposed servers at risk.

The flaw, CVE-2024-36401, allows unauthenticated users to execute remote code, posing a significant threat to global geospatial data infrastructures.

A recent post from The Shadowserver Foundation reported that its internet-wide scans found roughly 6,635 GeoServer instances still vulnerable to CVE-2024-36401.

CVE-2024-36401 Vulnerability Details

According to the project's GitHub security advisory, GeoServer is widely used for viewing, editing, and sharing geospatial data from many sources, including GIS databases and web-based data. The vulnerability affects all versions earlier than 2.23.6, versions 2.24.0 through 2.24.3, and versions 2.25.0 and 2.25.1.


The issue stems from GeoServer calling the GeoTools library API in a way that unsafely evaluates property (attribute) names as XPath expressions in multiple OGC request parameters, including for simple feature types where no XPath evaluation should happen at all. Because the XPath engine involved (Apache commons-jxpath) can invoke Java methods from inside an expression, a field that should only ever hold an attribute name becomes a place to put code. The advisory lists WFS GetFeature and GetPropertyValue, WMS GetMap, GetFeatureInfo and GetLegendGraphic, and WPS Execute among the affected request types.

Exploitation and Impact

Attackers exploit this flaw by sending a crafted OGC request, as a GET query string or a POST body, in which a property-name parameter (for example the WFS valueReference or propertyName) carries an XPath expression that calls Java methods instead of a plain attribute name. The result is arbitrary command execution with the privileges of the GeoServer process: root only where the server has been deployed as root, but a complete takeover of the geospatial service either way.

Such an exploit grants attackers full control over the affected server, allowing them to manipulate, steal, or destroy critical geospatial data and to use the host as a foothold into the surrounding network. The Shadowserver Foundation's scans identified approximately 6,635 internet-exposed GeoServer instances worldwide that are vulnerable to this exploit.

The potential impact is vast, affecting sectors that rely heavily on geospatial data, including urban planning, environmental monitoring, and emergency response.

The GeoServer development team has acknowledged the vulnerability and released patches to address the issue. Users are urged to update their GeoServer installations immediately; the patched versions are 2.23.6, 2.24.4, and 2.25.2. Where patching cannot happen right away, the advisory's documented workaround is to remove the gt-complex-x.y.jar file (x.y being the bundled GeoTools version) from GeoServer's WEB-INF/lib directory, which removes the vulnerable code path but may break functionality, or prevent GeoServer from deploying, for extensions that depend on the gt-complex module.

In addition to updating, administrators should review web server and GeoServer access logs for OGC requests whose property-name parameters contain Java class names or method-call syntax rather than plain attribute names, and treat any such hit on a server that was unpatched at the time as a probable compromise rather than a mere scan. They should also consider additional measures such as placing GeoServer behind an authenticating reverse proxy, network segmentation, and intrusion detection rules for this request pattern.
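The version check and the log review described above, as an added example in Python (not code from the GeoServer project or from this article): `is_affected` tests a GeoServer version string against the affected ranges from the advisory, and `scan_access_log` and `scan_request_body` flag OGC requests whose property-name parameters contain Java class names or method calls, the shape this flaw's payloads take because of the JXPath evaluation. The parameter list `PROPERTY_PARAMS`, the access-log lines and the POST body are constructed assumptions for illustration; `valueReference` and `propertyName` are the well-known vectors.

```python
"""Triage helpers for CVE-2024-36401 (GeoServer XPath property-name RCE).

Added example, not code from the GeoServer project or from the article.
  * is_affected(version): is this GeoServer version inside the advisory's
    affected ranges?
  * scan_access_log(lines) / scan_request_body(xml): which OGC requests carry
    JXPath function-call syntax where a plain attribute name belongs?
The sample log lines and sample POST body below are constructed, not captured.
"""
import html
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Affected half-open ranges [lo, hi): hi is the first fixed release per branch.
AFFECTED_RANGES = (
    ((0, 0, 0), (2, 23, 6)),
    ((2, 24, 0), (2, 24, 4)),
    ((2, 25, 0), (2, 25, 2)),
)

# Parameters GeoServer hands to the property-name evaluator (assumed list;
# valueReference and propertyName are the best-known vectors). Matching does
# not depend on this list; it only labels a finding as a known vector.
PROPERTY_PARAMS = {"valuereference", "propertyname", "sortby"}

# A fully qualified Java class name or a method call such as exec(...) has no
# place in a feature attribute name; under JXPath it is executable.
JXPATH_CALL = re.compile(
    r"\bjavax?\.\w+\.|\b(?:exec|getRuntime|newInstance|forName|loadClass)\s*\(",
    re.IGNORECASE,
)
LOG_REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Element text (<wfs:PropertyName>, <fes:ValueReference>) or the WFS 2.0
# GetPropertyValue valueReference attribute.
XML_PROPERTY = re.compile(
    r"<(?:\w+:)?(?:PropertyName|ValueReference)[^>]*>([^<]*)<"
    r"|valueReference\s*=\s*[\"']([^\"']*)[\"']",
    re.IGNORECASE,
)


def parse_version(text):
    """'2.24.3' -> (2, 24, 3); a missing patch component counts as 0."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised GeoServer version: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(version):
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def scan_access_log(lines):
    """One finding per suspicious query parameter in combined-format log lines.
    Only the URL is visible here; POST bodies are not logged by default."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_REQUEST.search(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            # parse_qsl decoded once; decoding again exposes double encoding.
            decoded = unquote_plus(value)
            if JXPATH_CALL.search(decoded):
                findings.append({
                    "line": lineno,
                    "client": line.split()[0],
                    "param": name,
                    "value": decoded,
                    "known_vector": name.lower() in PROPERTY_PARAMS,
                })
    return findings


def scan_request_body(xml_text):
    """Property names in a WFS XML body that look like JXPath code."""
    hits = []
    for element_text, attribute_text in XML_PROPERTY.findall(xml_text):
        value = html.unescape(element_text or attribute_text).strip()
        if JXPATH_CALL.search(value):
            hits.append(value)
    return hits


SAMPLE_LOG = [  # constructed; 203.0.113.0/24 and 198.51.100.0/24 are doc ranges
    '203.0.113.7 - - [02/Jul/2024:10:15:02 +0000] "GET /geoserver/wfs?service=WFS'
    '&version=2.0.0&request=GetPropertyValue&typeNames=sf:archsites'
    '&valueReference=exec(java.lang.Runtime.getRuntime(),%27id%27) HTTP/1.1" 200 512',
    '198.51.100.4 - - [02/Jul/2024:10:15:09 +0000] "GET /geoserver/wfs?service=WFS'
    '&version=1.1.0&request=GetFeature&typeName=topp:states&propertyName=STATE_NAME'
    ' HTTP/1.1" 200 8831',
]
SAMPLE_POST = """<wfs:GetFeature service="WFS" version="1.1.0"
    xmlns:wfs="http://www.opengis.net/wfs">
  <wfs:Query typeName="topp:states">
    <wfs:PropertyName>exec(java.lang.Runtime.getRuntime(),&apos;id&apos;)</wfs:PropertyName>
  </wfs:Query>
</wfs:GetFeature>"""  # constructed example body

if __name__ == "__main__":
    for v in ("2.23.5", "2.24.4", "2.25.1", "2.25.2"):
        print(v, "AFFECTED" if is_affected(v) else "fixed")
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
    print(scan_request_body(SAMPLE_POST))
```

Two caveats when running this against real data: web server access logs record only the request line, so POST-borne payloads can be found only in a reverse proxy's request-body log or a packet capture, and a hit on a server that was unpatched at the time of the request should be handled as a likely compromise (look for new files, cron entries and outbound connections from the GeoServer service account) rather than as a blocked scan.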

The geospatial community has expressed concern over the vulnerability. “This is a wake-up call for all organizations using GeoServer,” said cybersecurity expert Jane Doe. “The ability for unauthenticated users to execute code remotely is a severe threat that needs immediate attention.”

As the exploitation of CVE-2024-36401 continues to unfold, GeoServer users must act swiftly.

Updating to a patched version and hardening the deployment around it can mitigate the risks associated with this critical vulnerability. The geospatial data landscape depends on prompt and decisive action to safeguard against these emerging cyber threats.
