US federal agency breached by hackers using GeoServer exploit, CISA says

By Sead Fadilpašić

Copyright techradar

24 September 2025

A timely patching could have prevented the attack

Attackers exploited a critical GeoServer flaw to breach a US federal agency in July 2024
China Chopper web shell enabled remote access and lateral movement across compromised systems
CISA urges timely patching, tested response plans, and continuous alert monitoring

In mid-July 2024, a threat actor managed to break into a US Federal Civilian Executive Branch (FCEB) agency by exploiting a critical remote code execution (RCE) vulnerability in GeoServer, the government has confirmed.

In an in-depth report detailing the incident, the US Cybersecurity and Infrastructure Security Agency (CISA) outlined how the attackers leveraged CVE-2024-36401, a 9.8/10 vulnerability that granted RCE capabilities through specially crafted input against a default GeoServer installation.
GeoServer is an open source server platform that enables users to share, edit, and publish geospatial data using open standards.

Lessons learned
The vulnerability was disclosed on June 30 and added to CISA’s Known Exploited Vulnerabilities (KEV) catalog by July 15, but by then it was already too late: the miscreants had established persistence on compromised endpoints.

The damage could still have been reduced by timely patching, though, as a second GeoServer instance was breached on July 24.
Once inside, the attackers conducted extensive reconnaissance using tools like Burp Suite, fscan, and linux-exploit-suggester2.pl.
They moved laterally across the network, compromising a web server and an SQL server, and deploying web shells on each system.

Among them was China Chopper, a lightweight web shell used for remote access and control over compromised servers. Once installed, it allows attackers to execute commands, upload files, and pivot within networks.
CISA did not attribute this attack to any known threat actor, but from previously reported incidents it is known that China Chopper is widely used by advanced persistent threat (APT) groups, particularly those linked to Chinese state-sponsored operations such as APT41.
The goal of CISA’s report was to share lessons learned from the incident, and apparently those lessons are: patch your systems on time, make sure to have an incident response plan (and test/exercise it!), and continuously review alerts.
Via BleepingComputer
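
The first of CISA’s lessons, patching on time, is easier to enforce when the KEV catalog is checked against an asset inventory automatically. The script below is an added example, not code from the article or from CISA; the KEV feed excerpt and the inventory are constructed inline to mirror the real KEV JSON layout, the June 30 disclosure and July 15 KEV dates come from the article, and the dueDate and host names are placeholders.

```python
"""Flag KEV-listed CVEs still unpatched in an asset inventory.

Added example. Feed excerpt constructed to mirror the CISA KEV JSON
layout; dueDate and host names are placeholders, not values from the
article or the CISA report.
"""
import json
from datetime import date

# Constructed KEV feed excerpt (dateAdded is the July 15 date from the article).
KEV_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2024-36401", "vendorProject": "OSGeo",
         "product": "GeoServer", "dateAdded": "2024-07-15",
         "dueDate": "2024-08-05"},  # dueDate is a placeholder
    ],
})

# Constructed inventory: patched_on is an ISO date, or None if still unpatched.
INVENTORY = [
    {"host": "geo-1.placeholder", "cves": ["CVE-2024-36401"], "patched_on": None},
    {"host": "geo-2.placeholder", "cves": ["CVE-2024-36401"], "patched_on": "2024-07-16"},
    {"host": "web-1.placeholder", "cves": ["CVE-0000-PLACEHOLDER"], "patched_on": None},
]


def load_kev(feed_json: str) -> dict:
    """Index the KEV feed by CVE id so lookups are O(1)."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}


def exposure_report(inventory: list, kev: dict, today_iso: str) -> list:
    """One row per host/CVE pair that appears in the KEV catalog.

    days_exposed counts days from the KEV listing to the patch (or to
    today if unpatched); overdue is True once the KEV dueDate has passed
    with no patch applied. CVEs not in the catalog are skipped.
    """
    today = date.fromisoformat(today_iso)
    rows = []
    for asset in inventory:
        for cve in asset["cves"]:
            entry = kev.get(cve)
            if entry is None:
                continue  # not in KEV: out of scope for this check
            added = date.fromisoformat(entry["dateAdded"])
            due = date.fromisoformat(entry["dueDate"])
            fixed = asset["patched_on"]
            end = date.fromisoformat(fixed) if fixed else today
            rows.append({"host": asset["host"], "cve": cve,
                         "days_exposed": max((end - added).days, 0),
                         "overdue": fixed is None and today > due})
    return rows
```

Running it with July 24 as "today" (the date the second instance was breached) shows the unpatched host nine days past the KEV listing, which is the window the article says timely patching would have closed.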

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.