Security News > 2024 > July > CISA warns critical Geoserver GeoTools RCE flaw is exploited in attacks

CISA is warning that a critical GeoServer GeoTools remote code execution flaw tracked as CVE-2024-36401 is being actively exploited in attacks.
On June 30th, GeoServer disclosed a critical 9.8 severity remote code execution vulnerability in its GeoTools plugin caused by unsafely evaluating property names as XPath expressions.
"The GeoTools library API that GeoServer calls evaluates property/attribute names for feature types in a way that unsafely passes them to the commons-jxpath library which can execute arbitrary code when evaluating XPath expressions," reads the GeoServer advisory.
Yesterday, the US Cybersecurity and Infrastructure Security Agency added CVE-2024-36401 to its Known Exploited Vulnerabilities Catalog, warning that the flaw is being actively exploited in attacks.
While CISA did not provide any information on how the flaws were being exploited, the threat monitoring service Shadowserver said they observed CVE-2024-36401 being actively exploited starting on July 9th. OSINT search engine ZoomEye says that approximately 16,462 GeoServer servers are exposed online, most located in the US, China, Romania, Germany, and France.
CISA warns of actively exploited Linux privilege elevation flaw.
News URL
Related news
- Critical RCE bug in Microsoft Outlook now exploited in attacks (source)
- CISA tags critical Ivanti EPM flaws as actively exploited in attacks (source)
- Critical PHP RCE vulnerability mass exploited in new attacks (source)
- Critical RCE flaw in Apache Tomcat actively exploited in attacks (source)
- CISA tags Microsoft .NET and Apache OFBiz bugs as exploited in attacks (source)
- CISA orders agencies to patch Linux kernel bug exploited in attacks (source)
- Critical PostgreSQL bug tied to zero-day attack on US Treasury (source)
- CISA Flags Craft CMS Vulnerability CVE-2025-23209 Amid Active Attacks (source)
- CISA flags Craft CMS code injection flaw as exploited in attacks (source)
- PHP-CGI RCE Flaw Exploited in Attacks on Japan's Tech, Telecom, and E-Commerce Sectors (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2024-07-01 | CVE-2024-36401 | Code Injection vulnerability in multiple products GeoServer is an open source server that allows users to share and edit geospatial data. | 9.8 |