Federal Agency Compromised Via GeoServer Exploit, CISA Reveals

Published 2025-09-29 at https://ft365.org/index.php/2025/09/29/federal-agency-compromised-via-geoserver-exploit-cisa-reveals/

[Photo of Phil Muncaster]

A federal agency was compromised last year after failures in vulnerability remediation, incident response and EDR log reviews, according to the US Cybersecurity and Infrastructure Security Agency (CISA).

CISA claimed in a "lessons learned" advisory published on September 23 that threat actors gained access to the agency's network on July 11, 2024, by exploiting CVE-2024-36401 on a public-facing GeoServer.

That critical remote code execution (RCE) bug was added to the CISA Known Exploited Vulnerabilities (KEV) catalog on July 15.

The adversaries used the vulnerability to download open source tools and scripts and establish persistence in the agency's network, before exploiting the same flaw to access a second GeoServer over a week later.

"They moved laterally from GeoServer 1 to a web server and then a Structured Query Language (SQL) server," CISA explained.

"On each server, they uploaded (or attempted to upload) web shells such as China Chopper, along with scripts designed for remote access, persistence, command execution, and privilege escalation. The cyber-threat actors also used living off the land (LOTL) techniques."

Read more on US government breaches: CISA Claims Treasury Breach Did Not Impact Other Agencies.

The adversaries relied mainly on brute-force techniques to obtain passwords for lateral movement and privilege escalation, and also accessed service accounts by exploiting their associated services, the report added.

Lessons Learned

CISA claimed the federal agency failed on several counts:

- It didn't remediate the GeoServer vulnerability quickly enough. Although the CVE wasn't added to KEV until four days after the initial compromise, the vendor had patched it 11 days earlier, on June 30. Exploitation of the second server occurred on July 24, which was within the KEV patching window.
- The agency didn't test its incident response plan, and the plan itself didn't enable it to engage third parties or give them access to resources swiftly. This hampered CISA's own response efforts.
- EDR alerts weren't continuously reviewed, so the malicious activity went undetected for three weeks. Acting on an alert on July 15 would have enabled swift containment of the threat.
- The agency didn't apply EDR to all endpoints. Its web server, for example, lacked protection.

"CISA encourages all organizations to consider the lessons learned and apply the associated recommendations in the Mitigations section of this advisory to improve their security posture," the agency said.

Exabeam security operations strategist Gabrielle Hempel argued the incident highlights that patching processes are still sub-optimal across government agencies.

"I know we keep saying 'expedite patching,' but the real need is automated enforcement," she added. "If a critical CVE is in KEV, patch it, or pull the system off the network. Leaving these exposed should no longer be an acceptable risk posture in any organization, especially in a federal landscape."

CISA did not name the federal civilian executive branch agency that was impacted by the compromise.