CVE-2024-36401

Vulnerability updated 4 months ago (2024-11-29T14:44:40.710Z)
CVE-2024-36401 is a critical remote code execution vulnerability discovered in GeoServer and GeoTools, two open source software packages used to distribute geospatial data. The flaw was first reported on Security Boulevard in July 2024. It was one of two vulnerabilities identified at the time (along with CVE-2024-36404) and poses a significant threat because it allows malicious actors to execute arbitrary code on vulnerable systems remotely.

The vulnerability was subsequently exploited by threat actors, as reported by Fortinet FortiGuard Labs. Various malware families, including cryptocurrency miners, bots, and the SideWalk backdoor, were delivered through this exploit. The US Cybersecurity and Infrastructure Security Agency (CISA) added the bug to its Known Exploited Vulnerabilities catalog, highlighting the seriousness of the issue.

By September 2024, the cybersecurity firm Trend Micro revealed that a group dubbed Earth Baxia had been using CVE-2024-36401 in its attacks. Earth Baxia, suspected to originate from China, targeted government organizations in Taiwan and other Asia-Pacific countries. Its methods included spear-phishing emails and exploitation of this GeoServer vulnerability to achieve remote code execution.
Description last updated: 2024-10-17T11:52:21.307Z
Aliases: We are not currently tracking any aliases.

Miscellaneous Associations
Other elements of context that could aid in the identification of relevance:
- Exploit
- Vulnerability
- CISA
- Phishing
Associated Threat Actors

Alias       | Description                                                     | Association Type | Votes
Earth Baxia | The threat actor Earth Baxia is associated with CVE-2024-36401. | Unspecified      | 2