Threat Actors Exploit GeoServer Vulnerability CVE-2024-36401 to Launch Malware Campaigns

by do son · September 6, 2024

GOREVERSE’s log | Image: FortiGuard Labs

Cybersecurity researchers at FortiGuard Labs have observed multiple campaigns targeting a critical vulnerability in GeoServer, an open-source geospatial data server. Identified as CVE-2024-36401, this remote code execution (RCE) flaw carries a CVSS score of 9.8, marking it as a severe threat to organizations that use GeoServer to manage and share geospatial data. The vulnerability allows unauthenticated attackers to execute arbitrary code on affected systems, leading to serious consequences such as malware deployment, data theft, or unauthorized system control.

GeoServer, a Java-based platform, is widely used for sharing, editing, and managing geospatial data. It is a reference implementation of the Open Geospatial Consortium (OGC) standards, including the Web Feature Service (WFS) and Web Coverage Service (WCS). However, a critical flaw was discovered in how GeoServer evaluates certain request parameters using XPath expressions.

The vulnerability stems from unsafely handling user input within the UMTX_OP_SHM operation, which provides anonymous shared memory for process-shared mutexes. When exploited, attackers can inject specially crafted inputs to trigger remote code execution, allowing them to execute malicious scripts or commands on the server.

The most common payload identified during the exploitation of CVE-2024-36401 is the GOREVERSE malware, a reverse proxy tool designed to give attackers access to compromised systems. Once executed, GOREVERSE establishes a connection to a command-and-control (C2) server, allowing threat actors to exfiltrate sensitive data, deploy additional malware, or maintain persistence within the network.

In some cases, attackers have also deployed the SideWalk malware, a sophisticated backdoor often associated with APT41, a notorious state-sponsored hacking group. SideWalk is highly stealthy and is capable of operating on multiple architectures, including ARM, MIPS, and X86, making it a versatile tool for targeting diverse systems.

Additionally, researchers have also discovered many other malware exploiting this vulnerability, including

Mirai Variant – JenX: A botnet known for its distributed denial-of-service (DDoS) capabilities and exploitation of vulnerabilities in Huawei routers.
Condi: Another botnet with DDoS capabilities and backdoor functionalities.
CoinMiners: Various cryptocurrency miners designed to hijack system resources for illicit cryptocurrency mining operations.

FortiGuard Labs has observed widespread exploitation of this vulnerability, with significant activity targeting IT service providers in India, technology firms in the U.S., government agencies in Belgium, and telecommunications companies in Thailand and Brazil. This global spread indicates that the vulnerability is being exploited in sophisticated, coordinated attacks aimed at critical infrastructure and key industries.

Attackers often initiate the exploitation by sending malicious payloads to vulnerable GeoServer installations. The payload typically downloads a script that checks the victim’s operating system and architecture before downloading and executing the appropriate malware. The attack chain continues with further stages designed to escalate privileges, establish persistence, and evade detection.

GeoServer project maintainers have addressed the vulnerability in versions 2.23.6, 2.24.4, and 2.25.2 by replacing the vulnerable XPath evaluation function with a safer alternative. Organizations running older versions of GeoServer are strongly urged to upgrade to these patched versions immediately.