A critical remote code execution vulnerability in GeoServer, designated CVE-2024-36401, has been exploited by cybercriminals to deploy cryptocurrency mining malware. The attacks have targeted unpatched GeoServer installations, compromising both Windows and Linux environments. Threat actors have used sophisticated malware payloads, including remote access tools and cryptocurrency miners, to hijack system resources for illicit mining operations. The malware campaign has demonstrated remarkable persistence and technical sophistication, with documented cases in South Korea. The attacks have significantly degraded system performance and increased operational costs for victims.
Source: https://cybersecuritynews.com/hackers-exploiting-geoserver-rce-vulnerability/
TPRM report: https://scoringcyber.rankiteo.com/company/geosolutionsgroup
{
  "id": "geo400071125",
  "linkid": "geosolutionsgroup",
  "type": "Vulnerability",
  "date": "7/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'location': ['South Korea'], 'type': 'Organizations'}],
 'attack_vector': 'Remote Code Execution',
 'date_detected': '2024',
 'date_publicly_disclosed': '2024',
 'description': 'A critical remote code execution vulnerability in GeoServer '
                'has become a prime target for cybercriminals deploying '
                'cryptocurrency mining malware across global networks.',
 'impact': {'operational_impact': 'Degraded system performance and increased '
                                  'operational costs',
            'systems_affected': ['Windows', 'Linux']},
 'initial_access_broker': {'backdoors_established': 'NetCat',
                           'entry_point': 'Unpatched GeoServer installations'},
 'motivation': 'Financial Gain',
 'post_incident_analysis': {'root_causes': 'Unpatched GeoServer installations'},
 'references': [{'date_accessed': '2024', 'source': 'ASEC'}],
 'title': 'Cryptocurrency Mining Malware Exploiting GeoServer Vulnerability',
 'type': 'Cryptocurrency Mining Malware',
 'vulnerability_exploited': 'CVE-2024-36401'}