Intel Name: CISA shares lessons learned from an incident response engagement
Date of Scan: September 24, 2025
Impact: High
Summary: During its incident response engagement, CISA determined that cyber threat actors infiltrated the agency’s network on July 11, 2024, by exploiting a critical vulnerability, CVE-2024-36401 [CWE-95: “Eval Injection”], in a public-facing GeoServer instance (referred to as GeoServer 1). This vulnerability, publicly disclosed on June 30, 2024, enables unauthenticated remote code execution (RCE) on vulnerable GeoServer versions; GeoServer fixed it in releases 2.23.6, 2.24.4 and 2.25.2. The attackers leveraged this flaw to deploy open-source tools and scripts, establishing persistent access within the network. Following the compromise of GeoServer 1, the threat actors separately exploited the same vulnerability to gain initial access to a second instance, GeoServer 2, on July 24, 2024. They also moved laterally from GeoServer 1 to other systems, including a web server and a Structured Query Language (SQL) server. On each compromised host, they uploaded or attempted to upload web shells, such as China Chopper, and various scripts intended for remote access, maintaining persistence, executing commands, and escalating privileges. Additionally, the attackers employed “living off the land” (LOTL) techniques to blend in with legitimate system activity.
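The two initial-access and persistence behaviours above (an eval-injection request against a public GeoServer, followed by interaction with a dropped web shell) both leave traces in the front-end access log. The following triage script is an added example and is not part of CISA's advisory or any GeoServer code. It assumes combined-format access logs, it assumes that the OGC expression-bearing parameters listed in EXPR_PARAMS are the ones GeoServer hands to its expression evaluator, and the JAVA_CALL_RE indicator (Java class or method references inside an XPath-style expression) and the "POST to an unexpected server-side script" rule are heuristics of my own, not official indicators of compromise. The log lines are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); not from the advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Jul/2024:03:14:07 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetPropertyValue&typeNames=topp:states&valueReference=exec(java.lang.Runtime.getRuntime(),'id') HTTP/1.1" 200 512 "-" "python-requests/2.31"
10.0.0.9 - - [11/Jul/2024:03:14:09 +0000] "GET /geoserver/wfs?service=WFS&version=1.1.0&request=GetFeature&typeName=topp:states&maxFeatures=5 HTTP/1.1" 200 10231 "-" "Mozilla/5.0"
10.0.0.5 - - [11/Jul/2024:03:15:40 +0000] "POST /geoserver/web/wicket/resource/x.jsp HTTP/1.1" 200 12 "-" "Mozilla/5.0"
10.0.0.7 - - [11/Jul/2024:03:16:02 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetPropertyValue&typeNames=topp:states&valueReference=exec%28java.lang.Runtime.getRuntime%28%29%2C%27whoami%27%29 HTTP/1.1" 200 512 "-" "curl/8.4.0"
"""

# Combined log format: ip ident user [ts] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Assumed: OGC request parameters whose values reach GeoServer's expression evaluator.
# Names come from the WFS/WMS specs; the list is a heuristic, not exhaustive.
EXPR_PARAMS = ("valuereference", "propertyname", "xpath", "cql_filter", "filter")

# Assumed indicator: Java class/method references inside an XPath-like expression,
# which a legitimate property name or filter never contains.
JAVA_CALL_RE = re.compile(r"java\.lang\.|getRuntime|\bexec\s*\(|ProcessBuilder", re.IGNORECASE)

# Server-side script extensions a web shell would be dropped as.
SCRIPT_EXT_RE = re.compile(r"\.(jsp|jspx|php|aspx?)$", re.IGNORECASE)


def parse_line(line):
    """Parse one access-log line into a dict with decoded query parameters, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs percent-decodes values, so URL-encoded payloads are normalised before matching.
    rec["params"] = {k.lower(): v for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return rec


def find_eval_injection(rec):
    """Return a reason string if an expression parameter carries a Java call, else None."""
    for name in EXPR_PARAMS:
        for value in rec["params"].get(name, []):
            if JAVA_CALL_RE.search(value):
                return f"possible CVE-2024-36401 eval injection via '{name}': {value[:80]}"
    return None


def find_webshell_post(rec, known_script_paths):
    """Flag POSTs to server-side scripts that are not in the deployment's known set."""
    if (rec["method"] == "POST"
            and SCRIPT_EXT_RE.search(rec["path"])
            and rec["path"] not in known_script_paths):
        return f"POST to unexpected server-side script {rec['path']}"
    return None


def triage(log_text, known_script_paths=frozenset()):
    """Run both detections over every line; return (ip, timestamp, reason) tuples in log order."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for reason in (find_eval_injection(rec), find_webshell_post(rec, known_script_paths)):
            if reason:
                findings.append((rec["ip"], rec["ts"], reason))
    return findings


if __name__ == "__main__":
    for ip, ts, reason in triage(SAMPLE_LOG):
        print(f"{ts} {ip}: {reason}")
```

The known_script_paths allowlist is what keeps the web-shell rule usable: populate it from a clean build of the deployment, and anything else answering POSTs with a script extension is worth pulling for review. Hits on the eval-injection rule should be followed by checking the GeoServer version against the fixed releases and by reviewing the host for the follow-on tooling described above.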