TLDR:
- A critical remote code execution vulnerability (CVE-2024-36401, CVSS 9.8) in the GeoTools library used by GeoServer is being exploited in the wild to deliver backdoors, botnet malware, and cryptocurrency miners.
- Observed targets include IT service providers in India, technology companies in the U.S., government entities in Belgium, and telecommunications companies in Thailand and Brazil.
A critical remote code execution vulnerability (CVE-2024-36401) in the GeoTools library used by GeoServer has been exploited to deliver cryptocurrency miners, botnet malware, and a known Linux backdoor called SideWalk. The flaw, rated CVSS 9.8, stems from GeoTools evaluating attacker-supplied property names as XPath expressions, so a crafted OGC request lets an unauthenticated attacker run code on and take over a susceptible instance. CISA added it to the Known Exploited Vulnerabilities (KEV) catalog in mid-July 2024. Observed targets include IT service providers in India, technology companies in the U.S., government entities in Belgium, and telecommunications companies in Thailand and Brazil, a spread that covers the Americas, Europe, and Asia. One attack chain delivered SideWalk, an advanced Linux backdoor attributed to the Chinese threat actor APT41.
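The check a defender needs first is whether a given GeoServer build is still exposed. The script below is an added example, not code from the article or from the GeoServer project; the fixed releases it encodes (2.23.6, 2.24.4, 2.25.2) come from the GeoServer security advisory for this CVE, and the hostnames and versions in the inventory are constructed sample data. It treats every release on a branch older than 2.23 as affected (those branches were never patched) and, as a conservative assumption, treats a pre-release build of a fixed version (e.g. 2.25.2-SNAPSHOT) as affected too, since it may predate the fix commit.

```python
"""Version triage for CVE-2024-36401 (GeoServer / GeoTools).

Added example, not code from the article or the GeoServer project.
Fixed versions are taken from the GeoServer security advisory for this CVE.
"""
import re
from typing import Dict, Tuple

# First fixed release on each supported minor branch (vendor advisory).
FIXED = {
    (2, 23): (2, 23, 6),
    (2, 24): (2, 24, 4),
    (2, 25): (2, 25, 2),
}

# major.minor.patch with an optional pre-release tag such as -SNAPSHOT or -RC1
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)\.(\d+)(?:[-.]?(SNAPSHOT|RC\d*|M\d*))?$", re.IGNORECASE
)


def parse_version(text: str) -> Tuple[int, int, int, bool]:
    """Return (major, minor, patch, is_prerelease); raise on unparseable input."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GeoServer version: {text!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    return major, minor, patch, m.group(4) is not None


def is_affected(version: str) -> bool:
    """True if this GeoServer version is affected by CVE-2024-36401."""
    major, minor, patch, prerelease = parse_version(version)
    branch = (major, minor)
    if branch in FIXED:
        if (major, minor, patch) < FIXED[branch]:
            return True
        # Conservative assumption: a pre-release of the fixed version
        # (e.g. 2.25.2-SNAPSHOT) may have been built before the fix landed.
        return bool(prerelease and (major, minor, patch) == FIXED[branch])
    if branch < min(FIXED):
        return True  # branch older than 2.23 was never patched
    return False  # branch newer than 2.25 was cut after the fix


# Constructed sample inventory (host,version), not real hosts.
INVENTORY = """\
gis-prod-01,2.25.1
gis-prod-02,2.25.2
gis-legacy,2.22.5
gis-dev,2.25.2-SNAPSHOT
"""


def triage(inventory: str) -> Dict[str, bool]:
    """Map each host in a 'host,version' inventory to its affected status."""
    result: Dict[str, bool] = {}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, version = (part.strip() for part in line.split(",", 1))
        result[host] = is_affected(version)
    return result


if __name__ == "__main__":
    for host, affected in triage(INVENTORY).items():
        print(f"{host}: {'AFFECTED' if affected else 'patched'}")
```

The version string can be read from the GeoServer welcome page or the REST `about/version` endpoint; feed whatever you collect into `triage` one host per line. A patched version only removes the entry point: a host that ran a vulnerable build while the flaw was in KEV should still be checked for miners, bots, or SideWalk persistence.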