What is GeoServer?
GeoServer is the most widely deployed open-source geospatial server, used by governments, militaries, research institutions, utilities, and commercial organizations to publish and share geographic information via OGC-standard web services (WMS, WFS, WCS, WPS). GeoServer instances are commonly exposed to the internet to allow public map services and data sharing. National mapping agencies, environmental agencies, defense contractors, and critical infrastructure operators run GeoServer — making it a high-value target for nation-state intelligence collection and for attackers targeting organizations with sensitive geospatial data.
Overview
CVE-2024-36401 is an improper code evaluation (eval injection, CWE-95) vulnerability in GeoServer through its underlying GeoTools library. GeoServer's OGC filter evaluation — used to filter geospatial features in WMS, WFS, and WPS requests — evaluates property name expressions using GeoTools' XPath evaluation engine. Due to a design flaw, property names supplied in OGC filter parameters are passed to eval() as XPath expressions without adequate sanitization. An unauthenticated attacker can supply a malicious property name containing a Java expression that executes arbitrary code on the GeoServer host. CISA added it to the KEV catalog just two weeks after the patch, indicating immediate exploitation by multiple threat actors.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| GeoServer 2.23.x | < 2.23.6 | 2.23.6 |
| GeoServer 2.24.x | < 2.24.4 | 2.24.4 |
| GeoServer 2.25.x | < 2.25.2 | 2.25.2 |
| GeoServer < 2.23.0 | All earlier versions | Upgrade to a patched branch |
Technical Details
The eval injection (CWE-95) is in GeoTools' ComplexFilterSplitter and related OGC filter processing code. When GeoServer evaluates an OGC filter (e.g., in a WMS GetMap request or WFS GetFeature request), it passes property name values through an XPath evaluation engine that supports extended expression syntax. The XPath engine uses property('name') and similar accessor functions implemented using Java reflection and expression evaluation.
The core flaw: Property names in OGC filters are supposed to be simple identifiers (column names), but GeoTools passes them directly to the expression evaluator without restricting the allowed expression syntax. An attacker can supply a property name like:
exec(java.lang.Runtime.getRuntime(),'id')
or other Java expressions that invoke OS commands, download and execute payloads, or read sensitive files.
No authentication required: The vulnerable OGC endpoints (/ows, /wms, /wfs) are public-facing in most GeoServer deployments — no login is needed to send a filter request. This makes the vulnerability exploitable by any internet-connected attacker.
Discovery
The vulnerability was discovered by Steve Ikeoka, who reported it to the GeoServer security team. The GeoTools library fix (restricting expression types in property name evaluation) was implemented in the GeoTools 29.2/30.4/31.1 releases corresponding to the GeoServer fixes.
Exploitation Context
CISA added CVE-2024-36401 to the KEV catalog on July 15, 2024 — just two weeks after the patch, indicating exploitation began within days of public disclosure (or possibly before). Palo Alto Unit 42 and other threat intelligence teams documented multiple threat actor groups actively exploiting this vulnerability:
- SideWinder APT: A South Asia-focused threat actor used CVE-2024-36401 to target GeoServer instances at government and military organizations
- Multiple Chinese APT groups: Targeted government mapping agencies and defense-adjacent organizations
- Opportunistic attackers: Mass scanning for vulnerable GeoServer instances began within 24–48 hours of public disclosure
The attack surface is significant: hundreds of GeoServer instances were internet-exposed and unpatched during the exploitation window.
Remediation
- Upgrade GeoServer to 2.23.6, 2.24.4, or 2.25.2 immediately. The CISA deadline was August 5, 2024.
- Block external access to OGC endpoints if public access is not required — restrict the `/ows`, `/wms`, `/wfs`, `/wcs`, and `/wps` endpoints to known IP ranges.
- Implement a WAF rule to block requests where OGC filter `PropertyName` elements contain parentheses, Java class references, or expression syntax — these indicate exploitation attempts.
- Audit GeoServer access logs for POST requests to OGC endpoints containing unusual property name values (especially requests with `exec`, `Runtime`, `Process`, or Java class names in the body).
- Check for new files in the GeoServer data directory — exploitation often results in web shell creation or download of secondary payloads.
- Update the GeoTools library to a patched version if running GeoServer in an embedded or custom configuration.
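As an added example (not code from the advisory or from the GeoServer project), the Python below implements the allowlist behind the WAF-rule and log-audit items above: it pulls `PropertyName`/`ValueReference` values out of KVP and XML filter requests and flags anything that is not a plain column name. The sample requests are constructed, and the allowlist assumes legitimate property names never contain parentheses, quotes or dots; deployments using unusual nested property paths may need to widen it.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs

# Allowlist for a plain OGC property name: identifier with optional namespace prefix
# and optional XPath-style path steps (e.g. "STATE_NAME", "gml:name", "measurement/value").
# Assumption: legitimate column names never contain parentheses, quotes or dots.
SIMPLE_PROPERTY = re.compile(r"^[A-Za-z_@][\w:-]*(?:/[A-Za-z_@][\w:-]*)*$")

def is_simple_property_name(name: str) -> bool:
    """True only if `name` looks like a column name rather than an expression."""
    return bool(SIMPLE_PROPERTY.match(name.strip()))

def property_names_from_xml(doc: str) -> list:
    """Collect PropertyName (FES 1.x) and ValueReference (FES 2.0) values from an
    OGC filter document, ignoring namespace prefixes; unparseable input yields []."""
    try:
        root = ET.fromstring(doc)
    except ET.ParseError:
        return []
    return [(el.text or "").strip() for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] in ("PropertyName", "ValueReference")]

def property_names_from_kvp(query: str) -> list:
    """Collect property names from a key-value-pair query string: the comma-separated
    propertyName and sortBy parameters plus any XML FILTER parameter."""
    names = []
    for key, values in parse_qs(query).items():
        for value in values:
            if key.lower() in ("propertyname", "sortby"):
                names += [p.split()[0] for p in value.split(",") if p.strip()]
            elif key.lower() == "filter":
                names += property_names_from_xml(value)
    return names

def suspicious_property_names(query: str = "", body: str = "") -> list:
    """Return every property name in a GET query or POST body that fails the allowlist."""
    names = property_names_from_kvp(query) + property_names_from_xml(body)
    return [n for n in names if not is_simple_property_name(n)]

# Constructed sample requests (not taken from real traffic); the flagged one carries
# the expression-style property name quoted in the Technical Details section above.
SAMPLE_KVP_OK = ("service=WFS&version=1.1.0&request=GetFeature&typeName=topp:states"
                 "&propertyName=STATE_NAME,PERSONS&sortBy=STATE_NAME+A")
SAMPLE_FILTER_BAD = (
    '<ogc:Filter xmlns:ogc="http://www.opengis.net/ogc"><ogc:PropertyIsEqualTo>'
    "<ogc:PropertyName>exec(java.lang.Runtime.getRuntime(),'id')</ogc:PropertyName>"
    "<ogc:Literal>x</ogc:Literal></ogc:PropertyIsEqualTo></ogc:Filter>")

if __name__ == "__main__":
    print(suspicious_property_names(query=SAMPLE_KVP_OK),
          suspicious_property_names(body=SAMPLE_FILTER_BAD))
```

The same check applies to the `FILTER` KVP parameter on GET requests, which the function handles by parsing its XML value with the same extractor as the POST body.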
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2024-36401 |
| Vendor / Product | OSGeo — GeoServer |
| NVD Published | 2024-07-01 |
| NVD Last Modified | 2025-10-24 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-95 |
| CISA KEV Added | 2024-07-15 |
| CISA KEV Deadline | 2024-08-05 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2024-07-01 | GeoServer 2.23.6, 2.24.4, and 2.25.2 released; CVE published |
| 2024-07-15 | CISA adds to KEV (2 weeks after patch — confirmed rapid active exploitation) |
| 2024-08-05 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| GitHub Security Advisory GHSA-6jj6-gm7p-fcvv — GeoServer CVE-2024-36401 | Vendor Advisory |
| GeoTools Fix — OGC Filter XPath Expression Safety | Vendor Advisory |
| NVD — CVE-2024-36401 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Palo Alto Unit 42 — CVE-2024-36401 GeoServer Exploitation | Security Research |