FortiGuard Outbreak Alert: GeoServer RCE Attack
| Description | GeoServer is an open-source server written in Java that allows users to process geospatial data.
GeoServer has a vulnerability (CVE-2024-36401) where unauthenticated users could send specially crafted inputs to achieve remote code execution on the server.
The following versions of GeoServer are affected by CVE-2024-36401: |
| CVE ID | CVE-2024-36401 (https://nvd.nist.gov/vuln/detail/CVE-2024-36401) |
| NDR Cloud Detection Rule | FortiNDR Cloud v2024.8.1+ |
| Playbook | N/A |
| Threat Hunting | FortiNDR Cloud users can use the following IOCs from Fortinet to hunt for “GeoServer RCE Attack” related activities |
| Suricata Coverage | Customers can create custom investigation/detections using the Suricata signatures below:
2055805 -> ET WEB_SPECIFIC_APPS Geoserver Unsafe jxpath Evaluation RCE Attempt M1 (CVE-2024-36401)
2055808 -> ET WEB_SPECIFIC_APPS Geoserver Unsafe jxpath Evaluation RCE Attempt M2 (CVE-2024-36401)
2055809 -> ET WEB_SPECIFIC_APPS Geoserver Unsafe jxpath Evaluation RCE Attempt M3 (CVE-2024-36401)
2055810 -> ET WEB_SPECIFIC_APPS Geoserver Unsafe jxpath Evaluation RCE Attempt M4 (CVE-2024-36401)
2055811 -> ET WEB_SPECIFIC_APPS Geoserver Unsafe jxpath Evaluation RCE Attempt M5 (CVE-2024-36401) |
| Other Fortinet Products | For more details regarding mitigating the vulnerability by utilizing Fortinet products, please refer to |
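
An added example (not Fortinet's or the page's own code) for the Suricata Coverage row above: it scans Suricata EVE JSON lines for alerts on the five listed signature IDs and groups the hits by source and destination address. The names `hunt` and `_ev` and the sample events are constructed for illustration.

```python
import json
from collections import defaultdict

# Signature IDs from the Suricata Coverage row (variants M1 to M5).
GEOSERVER_SIDS = {2055805, 2055808, 2055809, 2055810, 2055811}

def hunt(eve_lines):
    """Group CVE-2024-36401 alerts in EVE JSON lines by (src_ip, dest_ip)."""
    hits = defaultdict(lambda: {"count": 0, "sids": set(), "first": None, "last": None})
    for line in eve_lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or partially written lines
        if not isinstance(ev, dict) or ev.get("event_type") != "alert":
            continue
        sid = (ev.get("alert") or {}).get("signature_id")
        if sid not in GEOSERVER_SIDS:
            continue
        h = hits[(ev.get("src_ip"), ev.get("dest_ip"))]
        h["count"] += 1
        h["sids"].add(sid)
        ts = ev.get("timestamp")
        if ts:
            # Lexical order matches time order while all stamps share one UTC offset.
            h["first"] = ts if h["first"] is None else min(h["first"], ts)
            h["last"] = ts if h["last"] is None else max(h["last"], ts)
    return dict(hits)

def _ev(ts, src, sid, etype="alert"):
    # Constructed sample event; addresses are documentation ranges, not real IOCs.
    return json.dumps({"timestamp": ts, "event_type": etype, "src_ip": src,
                       "dest_ip": "192.0.2.10", "alert": {"signature_id": sid}})

SAMPLE_EVE = [
    _ev("2024-07-10T08:15:02.000000+0000", "203.0.113.7", 2055805),
    _ev("2024-07-10T08:15:09.000000+0000", "203.0.113.7", 2055809),
    _ev("2024-07-10T09:01:44.000000+0000", "198.51.100.23", 2055811),
    _ev("2024-07-10T09:02:00.000000+0000", "198.51.100.23", 2100498),  # unrelated SID
    _ev("2024-07-10T09:03:00.000000+0000", "203.0.113.7", 2055805, "http"),  # not an alert
    '{"timestamp":"2024-07-10T09:04',  # truncated line
]

if __name__ == "__main__":
    for (src, dst), h in sorted(hunt(SAMPLE_EVE).items()):
        print(src, "->", dst, h["count"], sorted(h["sids"]), h["first"], h["last"])
```

A source that trips more than one of the M1 to M5 variants against the same server is a useful first sort key when triaging the output.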
