Date: 2025-09-24

BleepingComputer reports that the Cybersecurity and Infrastructure Security Agency has confirmed the breach of one U.S. federal agency following a July 2024 attack targeting a GeoServer instance impacted by the critical remote code execution flaw tracked as CVE-2024-36401.

The federal agency's GeoServer instance was infiltrated two days after initial intrusions involving the exploit, and another server was hacked almost two weeks later. Threat actors moved laterally to a web server and an SQL server that had been infected with China Chopper and other web shells, as well as other remote access, command execution, privilege escalation, and persistence scripts, according to CISA.

Subsequent brute-force attacks aimed at acquiring credentials remained undetected until the agency's endpoint detection and response tool flagged a suspected malware compromise by the end of the month.