CISA this week offered a rare window into a real-world breach at a U.S. federal civilian agency. Delays in patching, unexercised incident response plans, and inadequate monitoring of EDR alerts were the three critical gaps that allowed the intrusion, the agency said.
CISA said, the incident began when endpoint detection and response (EDR) alerts surfaced in early July 2024, but were only observed a month later in August. During forensic analysis, the agency determined the threat actors had first gained access by exploiting CVE-2024-36401, a remote code execution vulnerability affecting GeoServer.
It was technically an XPath expression injection vulnerability that stemmed from the way GeoServer handles XPath expressions. Specifically, when GeoServer interacts with the GeoTools library API, it passes element type attribute names insecurely to the commons-jxpath library. This mishandling allowed malicious actors to inject crafted XPath expressions that could execute arbitrary code on the affected server.
Also read: GeoServer and GeoTools Address XPath Expression Injection Vulnerabilities
The breach stretched over three weeks before detection, during which attackers pivoted across systems, deployed web shells, and leveraged living-off-the-land tools.
On July 11, 2024, the adversaries exploited the first GeoServer and by July 24 used the same flaw to breach a second GeoServer. They then moved laterally from web infrastructure into SQL servers. In each environment, they dropped web shells (e.g., China Chopper), uploaded custom scripts for persistence and privilege escalation, and used tools such as Stowaway to establish encrypted proxy channels.
Their tactics included cron jobs for persistence, abuse of valid accounts, and disabling or bypassing protections on public-facing servers. In some cases, endpoint protection was completely absent. Their reconnaissance included scanning via fscan, ping sweeps, and internal enumeration of hosts and services.
CISA also mapped the attacker’s tradecraft to the MITRE ATT&CK framework. They used techniques such as Exploit Public-Facing Applications (T1190), Command and Scripting (PowerShell, T1059), Proxy (Stowaway, T1090), Defense Evasion via web shells and BITS jobs (T1202, T1197), and Brute Force credential attacks (T1110) for lateral movement.
The agency’s investigation also revealed three failures that cumulatively enabled this campaign. First, the agency delayed remediating known vulnerabilities. CVE-2024-36401 had been publicly disclosed 11 days before the first exploitation and 25 days before the second.
Second, the agency’s incident response plan (IRP) was untested, lacked protocols for third-party collaboration, and prevented rapid deployment of external tools. That delay affected CISA’s ability to respond efficiently.
Third, and perhaps most crucial, EDR alerts were not actively reviewed and crucial systems lacked endpoint defenses. The threat actors remained undetected for three weeks because alerts on the first GeoServer went unnoticed and the web server had no endpoint coverage.
CISA in its advisory asked organizations to effectively strengthen three domains: Prevent, Prepare, Detect/Respond. Under Prevent, they advise aggressive patching of public-facing systems—especially known exploited vulnerabilities in CISA’s KEV (Known Exploited Vulnerabilities) catalog. Under Prepare, the agency urges maintaining and regularly exercising IRPs, and building robust logging systems that aggregate logs off-site. Under Detect/Respond, CISA calls for continuous review of alerts, deploying endpoint protections on all public-facing systems, and implementing behaviors-based anomaly detection.
By making this advisory public, CISA effectively exposed not just one agency’s weakness, but systemic risks many organizations face; Complacency in patch management, brittle incident planning, and alert overload or blind spots in security operations.
