Inside a Breach: CISA’s Lessons from an Incident Response

Executive Summary
CISA began incident response efforts at a U.S. federal civilian executive branch (FCEB) agency following the detection of potential malicious activity identified through security alerts generated by the agency’s endpoint detection and response (EDR) tool. CISA identified three lessons learned from the engagement that illuminate how to effectively mitigate risk, prepare for, and respond to incidents:

  1. Vulnerabilities were not promptly remediated,
  2. The agency did not test or exercise their incident response plan (IRP), and
  3. EDR alerts were not continuously reviewed.

Key Actions

  1. Prevent compromise by prioritizing the patching of critical vulnerabilities in public-facing systems and known exploited vulnerabilities.
  2. Prepare for incidents by maintaining, practicing, and updating incident response plans.
  3. Prepare for incidents by implementing comprehensive and verbose logging and aggregate logs in a centralized out-of-band location.

Context

  • Date: September 2025
  • Source: CISA Advisory AA25-266A
  • Focus: CVE-2024-36401 (GeoServer Exploitation)

When the Cybersecurity and Infrastructure Security Agency (CISA) steps in, it’s rarely theoretical.
In this case, a U.S. Federal Civilian Executive Branch (FCEB) agency detected unusual activity through its Endpoint Detection and Response (EDR) tool.

The subsequent investigation revealed a multi-week compromise, lateral movement through public-facing systems, and misuse of open-source tools — all starting from an unpatched GeoServer vulnerability (CVE-2024-36401).

CISA’s post-engagement analysis is more than a report: it is a blueprint for what every organization should do to avoid a similar compromise.


Incident Timeline:

  • June 30, 2024: CVE-2024-36401 disclosed (GeoServer RCE)
  • July 11, 2024: Attackers exploited first GeoServer
  • July 15, 2024: Vulnerability added to CISA’s KEV Catalog
  • July 24, 2024: Attackers compromised second GeoServer
  • July 31 – Aug 1, 2024: Detected via EDR; CISA engaged
  • Aug 8 – Sept 3, 2024: Full incident response conducted

Attack Analysis

Attackers leveraged:

  • Burp Suite for vulnerability scanning
  • CVE-2024-36401 (Eval Injection) for remote code execution
  • China Chopper web shells and the Stowaway proxy tool for persistence and command and control
  • Living-off-the-land (LOTL) techniques for stealth

They exploited both unpatched servers and gaps in monitoring — a combination seen repeatedly across public and private sector compromises.
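The gap in monitoring is where a defender can act even before the patch lands. As an added example (not code from the advisory or from this page), the Python below scans web access logs for the request shape the public exploit uses. The GeoServer security advisory for CVE-2024-36401 describes the flaw as attribute names being evaluated as XPath expressions by commons-jxpath, so the parameters that should carry a plain attribute name (WFS propertyName and valueReference) are the place to look: legitimate values never contain function-call syntax or Java class references. The log lines, host names and addresses are constructed (RFC 5737 test ranges), and combined-format Apache/nginx access logging is assumed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined-format access log lines, constructed for this example (RFC 5737 test
# addresses; not taken from the advisory). Line 2 carries the documented
# CVE-2024-36401 request shape: an XPath expression where an attribute name belongs.
SAMPLE_LOG = """\
203.0.113.10 - - [11/Jul/2024:03:14:07 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetFeature&typeNames=topp:states&propertyName=STATE_NAME HTTP/1.1" 200 5120
203.0.113.10 - - [11/Jul/2024:03:14:09 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetPropertyValue&typeNames=topp:states&valueReference=exec(java.lang.Runtime.getRuntime(),'id') HTTP/1.1" 400 812
198.51.100.7 - - [11/Jul/2024:03:20:41 +0000] "GET /geoserver/wms?service=WMS&request=GetMap&layers=topp:states&bbox=-180,-90,180,90&width=256&height=256&srs=EPSG:4326&format=image/png HTTP/1.1" 200 40331
203.0.113.10 - - [11/Jul/2024:03:21:02 +0000] "POST /geoserver/wfs HTTP/1.1" 200 1024
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# OGC KVP parameter names are case-insensitive; these two should only ever carry an
# attribute name such as STATE_NAME or topp:the_geom.
PROPERTY_PARAMS = {"propertyname", "valuereference"}
SAFE_PROPERTY_RE = re.compile(r"^[A-Za-z0-9_:./@\[\]\-]*$")
# Java class or method references have no place in any OGC request parameter.
JAVA_REF_RE = re.compile(r"java\.|javax\.|getRuntime|ProcessBuilder|Runtime\.exec", re.I)


def inspect_request(target: str) -> list[str]:
    """Return the reasons a GeoServer request target looks like eval injection (empty if clean)."""
    reasons: list[str] = []
    parts = urlsplit(target)
    if not parts.path.lower().startswith("/geoserver/"):
        return reasons
    # parse_qs percent-decodes once, which is what the server would see.
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:
            if name.lower() in PROPERTY_PARAMS and not SAFE_PROPERTY_RE.match(value):
                reasons.append(f"expression syntax in {name}")
            if JAVA_REF_RE.search(value):
                reasons.append(f"java reference in {name}")
    return reasons


def scan_log(text: str) -> list[dict]:
    """Parse combined-format access-log lines and return one finding per suspicious request."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; a real pipeline would count these
        reasons = inspect_request(m["target"])
        if reasons:
            findings.append({
                "line": lineno, "ip": m["ip"], "ts": m["ts"],
                "status": int(m["status"]), "reasons": reasons, "request": m["target"],
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']} {f['ip']} {f['ts']} status={f['status']}: "
              f"{', '.join(f['reasons'])}")
```

Two caveats worth carrying into a real detection. The detector keys on request shape, not response status, because a successful eval injection may return an error page after the command has already run. And the POST on line 4 is invisible here: the XML body that WFS accepts never reaches an access log, which is exactly why the advisory asks for verbose logging and endpoint protection on the web hosts themselves rather than relying on the proxy's view.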


Lessons Learned:

  1. Vulnerabilities were not promptly remediated.
    • The cyber threat actors exploited CVE-2024-36401 for initial access on two GeoServers.
    • The vulnerability was disclosed June 30, 2024, and the cyber threat actors exploited it for initial access to GeoServer 1 on July 11, 2024.
    • The vulnerability was added to CISA’s KEV Catalog on July 15, 2024, and was still unpatched on July 24, 2024, when the cyber threat actors exploited it for access to GeoServer 2.
    • Note: FCEB agencies are required to remediate vulnerabilities in CISA’s KEV Catalog within prescribed timeframes under Binding Operational Directive (BOD) 22-01. July 24, 2024, was within the KEV-required patching window for this CVE; however, CISA encourages FCEB agencies and critical infrastructure organizations to address KEV Catalog vulnerabilities immediately as part of their vulnerability management plan.
  2. The agency did not test or exercise their IRP, nor did their IRP enable them to promptly engage third parties and grant those third parties access to necessary resources.
    • On Aug. 1, 2024, upon discovering the endpoint alerts, the agency conducted remote triage of affected systems and used their EDR tool to contain the intrusion.
      • After containment, the agency engaged CISA to investigate potential threat actor persistence in their environment.
      • Their IRP did not have procedures for bringing in third parties for assistance, which hampered CISA’s efforts to respond to the incident quickly and efficiently.
        (1) The agency could not provide CISA remote access to their SIEM, hindering analysis.
        (2) The agency had to go through their change control board process before CISA could deploy EDR agents.
        (3) The agency could have proactively identified these roadblocks by testing their IRP, such as via a tabletop exercise.
  3. EDR alerts were not continuously reviewed, and some public-facing systems lacked endpoint protection.
    • The activity remained undetected for three weeks; the agency missed an opportunity to detect this activity on July 15, 2024.
    • The Web Server lacked endpoint protection.
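The first lesson is easy to turn into a standing check. The Python below is an added example, not from the advisory or this page: it ranks vulnerability findings from an asset inventory against a fragment shaped like CISA’s KEV JSON feed (fields cveID, vendorProject, product, vulnerabilityName, dateAdded, dueDate) and applies the Key Actions above, so a public-facing KEV exposure goes to the top immediately regardless of remaining window, and anything past its dueDate is overdue wherever it sits. The catalog fragment and host inventory are constructed; the July 15 dateAdded is from the advisory, while the August 5 dueDate assumes the catalog’s usual three-week window and should be read from the live feed in practice.

```python
from datetime import date

# Fragment in the shape of CISA's KEV JSON feed. Constructed for this example: the
# dateAdded follows the advisory (July 15, 2024); the dueDate assumes the catalog's
# usual three-week window and should be read from the live feed in practice.
KEV_FRAGMENT = {
    "vulnerabilities": [
        {
            "cveID": "CVE-2024-36401",
            "vendorProject": "OSGeo",
            "product": "GeoServer",
            "vulnerabilityName": "GeoServer GeoTools Eval Injection",
            "dateAdded": "2024-07-15",
            "dueDate": "2024-08-05",
        }
    ]
}

# Constructed asset inventory: host names are hypothetical, and "cves" stands in for
# scanner or SBOM matches. "public_facing" is the exposure flag the first Key Action
# tells you to prioritize on.
INVENTORY = [
    {"host": "geoserver-1", "public_facing": True, "cves": ["CVE-2024-36401"]},
    {"host": "geoserver-2", "public_facing": True, "cves": ["CVE-2024-36401"]},
    {"host": "gis-dev-internal", "public_facing": False, "cves": ["CVE-2024-36401"]},
    {"host": "web-server", "public_facing": True, "cves": []},
]


def prioritize(catalog: dict, inventory: list[dict], today: date) -> list[dict]:
    """Rank KEV-listed findings: public-facing first, then overdue, then within window."""
    kev = {v["cveID"]: v for v in catalog["vulnerabilities"]}
    rows = []
    for asset in inventory:
        for cve in asset["cves"]:
            entry = kev.get(cve)
            if entry is None:
                continue  # not in KEV; handled by the normal SLA, not this report
            days_left = (date.fromisoformat(entry["dueDate"]) - today).days
            if asset["public_facing"]:
                rank, label = 0, "P0 patch now (public-facing KEV)"
            elif days_left < 0:
                rank, label = 0, "P0 patch now (KEV due date passed)"
            else:
                rank, label = 1, "P1 within KEV window (schedule emergency change)"
            rows.append({
                "host": asset["host"], "cve": cve, "product": entry["product"],
                "added": entry["dateAdded"], "due": entry["dueDate"],
                "days_left": days_left, "rank": rank, "tier": label,
            })
    # Most urgent first; stable host ordering keeps the report diff-friendly.
    rows.sort(key=lambda r: (r["rank"], r["days_left"], r["host"]))
    return rows


if __name__ == "__main__":
    # July 24, 2024 is the day GeoServer 2 was compromised: inside the window, yet
    # both public-facing hosts already rank P0 under this policy.
    for r in prioritize(KEV_FRAGMENT, INVENTORY, date(2024, 7, 24)):
        print(f"{r['tier']:<48} {r['host']:<18} {r['cve']} due {r['due']} "
              f"({r['days_left']:+d} days)")
```

Run daily against the live catalog rather than a cached copy; the point of the check is that a KEV addition (July 15 in this incident) changes a host's priority the same day, not when the next scan cycle or change-control meeting happens to notice it.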

InfoSecNotes Analysis

These findings highlight a truth every security leader knows but rarely acts upon until post-incident:
breaches happen not due to lack of tools, but lack of operational discipline.

  • Patch latency is still the Achilles’ heel of both public and private sector organizations.
  • Unpracticed IRPs create procedural bottlenecks when response time matters most.
  • Alert fatigue without consistent review renders EDR tools ineffective.

Each point is a reminder that cybersecurity strength depends less on the stack, more on the habit.


CISA Recommendations

  • Establish a vulnerability management plan that includes procedures for prioritization and emergency patching.
  • Maintain, practice, and update cybersecurity IRPs.
  • Implement comprehensive (i.e., large coverage) and verbose (i.e., detailed) logging and aggregate logs in an out-of-band, centralized location.
  • Require phishing-resistant MFA for access to all privileged accounts and email service accounts.
  • Implement allow listing for applications, scripts, and network traffic to prevent unauthorized execution and access.

Final Note — The InfoSec Note

Every engagement leaves a lesson; every lesson leaves a note worth remembering.
In this case, three notes stand out:

  • Patch fast.
  • Practice your plan.
  • Monitor continuously.

Because resilience isn’t built in the heat of an incident — it’s built in the repetition of preparation.

Read full source: CISA Advisory AA25-266A

Reference: CVE-2024-36401, GeoServer Eval Injection