CrowdSec
3/10CrowdSec Score

GeoServer JT-JIFFLE - RCE (CVE-2022-24816)

Published on13-04-2022
First seen on23-11-2024
Public ExploitCVSS 10/10Geosolutions-it - JAI-EXT

451Exploiting IPs reported

JAI-EXT is an open-source project which aims to extend the Java Advanced Imaging (JAI) API. Programs allowing Jiffle script to be provided via network request can lead to a Remote Code Execution as the Jiffle script is compiled into Java code via Janino, and executed. In particular, this affects the downstream GeoServer project. Version 1.2.22 will contain a patch that disables the ability to inject malicious code into the resulting script. Users unable to upgrade may negate the ability to compile Jiffle scripts from the final application, by removing janino-x.y.z.jar from the classpath.

CrowdSec analysis

CVE-2022-24816 is a critical vulnerability affecting applications utilizing JAI-EXT, notably the GeoServer project, allowing for remote code execution via network-supplied Jiffle scripts that are dynamically compiled and executed.

CrowdSec has been tracking this vulnerability and its exploits since 10th of March 2025.

According to CrowdSec data, while opportunistic exploitation dominates, a portion of threat actors trying to exploit CVE-2022-24816 apply basic targeting methods such as port or service detection. This indicates emerging patterns of selective targeting. Data from the CrowdSec community also indicates a gradual decrease in attacks targeting CVE-2022-24816. While still present in the wild, exploitation levels have dropped noticeably week-over-week. This may signal that the vulnerability is becoming less relevant or that defenses are improving fast enough for attackers to lose interest.

Exploitation attempts are primarily directed at URLs containing /geoserver/wms.

Exploitation

Get real-time information about exploitation attempts and actors involved.

Detected IPs

Discover the IPs that targeted this vulnerability across the CrowdSec Network.

Common Weakness Enumeration (CWE)

Protection

Find out relevant information to protect your stack against this CVE.

Blocklist

With our advanced worldwide network detection, CrowdSec can provide a list of IPs known for exploiting the vulnerability.

To increase your protection against this CVE, block exploitation attempts with this list of identified actors.

References