CrowdSec
5/10CrowdSec Score

GeoServer JT-JIFFLE - RCE (CVE-2022-24816)

Published on13-04-2022
First seen on23-11-2024

235Exploiting IPs reported

JAI-EXT is an open-source project which aims to extend the Java Advanced Imaging (JAI) API. Programs allowing Jiffle script to be provided via network request can lead to a Remote Code Execution as the Jiffle script is compiled into Java code via Janino, and executed. In particular, this affects the downstream GeoServer project. Version 1.2.22 will contain a patch that disables the ability to inject malicious code into the resulting script. Users unable to upgrade may negate the ability to compile Jiffle scripts from the final application, by removing janino-x.y.z.jar from the classpath.

CrowdSec analysis

CVE-2022-24816 is a critical vulnerability affecting applications utilizing JAI-EXT, notably the GeoServer project, allowing for remote code execution via network-supplied Jiffle scripts that are dynamically compiled and executed.

CrowdSec has been tracking this vulnerability and its exploits since 10th of March 2025.

Insights from the CrowdSec network reveal that the attackers trying to exploit CVE-2022-24816 are composed of a fairly even mix of opportunistic and targeted actors. Some attackers employ preliminary reconnaissance, while others use indiscriminate scanning. In addition, according to the CrowdSec network, attack volume against CVE-2022-24816 has dipped slightly compared to the previous week. Although still commonly targeted, the decline suggests a cooling-off period. Long-term relevance remains, but attention is waning.

Exploitation attempts are primarily directed at URLs containing /geoserver/wms.

Exploitation

Get real-time information about exploitation attempts and actors involved.

Detected IPs

Discover the IPs that targeted this vulnerability across the CrowdSec Network.

Protection

Find out relevant information to protect your stack against this CVE.

Blocklist

With our advanced worldwide network detection, CrowdSec can provide a list of IPs known for exploiting the vulnerability.

To increase your protection against this CVE, block exploitation attempts with this list of identified actors.