CISA Releases Cybersecurity Advisory on Lessons Learned from an Incident Response Engagement

CISA released a detailed advisory outlining lessons learned from a significant cyber incident at a U.S. federal civilian executive branch agency. The intrusion began with exploitation of a known vulnerability (CVE-2024-36401) in publicly accessible GeoServer instances; the threat actors exploited it weeks after the vulnerability was publicly disclosed, then used tools including the Stowaway proxy, Burp Suite, and China Chopper web shells to establish persistence and move laterally across systems. The compromise went undetected for three weeks: the known vulnerability had not been patched, endpoint detection and response (EDR) alerts went unmonitored, and the agency's incident response plan (IRP) had gaps. CISA's key takeaways emphasize the urgent need for prompt patching of known exploited vulnerabilities, regularly testing and updating IRPs (especially procedures for third-party involvement), and continuous monitoring backed by centralized logging. The advisory includes technical details on the attackers' tactics mapped to the MITRE ATT&CK framework, indicators of compromise, and actionable mitigation strategies. CISA urges all organizations, particularly those in critical infrastructure, to apply these lessons to strengthen their cybersecurity posture. For more details, refer to the Lessons Learned Advisory.
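The advisory's point about centralized logging is concrete for this CVE: exploitation of CVE-2024-36401 leaves a recognizable shape in the web server logs in front of GeoServer, because the publicly documented technique sends a WFS GetPropertyValue request whose valueReference parameter carries an evaluated expression (for example a Java method call) rather than a plain feature property name. The following is an added example written for this summary, not CISA's code, GeoServer's, or an indicator from the advisory itself. It assumes an Apache/Nginx combined-format access log; the hostnames, addresses, timestamps and request lines are constructed for the example.

```python
"""Flag probable CVE-2024-36401 exploitation attempts in GeoServer access logs.

Added example (not CISA's or GeoServer's code). Assumes combined-format access
logs from a reverse proxy in front of GeoServer. The detection keys on the public
exploitation shape: request=GetPropertyValue with a valueReference that contains
code-like content instead of a property name.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined log format: host ident user [time] "METHOD path HTTP/x" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Tokens that never belong in a legitimate valueReference (a property name or XPath step).
SUSPICIOUS = re.compile(
    r"exec\s*\(|java\.lang|getRuntime|ProcessBuilder|\bjavax\.|\borg\.apache\.",
    re.IGNORECASE,
)

# Constructed sample log lines (RFC 5737 documentation addresses, invented timestamps).
SAMPLE_LOG = """\
203.0.113.10 - - [11/Jul/2024:03:14:07 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetPropertyValue&typeNames=sf:archsites&valueReference=exec(java.lang.Runtime.getRuntime(),'id') HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.7 - - [11/Jul/2024:03:14:09 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetPropertyValue&typeNames=sf:archsites&valueReference=the_geom HTTP/1.1" 200 2048 "-" "QGIS/3.34"
203.0.113.10 - - [11/Jul/2024:03:15:40 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetPropertyValue&typeNames=sf:archsites&valueReference=exec%28java.lang.Runtime.getRuntime%28%29%2C%27whoami%27%29 HTTP/1.1" 200 498 "-" "curl/8.4.0"
192.0.2.55 - - [11/Jul/2024:03:20:01 +0000] "GET /geoserver/web/ HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""


def fully_unquote(value, rounds=3):
    """Percent-decode repeatedly so double encoding does not hide the payload."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyze_line(line):
    """Return a finding dict if the line looks like a CVE-2024-36401 probe, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("path"))
    if "/geoserver" not in parts.path.lower():
        return None
    # parse_qs decodes one layer; keys are lowercased because WFS parameters are case-insensitive.
    params = {k.lower(): v for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    if not any(r.lower() == "getpropertyvalue" for r in params.get("request", [])):
        return None
    for ref in params.get("valuereference", []):
        ref = fully_unquote(ref)
        if SUSPICIOUS.search(ref):
            return {
                "ip": m.group("ip"),
                "time": m.group("time"),
                # A 200 means the server processed the request; pair this with patch status.
                "status": int(m.group("status")),
                "value_reference": ref,
            }
    return None


def scan(log_text):
    """Run analyze_line over every line and return the list of findings."""
    return [f for f in (analyze_line(l) for l in log_text.splitlines()) if f]


def hits_by_source(findings):
    """Count findings per source address, useful for a hunt across weeks of logs."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
    print(hits_by_source(scan(SAMPLE_LOG)))
```

The benign QGIS request (valueReference=the_geom) passes, while both encoded and unencoded exec(...) payloads are flagged with their source address and response status. Run against weeks of centralized logs, the per-source counts give the timeline the advisory says the agency lacked; a match with a 200 response on an unpatched host should be treated as a likely compromise, not merely a probe.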