Threat actors are actively exploiting CVE-2024-36401, a remote code execution vulnerability in GeoServer, to deploy cryptocurrency miners. The vulnerability allows unauthenticated attackers to execute arbitrary commands on vulnerable GeoServer instances. Multiple threat actors have been systematically scanning for exposed GeoServer installations since the vulnerability's disclosure in 2024. The exploitation involves deploying coinminer malware on compromised systems. This represents an active campaign targeting organizations running vulnerable GeoServer instances for cryptocurrency mining operations.