CISA Alerts on Active Exploitation of GeoServer XXE Vulnerability
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently added a significant security vulnerability affecting OSGeo GeoServer to its Known Exploited Vulnerabilities (KEV) catalog, indicating active exploitation in the wild.
Identified as CVE-2025-58360 with a CVSS score of 8.2, this unauthenticated XML External Entity (XXE) flaw impacts all GeoServer versions up to and including 2.25.5, as well as versions 2.26.0 through 2.26.1. The vulnerability has been addressed in subsequent releases: 2.25.6, 2.26.2, 2.27.0, 2.28.0, and 2.28.1. The AI-driven vulnerability discovery platform XBOW has been credited with reporting this issue.
CISA describes the flaw as an improper restriction of XML external entity references. It arises when GeoServer parses XML input supplied to the GetMap operation of the /geoserver/wms endpoint, which lets an unauthenticated attacker declare external entities in the XML request and have the server resolve them.
The affected packages include:
– docker.osgeo.org/geoserver
– org.geoserver.web:gs-web-app (Maven)
– org.geoserver:gs-wms (Maven)
Exploitation of this vulnerability could enable attackers to read arbitrary files on the server's filesystem, perform Server-Side Request Forgery (SSRF) to reach internal systems, or cause a denial of service (DoS) by exhausting server resources through entity expansion. The GeoServer maintainers highlighted these risks in an alert issued late last month.
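The three impact classes above (file read and SSRF via external entities, DoS via nested entity expansion) all leave a fingerprint in the request body before GeoServer ever parses it: a DOCTYPE that declares entities. The following is an added example, not code from GeoServer or from the CISA advisory, of a defensive pre-parse inspection a reverse proxy or detection pipeline could run on a WMS request body. It uses only Python's bundled expat parser, which does not fetch external entities unless an ExternalEntityRefHandler is installed, so inspecting a hostile body here cannot itself cause a file read or outbound request. The sample XML bodies, entity names and the placeholder SYSTEM URI are constructed for the example.

```python
"""Pre-parse inspection of a WMS XML request body for XXE and entity-expansion indicators.

Added example (not GeoServer's own code): relies on xml.parsers.expat, which leaves
external entity references unresolved when no ExternalEntityRefHandler is set.
"""
from dataclasses import dataclass, field
from typing import Optional
import xml.parsers.expat


@dataclass
class XmlInspection:
    has_doctype: bool = False
    # (entity name, system id) for every entity declared with SYSTEM or PUBLIC
    external_entities: list = field(default_factory=list)
    # internal entities whose replacement text references other entities
    nested_internal_entities: list = field(default_factory=list)
    parse_error: Optional[str] = None

    @property
    def verdict(self) -> str:
        """Map the collected indicators to an action a gateway could take."""
        if self.external_entities:
            return "block: external entity declaration (file read / SSRF risk)"
        if self.nested_internal_entities:
            return "block: nested internal entities (entity-expansion DoS risk)"
        if self.has_doctype:
            return "review: DOCTYPE present without entity declarations"
        return "allow"


def inspect_xml(body: bytes) -> XmlInspection:
    """Parse the body with entity resolution disabled and record what the DTD declares."""
    result = XmlInspection()
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        result.has_doctype = True

    def on_entity_decl(name, is_parameter, value, base, system_id, public_id, notation):
        # External entities carry a SYSTEM or PUBLIC identifier and no literal value.
        if system_id is not None or public_id is not None:
            result.external_entities.append((name, system_id))
        # Internal entities that reference other entities are the building block of
        # "billion laughs" style expansion attacks.
        elif value is not None and "&" in value:
            result.nested_internal_entities.append(name)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    # No ExternalEntityRefHandler is installed, so expat skips external references
    # rather than resolving them; the inspection itself never touches the filesystem
    # or the network.
    try:
        parser.Parse(body, True)
    except xml.parsers.expat.ExpatError as exc:
        result.parse_error = str(exc)
    return result


# Constructed sample bodies (not captured traffic).
BENIGN = b"""<?xml version="1.0"?>
<StyledLayerDescriptor version="1.0.0">
  <NamedLayer><Name>roads</Name></NamedLayer>
</StyledLayerDescriptor>"""

EXTERNAL_ENTITY = b"""<?xml version="1.0"?>
<!DOCTYPE sld [ <!ENTITY ext SYSTEM "file:///placeholder/path"> ]>
<StyledLayerDescriptor version="1.0.0">
  <NamedLayer><Name>&ext;</Name></NamedLayer>
</StyledLayerDescriptor>"""

NESTED_ENTITIES = b"""<?xml version="1.0"?>
<!DOCTYPE sld [
  <!ENTITY a "xx">
  <!ENTITY b "&a;&a;">
  <!ENTITY c "&b;&b;">
]>
<StyledLayerDescriptor version="1.0.0">
  <NamedLayer><Name>&c;</Name></NamedLayer>
</StyledLayerDescriptor>"""


if __name__ == "__main__":
    for label, body in [("benign", BENIGN), ("external", EXTERNAL_ENTITY), ("nested", NESTED_ENTITIES)]:
        print(f"{label:9s} -> {inspect_xml(body).verdict}")
```

Rejecting any DOCTYPE outright is the simpler policy and is what most hardened XML parser configurations do; the inspection above keeps the distinction only so that a detection pipeline can label the external-entity case (the CVE's file read and SSRF paths) separately from the expansion case (the DoS path). The real fix remains upgrading to one of the patched GeoServer releases listed above.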
While specific details on real-world exploitation methods remain scarce, the Canadian Centre for Cyber Security reported on November 28, 2025, that an exploit for CVE-2025-58360 is present in the wild.
This development follows the exploitation of another critical GeoServer vulnerability, CVE-2024-36401 (CVSS score 9.8), which was actively targeted by multiple threat actors over the past year. With the new KEV listing, Federal Civilian Executive Branch (FCEB) agencies have been advised to apply the necessary patches by January 1, 2026, to safeguard their networks.