- CISA has added a high-severity vulnerability affecting OSGeo GeoServer to its Known Exploited Vulnerabilities catalog due to active exploitation.
- The flaw, CVE-2025-58360, is an unauthenticated XML External Entity (XXE) vulnerability impacting multiple GeoServer versions.
- The issue allows attackers to access server files, conduct internal network interactions, or cause denial-of-service attacks.
- Patched versions of GeoServer have been released, and federal agencies must apply fixes by January 1, 2026.
- An exploit is confirmed to exist in the wild, with another critical GeoServer flaw previously exploited by threat actors.
On December 11, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) included a significant security vulnerability in OSGeo GeoServer in its Known Exploited Vulnerabilities catalog. This decision followed evidence showing the flaw is actively exploited in real-world attacks.
The vulnerability, identified as CVE-2025-58360 with a CVSS score of 8.2, is an unauthenticated XML External Entity (XXE) issue. XXE flaws allow attackers to manipulate XML input to access unauthorized data or services. It affects all versions prior to and including 2.25.5 and 2.26.0 through 2.26.1. The flaw has been resolved in GeoServer versions 2.25.6, 2.26.2, 2.27.0, 2.28.0, and 2.28.1.
According to CISA, the vulnerability arises when the application processes XML requests via the /geoserver/wms GetMap operation. Attackers can define external entities in these XML inputs, which bypasses proper restrictions. This can lead to reading arbitrary files on the server, performing Server-Side Request Forgery (SSRF) to interact with internal systems, or causing denial-of-service (DoS) conditions by consuming resources.
Affected GeoServer packages include docker.osgeo.org/geoserver and Maven packages org.geoserver.web:gs-web-app and org.geoserver:gs-wms. The vulnerability was initially reported by the AI-powered platform XBOW.
A security advisory from the Canadian Centre for Cyber Security on November 28, 2025, stated that an exploit for this vulnerability exists in the wild. While specific attack methods are not detailed, the advisory underscores the urgency of patching affected systems.
Adding to concerns, another critical GeoServer vulnerability (CVE-2024-36401) with a CVSS score of 9.8 has been actively exploited by various threat actors over the past year. Federal Civilian Executive Branch agencies are directed to implement required patches by January 1, 2026, to protect their networks.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- Terraform Labs Founder Do Kwon Sentenced to 15 Years for Crypto Fraud
- Global Stablecoin Frameworks Expand as Banks Embrace Crypto in 2025
- Bitcoin Miners Poised to Lead Corporate Adoption Amid Treasury Slowdown
- Tesla U.S. Sales Sink 23% in November Despite Cheaper Model Launch
- Do Kwon Sentenced to 15 Years for Terra/Luna Collapse Fraud
