SECURITYWEEK NETWORK:

ICS:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Recent GeoServer Vulnerability Exploited in Attacks

Because user input is not sufficiently sanitized, attackers could exploit the flaw to define external entities within an XML request.
CISA KEV

The US cybersecurity agency CISA on Thursday warned that threat actors have been exploiting a recent OSGeo GeoServer vulnerability in attacks.

Tracked as CVE-2025-58360 (CVSS score of 9.8), the critical-severity bug is described as an XML External Entity (XXE) issue that could allow attackers to access arbitrary files, conduct SSRF attacks, or cause denial-of-service (DoS) conditions.

“The application accepts XML input through a specific endpoint /geoserver/wms operation GetMap. However, this input is not sufficiently sanitized or restricted, allowing an attacker to define external entities within the XML request,” GeoServer’s maintainers said last month.

Patches for the security defect were included in GeoServer version 2.28.1, which was announced on November 25. The update also addressed a medium-severity XSS vulnerability in the application (tracked as CVE-2025-21621).

Packages impacted by the issue include docker.osgeo.org/geoserver, org.geoserver.web:gs-web-app (Maven), and org.geoserver:gs-wms (Maven), which should be updated to versions 2.25.6, 2.26.3, or 2.27.0.

On Thursday, CISA added CVE-2025-58360 to its Known Exploited Vulnerabilities (KEV) list, without providing details on the observed in-the-wild exploitation.

Advertisement. Scroll to continue reading.

However, based on advisories from cybersecurity firm Wiz and the Canadian Cyber Centre, an exploit for the bug has existed since late November.

Per Binding Operational Directive (BOD) 22-01, federal agencies have three weeks to identify and patch vulnerable GeoServer instances within their environments.

It’s worth noting that CVE-2025-58360 is the third exploited GeoServer vulnerability documented by CISA this year. In June, it warned of CVE-2022-24816’s exploitation and in July it warned that CVE-2024-36401 had been targeted in attacks.

In September, CISA revealed that, four days before its July alert, a threat actor exploited the year-old GeoServer defect to compromise a federal agency.

Related: Unpatched Gogs Zero-Day Exploited for Months

Related: Google Patches Mysterious Chrome Zero-Day Exploited in the Wild

Related: Microsoft Patches 57 Vulnerabilities, Three Zero-Days

Related: Android Zero-Days Patched in December 2025 Security Update

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

More from

Latest News

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Webinar: A Step-by-Step Approach to AI Governance
April 28, 2026

With "Shadow AI" usage becoming prevalent in organizations, learn how to balance the need for rapid experimentation with the rigorous controls required for enterprise-grade deployment.

Register

Virtual Event: Threat Detection and Incident Response Summit
May 20, 2026

Delve into big-picture strategies to reduce attack surfaces, improve patch management, conduct post-incident forensics, and tools and tricks needed in a modern organization.

Register

People on the Move

Neill Feather has been named Chief Executive Officer at Point Wild.

Oasis Security has appointed Michael DeCesare as President.

Sterling Wilson has joined IGEL as Global Field CTO, Business Continuity and Disaster Recovery.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.