The US cybersecurity agency CISA on Thursday warned that threat actors have been exploiting a recent OSGeo GeoServer vulnerability in attacks.
Tracked as CVE-2025-58360 (CVSS score of 9.8), the critical-severity bug is described as an XML External Entity (XXE) issue that could allow attackers to read arbitrary files on the server, conduct server-side request forgery (SSRF) attacks, or cause denial-of-service (DoS) conditions.
“The application accepts XML input via a specific endpoint /geoserver/wms operation GetMap. However, this input is not sufficiently sanitized or restricted, allowing an attacker to define external entities within the XML request,” GeoServer’s maintainers said last month.
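The pattern the maintainers describe, an XML request body handed to a parser that still honours entity declarations, is the textbook XXE setup: a DOCTYPE in the body declares an entity whose SYSTEM identifier points at a local file or an internal URL, and the parser dutifully fetches it. The Python below is an added illustration, not GeoServer's code, of the two controls a practitioner would want on any such endpoint: refuse any DOCTYPE before parsing, and switch off external entity resolution in the parser as a second layer. The GetMap-style body, its element names, the namespace and the file:// target are all constructed for the example.

```python
"""Added example: rejecting XXE payloads in an XML request body (not GeoServer code)."""
import io
import re
import xml.sax
import xml.sax.handler

# Constructed sample bodies for a WMS GetMap-style POST. The element names
# and namespace are illustrative, not taken from a real GeoServer request.
MALICIOUS_XML = b"""<?xml version="1.0"?>
<!DOCTYPE GetMap [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<GetMap xmlns="http://www.opengis.net/ows" service="WMS" version="1.3.0">
  <Title>&xxe;</Title>
</GetMap>
"""

BENIGN_XML = b"""<?xml version="1.0"?>
<GetMap xmlns="http://www.opengis.net/ows" service="WMS" version="1.3.0">
  <Title>roads</Title>
</GetMap>
"""

# A request body that needs no DTD should not carry one. Matching on the raw
# bytes also catches a DOCTYPE tucked inside a comment or CDATA section; the
# price is an occasional false positive, acceptable for a reject-first check.
_DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)


def has_doctype(raw: bytes) -> bool:
    """True if the body declares a DTD, the only place XML entities can be defined."""
    return _DOCTYPE_RE.search(raw) is not None


class _TextCollector(xml.sax.handler.ContentHandler):
    """Collects character data so we can see what the parser actually produced."""

    def __init__(self) -> None:
        super().__init__()
        self.chunks: list[str] = []

    def characters(self, content: str) -> None:
        self.chunks.append(content)


def parse_hardened(raw: bytes) -> str:
    """Parse untrusted XML: reject DOCTYPE up front, and disable external
    entity resolution in the parser as a second layer of defence."""
    if has_doctype(raw):
        raise ValueError("DOCTYPE/DTD not permitted in request body")
    parser = xml.sax.make_parser()
    # Standard-library SAX features; both exist on the expat reader.
    parser.setFeature(xml.sax.handler.feature_external_ges, False)  # general entities
    parser.setFeature(xml.sax.handler.feature_external_pes, False)  # parameter entities
    handler = _TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(raw))
    return "".join(handler.chunks).strip()


def is_rejected(raw: bytes) -> bool:
    """Convenience wrapper: True if the hardened parser refuses the body."""
    try:
        parse_hardened(raw)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("benign title:", parse_hardened(BENIGN_XML))
    print("malicious rejected:", is_rejected(MALICIOUS_XML))
```

The DOCTYPE check does the real work: with no DTD there is nothing for `&xxe;` to resolve to, so file reads, SSRF and entity-expansion DoS are all cut off at once. GeoServer itself is Java; the equivalent hardening there is to set the Xerces feature `http://apache.org/xml/features/disallow-doctype-decl` to true on the `DocumentBuilderFactory` or `SAXParserFactory` in use, which is what the "reject DOCTYPE" step above models.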
Patches for the security defect were included in GeoServer version 2.28.1, which was announced on November 25. The update also addressed a medium-severity XSS vulnerability in the application (tracked as CVE-2025-21621).
Packages impacted by the issue include docker.osgeo.org/geoserver, org.geoserver.web:gs-web-app (Maven), and org.geoserver:gs-wms (Maven), which should be updated to versions 2.25.6, 2.26.3, or 2.27.0.
On Thursday, CISA added CVE-2025-58360 to its Known Exploited Vulnerabilities (KEV) catalog, without providing details on the observed in-the-wild exploitation.
However, based on advisories from cybersecurity firm Wiz and the Canadian Cyber Centre, an exploit for the bug has existed since late November.
Per Binding Operational Directive (BOD) 22-01, federal agencies have three weeks to identify and patch vulnerable GeoServer instances within their environments.
It’s worth noting that CVE-2025-58360 is the third exploited GeoServer vulnerability documented by CISA this year. In June, it warned of CVE-2022-24816’s exploitation and in July it warned that CVE-2024-36401 had been targeted in attacks.
In September, CISA revealed that, four days before its July alert, a threat actor exploited the year-old GeoServer defect to compromise a federal agency.
Related: Unpatched Gogs Zero-Day Exploited for Months
Related: Google Patches Mysterious Chrome Zero-Day Exploited in the Wild
Related: Microsoft Patches 57 Vulnerabilities, Three Zero-Days
Related: Android Zero-Days Patched in December 2025 Security Update
