CVE-2025-58360: GeoServer XXE Vulnerability Under Active Exploitation
CVE ID: CVE-2025-58360
Severity: HIGH | CVSS: 8.2
Sources: 2 different security sources
Let Me Explain What Happened
Let me walk you through something important that's happening right now in the geospatial software world. GeoServer, which is a widely-used open source tool for sharing and editing map data, has a serious security flaw that attackers are actively exploiting in the wild. Think of it like this: imagine if someone could slip a note through your mail slot that not only gets read, but also tricks your house into opening all your filing cabinets and reading their contents back to the attacker. That's essentially what's happening here with something called an XML External Entity (XXE) vulnerability. CISA—the U.S. Cybersecurity and Infrastructure Security Agency—added this to their Known Exploited Vulnerabilities catalog on December 11th, 2025, which is their way of saying "this is serious, and it's happening now."
A Bit More Detail
Here's what's going on under the hood. GeoServer exposes an endpoint, /geoserver/wms, whose GetMap operation accepts XML input from users. The problem is that this input isn't properly sanitized or restricted. An attacker can craft a malicious XML request that includes external entity definitions, and the server will process these without proper validation. This allows them to read sensitive files from the server, potentially access internal network resources, and in some cases cause service disruptions. What makes this particularly concerning is that no authentication is required: the attack vector is network-based, the attack complexity is low, and no user interaction is needed.
The Technical Specifics
- Attack Vector: NETWORK (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L)
- Affected Products: GeoServer versions 2.26.0 through 2.26.1, and all versions before 2.25.6
- CWE: CWE-611 (Improper Restriction of XML External Entity Reference)
- CVSS Score: 8.2 (High severity according to NVD)
- Impact: High confidentiality impact (attackers can read sensitive data), no integrity impact, and low availability impact (potential for denial of service)
- Authentication Required: None—this is an unauthenticated vulnerability
- Exploitation Status: Active exploitation confirmed by CISA as of December 11th, 2025
Understanding XXE Vulnerabilities
Let me take a moment to explain what an XXE vulnerability really means, because understanding this will help you protect against similar issues in the future. XML (eXtensible Markup Language) is a way of structuring data that's been around for decades. It includes a feature called "external entities" that allows an XML document to reference content from other sources—either other files on the same system or even resources on other systems entirely.
In a properly secured application, these external entity references would be disabled or strictly controlled. But when they're not, an attacker can craft an XML payload that tells the application "go read this file and include its contents in your response to me." This is particularly dangerous because:
- The attacker can read sensitive configuration files (like /etc/passwd on Linux systems)
- They can potentially access cloud metadata services in cloud environments
- They can probe internal network resources that wouldn't normally be accessible from the outside
- In some cases, they can cause the application to consume excessive resources, leading to denial of service
The Timeline of Discovery and Disclosure
Here's how this vulnerability came to light and why you're hearing about it now. The vulnerability was identified in GeoServer and tracked internally as GEOS-11682 in the OSGeo project's issue tracker. The GeoServer security team published a security advisory (GHSA-fjf5-xgmq-5525) on their GitHub repository, and patches were released in versions 2.25.6, 2.26.3, and 2.27.0. The official CVE was published on November 25th, 2025.
What escalated the urgency significantly was CISA's addition of this vulnerability to their Known Exploited Vulnerabilities catalog on December 11th, 2025. When CISA adds something to the KEV catalog, it means they have concrete evidence that attackers are actively exploiting it in the wild. The Hacker News reported on this development on December 12th, helping spread awareness to the broader security community.
What You Should Do About This
Let me walk you through the steps you need to take, starting with the most urgent actions:
- Right Now—Immediate Actions:
- Identify your exposure: Determine if you're running GeoServer anywhere in your environment. Check versions 2.26.0, 2.26.1, or any version before 2.25.6. Don't forget about development, staging, and test environments—attackers often target these as stepping stones.
- Assess accessibility: Determine if your GeoServer instances are accessible from the internet. If they are, treat this as a critical priority. Even internal instances should be patched, but internet-facing ones are at immediate risk.
- Review logs: Look for unusual activity in your GeoServer logs, particularly requests to the /geoserver/wms endpoint with GetMap operations. Look for XML payloads that contain DOCTYPE declarations or ENTITY definitions—these are hallmarks of XXE exploitation attempts.
- Consider temporary mitigation: If you cannot patch immediately, consider placing the affected GeoServer instances behind a Web Application Firewall (WAF) with rules to block XML payloads containing external entity declarations, or temporarily restrict access to trusted IP addresses only.
- For the Long Term—Permanent Remediation:
- Patch immediately: Upgrade to GeoServer 2.25.6, 2.26.3, or 2.27.0. These versions contain the fix for this vulnerability. As always, test the upgrade in a non-production environment first, but don't delay deployment to production.
- Verify the fix: After patching, verify that XML external entity processing is properly disabled. You can do this by attempting a benign XXE test payload in a controlled environment to confirm it's blocked.
- Review XML processing across your environment: Use this as an opportunity to audit other applications that process XML input. XXE vulnerabilities are common, and this might not be the only place you're exposed.
- Implement defense in depth: Even after patching, consider implementing additional security controls like network segmentation, principle of least privilege for service accounts, and monitoring for unusual file access patterns.
Detection and Hunting Guidance
If you're a security analyst or incident responder, here's what you should be looking for in your environment:
Log Analysis: Search your web server and application logs for requests to GeoServer's WMS endpoint. Look for patterns like:
POST /geoserver/wms
Content-Type: application/xml
Payloads containing:
- <!DOCTYPE
- <!ENTITY
- SYSTEM "file://
- SYSTEM "http://
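One way to implement the log search above, using the same marker check a WAF rule or request pre-filter from the temporary-mitigation step would apply. This is an added example, not code from this page or from the GeoServer project; it assumes a JSON-lines log format that captures the request body (the ts, src, method, path and body field names are my own), and the sample records are constructed.

```python
import json
import re

# Markers from the hunting guidance above, matched case-insensitively and
# whitespace-tolerant so "<!doctype" or 'SYSTEM  "FILE://' are still caught.
XXE_MARKERS = {
    "doctype": re.compile(r"<!\s*DOCTYPE\b", re.I),
    "entity": re.compile(r"<!\s*ENTITY\b", re.I),
    "system_file": re.compile(r"\bSYSTEM\s*[\"']\s*file:", re.I),
    "system_url": re.compile(r"\bSYSTEM\s*[\"']\s*(?:https?|ftp):", re.I),
}
WMS_PATH = re.compile(r"^/geoserver/wms(?:[/?]|$)", re.I)

def xxe_markers(body):
    """Names of the XXE markers present in a request body (empty if clean)."""
    return [name for name, rx in XXE_MARKERS.items() if rx.search(body)]

def classify(rec):
    """'high' if an ENTITY points at a file:// or URL source, 'medium' for a
    bare DOCTYPE/ENTITY declaration, None for anything else. Only POST bodies
    sent to the WMS endpoint are inspected."""
    if rec.get("method") != "POST" or not WMS_PATH.match(rec.get("path", "")):
        return None
    found = xxe_markers(rec.get("body", ""))
    if not found:
        return None
    if "entity" in found and any(n.startswith("system_") for n in found):
        return "high"
    return "medium"

def hunt(log_lines):
    """Scan JSON-lines records (assumed log format with a captured body)."""
    hits = []
    for line in log_lines:
        rec = json.loads(line)
        level = classify(rec)
        if level:
            hits.append({"ts": rec["ts"], "src": rec["src"], "level": level,
                         "markers": xxe_markers(rec["body"])})
    return hits

# Constructed sample records, not real traffic; bodies are abbreviated.
SAMPLE_LOG = [
    '{"ts":"2025-12-12T09:00:01Z","src":"10.0.0.5","method":"GET","path":"/geoserver/wms?SERVICE=WMS&REQUEST=GetMap","body":""}',
    '{"ts":"2025-12-12T09:00:02Z","src":"10.0.0.6","method":"POST","path":"/geoserver/wms","body":"<?xml version=\\"1.0\\"?><GetMap service=\\"WMS\\"/>"}',
    '{"ts":"2025-12-12T09:00:03Z","src":"203.0.113.9","method":"POST","path":"/geoserver/wms","body":"<!DOCTYPE GetMap [<!ENTITY ext SYSTEM \\"file:///etc/passwd\\">]><GetMap>&ext;</GetMap>"}',
    '{"ts":"2025-12-12T09:00:04Z","src":"203.0.113.9","method":"POST","path":"/geoserver/wms","body":"<!DOCTYPE GetMap [<!ENTITY ext SYSTEM \\"http://169.254.169.254/\\">]><GetMap>&ext;</GetMap>"}',
    '{"ts":"2025-12-12T09:00:05Z","src":"10.0.0.7","method":"POST","path":"/geoserver/wms","body":"<!DOCTYPE GetMap><GetMap/>"}',
]
```

hunt(SAMPLE_LOG) returns the three POST records carrying markers, the two with a SYSTEM source rated high and the bare DOCTYPE rated medium; the GET request and the plain XML POST are skipped.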
Network Monitoring: Watch for unusual outbound connections from your GeoServer instances, particularly to internal metadata services (like 169.254.169.254 in AWS environments) or unexpected external hosts.
File Access Monitoring: If you have file integrity monitoring or audit logging enabled, look for the GeoServer process accessing sensitive files it wouldn't normally read, such as /etc/passwd, /etc/shadow, or application configuration files containing credentials.
Going Deeper: MITRE ATT&CK Mapping
For those of you who map threats to the MITRE ATT&CK framework, this vulnerability and its exploitation would typically involve:
- Initial Access: T1190 - Exploit Public-Facing Application (the XXE vulnerability in the web-accessible GeoServer instance)
- Discovery: T1083 - File and Directory Discovery (using XXE to enumerate and read files on the system)
- Credential Access: T1552.001 - Unsecured Credentials: Credentials In Files (if attackers use XXE to read configuration files containing passwords or API keys)
- Collection: T1005 - Data from Local System (exfiltrating sensitive data through the XXE vulnerability)
Why This Matters to You
Even if you're not running GeoServer yourself, this vulnerability teaches us some important lessons. First, it reminds us that open source software—while incredibly valuable—requires active maintenance and monitoring. The GeoServer team responded responsibly with patches, but those patches only help if they're applied. Second, it highlights the importance of input validation. XML processing, in particular, has a long history of security issues, and any application that accepts XML input needs to be carefully configured to disable dangerous features like external entity processing. Finally, CISA's KEV catalog is an invaluable resource. When they add something to that list, it should trigger immediate action in your organization.
Where I Found This Information
- National Vulnerability Database - CVE-2025-58360 (Authoritative source for CVSS scoring and technical details)
- CISA Alert - Known Exploited Vulnerability Addition (Credibility: 10 - Confirmation of active exploitation)
- The Hacker News - CISA Flags Actively Exploited GeoServer XXE Flaw (Credibility: 7 - Security news coverage)
- GeoServer Security Advisory GHSA-fjf5-xgmq-5525 (Official vendor advisory)
- OSGeo Issue Tracker - GEOS-11682 (Technical issue tracking)
Note: This is automated security intelligence based on multiple sources. Always test updates carefully before applying them everywhere. The information presented here is current as of December 12th, 2025, and you should always check for the latest updates from the GeoServer project and your security vendors.