
CISA orders feds to patch actively exploited Geoserver flaw

Published:

12 December 2025 at 09:48:31

Alert date:

12 December 2025 at 10:01:42

Source:

bleepingcomputer.com


CISA has issued an emergency directive ordering U.S. federal agencies to immediately patch a critical GeoServer vulnerability that is being actively exploited in XML External Entity (XXE) injection attacks. Federal agencies must apply the vendor patch or mitigation measures to protect their systems from the ongoing exploitation attempts against this flaw in the widely used open-source server software.

Technical details

CVE-2025-58360 is an unauthenticated XML External Entity (XXE) vulnerability in GeoServer 2.26.1 and prior versions. It is triggered when XML input containing external entity references reaches weakly configured XML parsers through the GetMap operation of the /geoserver/wms endpoint. Because the input is not sufficiently sanitized or restricted, attackers can define external entities within XML requests, which can lead to denial of service, disclosure of confidential data, Server-Side Request Forgery (SSRF) against internal systems, and retrieval of arbitrary files from vulnerable servers.
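The following Python is an added defender-side example, not code from the advisory, from CISA or from the GeoServer project. It shows the two controls a practitioner wants in front of an XML-consuming endpoint like the WMS GetMap operation described above: an inspection pass that records any DOCTYPE and external entity declarations for logging, and a strict screen that rejects a request body carrying a DTD before it reaches the real parser. It uses only the standard-library expat bindings, which never fetch external entities unless a handler is installed, and parameter-entity parsing is pinned to NEVER so the external subset is not fetched either. The request bodies, file paths and URLs in it are constructed placeholders; the vendor patch remains the actual fix, and this screen is a compensating control for the interval before it is applied.

```python
import xml.parsers.expat


class DoctypeRejected(ValueError):
    """Raised when a request body carries a DTD and strict screening is on."""


def inspect_xml(body: bytes, reject_doctype: bool = False) -> dict:
    """Parse an XML request body with expat and record DTD/entity declarations.

    External entities are never resolved here: no ExternalEntityRefHandler is
    installed, and parameter-entity parsing is set to NEVER, so neither an
    external DTD subset nor an external parameter entity is fetched.
    """
    findings = {
        "doctype": None,            # (name, system_id) when a DOCTYPE is present
        "external_entities": [],    # entities declared with a SYSTEM/PUBLIC id
        "internal_entities": 0,     # count of inline entity definitions
        "error": None,              # parse error text, if the body is malformed
    }

    parser = xml.parsers.expat.ParserCreate()
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, system_id, public_id, has_internal_subset):
        findings["doctype"] = (name, system_id)
        if reject_doctype:
            # Stop before the DTD body is processed; an exception raised in a
            # handler propagates out of Parse().
            raise DoctypeRejected(f"DOCTYPE '{name}' not allowed in request body")

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        if system_id is not None or public_id is not None:
            findings["external_entities"].append((name, system_id))
        else:
            findings["internal_entities"] += 1

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(body, True)
    except DoctypeRejected:
        raise
    except xml.parsers.expat.ExpatError as exc:
        findings["error"] = str(exc)
    return findings


def screen_getmap_body(body: bytes) -> tuple:
    """Decide whether a WMS POST body may be handed to the application's parser.

    Policy: any DTD is rejected (the same rule as defusedxml's forbid_dtd),
    because a GetMap request has no legitimate need for one.
    """
    try:
        findings = inspect_xml(body, reject_doctype=True)
    except DoctypeRejected as exc:
        return False, str(exc)
    if findings["error"]:
        return False, "malformed XML: " + findings["error"]
    return True, "no DTD present"


# Constructed sample bodies (placeholders, not captured traffic).
BENIGN_SLD_BODY = b"""<?xml version="1.0" encoding="UTF-8"?>
<StyledLayerDescriptor version="1.0.0" xmlns="http://www.opengis.net/sld">
  <NamedLayer><Name>example:roads</Name></NamedLayer>
</StyledLayerDescriptor>"""

XXE_BODY = b"""<?xml version="1.0"?>
<!DOCTYPE sld [
  <!ENTITY ext SYSTEM "file:///placeholder/secret.txt">
]>
<StyledLayerDescriptor version="1.0.0">
  <NamedLayer><Name>&ext;</Name></NamedLayer>
</StyledLayerDescriptor>"""

if __name__ == "__main__":
    print("benign:", screen_getmap_body(BENIGN_SLD_BODY))
    print("with DTD:", screen_getmap_body(XXE_BODY))
    print("findings:", inspect_xml(XXE_BODY))
```

In production the screen sits in a reverse proxy or a servlet filter ahead of GeoServer, and the findings from inspect_xml are what you log and alert on: a DOCTYPE in a GetMap body is itself the indicator, whether or not the entity it declares points at a file, an internal host or a remote DTD.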

Mitigation steps:

Federal agencies must patch by January 1st, 2026 per BOD 22-01. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Network defenders not subject to the federal requirement should still prioritize patching this vulnerability as soon as possible.

Affected products:

GeoServer 2.26.1 and prior versions
OSGeo GeoServer
GeoTools

IOCs:

2,451 IP addresses with GeoServer fingerprints tracked by Shadowserver
Over 14,000 GeoServer instances exposed online according to Shodan
Endpoint: /geoserver/wms operation GetMap

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

This website displays information originating from external sources; Perceptive accepts no responsibility for the accuracy, completeness or timeliness of this information.
