U.S. CISA adds an OSGeo GeoServer flaw to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds an OSGeo GeoServer flaw to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added an OSGeo GeoServer flaw, tracked as CVE-2025-58360 (CVSS Score of 8.2), to its Known Exploited Vulnerabilities (KEV) catalog.

GeoServer is an open-source server that allows users to share and edit geospatial data.

GeoServer (v2.26.0–2.26.1 and v2.25.x before 2.25.6) contained an XML External Entity (XXE) flaw in the /geoserver/wms GetMap endpoint. Because XML input wasn’t properly sanitized, attackers could embed external entities in requests, potentially accessing internal files or triggering server-side requests. The vulnerability is fixed in versions 2.25.6, 2.26.3, and 2.27.0.

“GeoServer is an open source server that allows users to share and edit geospatial data. From version 2.26.0 to before 2.26.2 and before 2.25.6, an XML External Entity (XXE) vulnerability was identified.” reads the advisory. “The application accepts XML input through a specific endpoint /geoserver/wms operation GetMap. However, this input is not sufficiently sanitized or restricted, allowing an attacker to define external entities within the XML request.”

No technical details are yet available on how CVE-2025-58360 is being exploited in attacks in the wild. Canada’s Cyber Centre confirmed on November 28, 2025, that an exploit is already active in the wild.

“Open-source reporting indicates that an exploit for CVE-2025-58360 exists in the wild.” reads the alert published by the Canadian Centre for Cyber Security. “The Cyber Centre encourages users and administrators to review the provided web links and apply the necessary updates.”

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix this vulnerability by January 1st, 2026.

In September 2025, US CISA revealed that threat actors exploited an unpatched vulnerability in GeoServer to breach a U.S. federal civilian agency’s network.

Threat actors breached a U.S. federal agency via unpatched GeoServer flaw, tracked as CVE-2024-36401 (CVSS score of 9.8), which is a critical remote code execution (RCE) issue.

In mid-July 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities (KEV) catalog.

CISA launched incident response at a U.S. FCEB agency after its EDR tool detected potential malicious activity. The attackers gained access to the agency’s network on July 11, 2024.

Once inside the agency’s network, the attackers exploited the same vulnerability to access a second GeoServer and moved laterally to two other servers.

Threat actors moved laterally to a web and SQL server, deploying web shells like China Chopper and scripts for persistence, remote access, and privilege escalation. They also leveraged living-off-the-land techniques to evade detection.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, US CISA Known Exploited Vulnerabilities catalog)