CISA Warns of OSGeo GeoServer 0-Day Vulnerability Exploited in Attacks


CISA has issued an urgent warning about a critical security flaw in OSGeo GeoServer, a widely used open-source server for sharing geographic data.

CISA has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, indicating that threat actors are actively leveraging this zero-day flaw in attacks targeting both public and private sectors.

The newly disclosed vulnerability, tracked as CVE-2025-58360, is classified as an Improper Restriction of XML External Entity (XXE) Reference.

The flaw lies in the application's handling of XML input, specifically at the /geoserver/wms endpoint during GetMap operations.

CVE ID: CVE-2025-58360
Name: OSGeo GeoServer XXE Vulnerability
Description: XML input in /geoserver/wms GetMap is not properly restricted, allowing external XML entities.
Related CWE: CWE-611
Action: Apply vendor fixes, follow BOD 22-01 for cloud services, or stop using the product.

Security researchers have determined that the software fails to restrict external entities in XML requests properly.

By exploiting this weakness, remote attackers can define malicious external entities in their requests. Successful exploitation could allow unauthorized actors to view files on the server, interact with backend or external systems (Server-Side Request Forgery), or cause denial-of-service conditions.
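The defence against the weakness described above is to refuse the DTD constructs that make XXE possible before any entity can be declared or resolved. The following is an added example written for this article, not GeoServer's own code and not part of the CISA advisory. It assumes the untrusted XML reaches the server as a request string (the SLD_BODY parameter is used here as an illustrative carrier; the advisory names only the /geoserver/wms GetMap endpoint, not the specific parameter), and the sample documents and placeholder URIs below are constructed for the demonstration.

```python
"""Added example: hardened parsing of untrusted XML in a WMS GetMap request.

Example code for this article, not GeoServer's implementation. Assumes the
untrusted XML arrives as a request string; SLD_BODY is used as an assumed
carrier parameter. Sample documents are constructed.
"""
import xml.parsers.expat


class UnsafeXmlError(ValueError):
    """Raised when a document carries DTD constructs that enable XXE."""


def parse_untrusted_xml(data: str) -> dict:
    """Parse client-supplied XML while refusing every XXE vector (CWE-611).

    The whole DOCTYPE is rejected: with no DTD there are no entity
    declarations, no external entity references (file read / SSRF) and no
    entity expansion (denial of service). Returns a small summary of the
    document on success and raises UnsafeXmlError otherwise.
    """
    parser = xml.parsers.expat.ParserCreate()
    # Belt and braces: never process parameter entities even if a DTD slipped through.
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    summary = {"root": None, "elements": 0}

    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise UnsafeXmlError(f"DOCTYPE declaration rejected (name={name!r})")

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        raise UnsafeXmlError(f"entity declaration rejected (name={name!r})")

    def on_external_ref(context, base, system_id, public_id):
        # Never fetch external content on a client's behalf.
        raise UnsafeXmlError(f"external entity reference rejected ({system_id!r})")

    def on_start(name, attrs):
        if summary["root"] is None:
            summary["root"] = name
        summary["elements"] += 1

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = on_start
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        raise UnsafeXmlError(f"malformed XML rejected: {exc}") from exc
    return summary


def screen_getmap(params: dict) -> dict:
    """Screen a GetMap request's inline XML before it reaches the real parser.

    Returns {"allowed": bool, "reason": str}; a rejection reason is suitable
    for a security log line so that XXE attempts are visible to detection.
    """
    body = params.get("SLD_BODY")  # assumed carrier of inline XML
    if body is None:
        return {"allowed": True, "reason": "no inline XML present"}
    try:
        info = parse_untrusted_xml(body)
    except UnsafeXmlError as exc:
        return {"allowed": False, "reason": str(exc)}
    return {"allowed": True, "reason": f"parsed root element {info['root']!r}"}


# Constructed sample inputs.
BENIGN_SLD = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<StyledLayerDescriptor version="1.0.0">'
    "<NamedLayer><Name>roads</Name></NamedLayer>"
    "</StyledLayerDescriptor>"
)

# The shape an XXE attempt takes: an external entity declared in a DTD.
XXE_SHAPED_SLD = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE sld [ <!ENTITY ext SYSTEM "file:///constructed/placeholder"> ]>'
    "<StyledLayerDescriptor><NamedLayer><Name>&ext;</Name></NamedLayer>"
    "</StyledLayerDescriptor>"
)

# The shape an entity-expansion denial-of-service attempt takes.
EXPANSION_SHAPED_SLD = (
    '<!DOCTYPE sld [ <!ENTITY a0 "x"> <!ENTITY a1 "&a0;&a0;&a0;&a0;"> ]>'
    "<StyledLayerDescriptor><Name>&a1;</Name></StyledLayerDescriptor>"
)

if __name__ == "__main__":
    for label, body in [("benign", BENIGN_SLD), ("xxe-shaped", XXE_SHAPED_SLD),
                        ("expansion-shaped", EXPANSION_SHAPED_SLD)]:
        print(label, screen_getmap({"REQUEST": "GetMap", "SLD_BODY": body}))
```

Rejecting the DOCTYPE outright is stricter than selectively disabling external entities, but it is the setting that closes all three outcomes the advisory lists at once, and legitimate styling documents do not need a DTD.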

The confirmation of active exploitation prompted CISA to intervene, requiring federal civilian executive branch (FCEB) agencies to immediately secure their systems.

In accordance with Binding Operational Directive (BOD) 22-01, CISA has mandated that all FCEB agencies must identify and mitigate this vulnerability by January 1, 2026.

While the mandate applies only to federal agencies, CISA strongly urges all organizations that use OSGeo GeoServer to prioritize this update.

The short remediation window reflects the severity of the threat and the active nature of current campaigns. Administrators are advised to apply the relevant vendor mitigations immediately.

If patches are not yet available for specific configurations, organizations should follow CISA's guidance for cloud services or consider temporarily discontinuing use of the affected product until it can be secured.
