On Thursday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a critical vulnerability in OSGeo GeoServer to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The flaw, tracked as CVE-2025-58360 (CVSS score: 8.2), is an unauthenticated XML External Entity (XXE) vulnerability that affects all versions before 2.25.6 as well as 2.26.0 and 2.26.1.

The vulnerability is fixed in versions 2.25.6, 2.26.2, 2.27.0, 2.28.0, and 2.28.1. The AI-driven vulnerability discovery platform XBOW has been credited with finding and reporting the issue. According to CISA, the flaw stems from improper restriction of XML external entity references when XML input is processed by the GetMap operation of the /geoserver/wms endpoint. An attacker who can submit XML to that endpoint, without authenticating, can declare external entities in the request and have the server's parser resolve them.

Affected packages include the docker.osgeo.org/geoserver container image and the GeoServer Maven artifacts. According to an advisory the maintainers published last month, successful exploitation lets an attacker read files the GeoServer process can access on the server's file system, perform Server-Side Request Forgery (SSRF) against internal systems reachable from the server, or exhaust server resources, resulting in a denial-of-service (DoS) condition.
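To make the file-disclosure consequence concrete, the following is an added Python example (not GeoServer's own Java code, and not a real GeoServer request) showing the two parser behaviours side by side: a parser that resolves external general entities leaks a local file into the parsed content, while one with that feature disabled returns nothing for the same entity. The payload's StyledLayerDescriptor-like shape, the element names, the file name `secret.txt`, and its contents are all constructed for the illustration; the only real mechanism is the `SYSTEM` entity pointing at a file URI. A pre-parse check that rejects any request body carrying a DOCTYPE is included as the kind of defence-in-depth a practitioner would put in front of a parser that handles untrusted XML.

```python
import io
import os
import tempfile
import xml.sax
from pathlib import Path
from xml.sax import handler


class TextCollector(handler.ContentHandler):
    """Collects the character data of everything the parser emits,
    including text pulled in from a resolved external entity."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)

    def text(self) -> str:
        return "".join(self.chunks)


def parse_xml(xml_bytes: bytes, allow_external_entities: bool) -> str:
    """Parse XML with Python's expat-backed SAX reader and return its text.

    feature_external_ges=True makes the reader fetch SYSTEM entities
    (file or URL) and splice their contents into the document: the XXE-prone
    configuration. False leaves the reference unexpanded.
    """
    parser = xml.sax.make_parser()
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.setFeature(handler.feature_external_ges, allow_external_entities)
    parser.parse(io.BytesIO(xml_bytes))
    return collector.text()


def has_doctype(xml_bytes: bytes) -> bool:
    """Cheap pre-parse check: a DTD is never needed in a map request, and
    entities can only be declared inside one, so reject the body outright.
    (XML keywords are case-sensitive, so the uppercase match is exact.)"""
    return b"<!DOCTYPE" in xml_bytes


def parse_untrusted(xml_bytes: bytes) -> str:
    """Hardened path: refuse DOCTYPE, then parse with entity resolution off."""
    if has_doctype(xml_bytes):
        raise ValueError("DOCTYPE not allowed in request body")
    return parse_xml(xml_bytes, allow_external_entities=False)


def build_payload(secret_path: str) -> bytes:
    """Constructed XXE payload: the DTD declares an external entity bound to a
    local file, and the body references it. Assumed element names only."""
    file_uri = Path(secret_path).resolve().as_uri()
    return (
        b'<?xml version="1.0"?>\n'
        b'<!DOCTYPE StyledLayerDescriptor [<!ENTITY xxe SYSTEM "'
        + file_uri.encode() + b'">]>\n'
        b"<StyledLayerDescriptor><NamedLayer><Name>&xxe;</Name>"
        b"</NamedLayer></StyledLayerDescriptor>\n"
    )


def demo() -> dict:
    """Write a constructed secret to a temp dir, then parse the same payload
    with the vulnerable and the hardened settings."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = os.path.join(tmp, "secret.txt")
        with open(secret, "w", encoding="utf-8") as f:
            f.write("db_password=hunter2")  # constructed sample content
        payload = build_payload(secret)
        leaked = parse_xml(payload, allow_external_entities=True)
        unexpanded = parse_xml(payload, allow_external_entities=False)
        try:
            parse_untrusted(payload)
            rejected = False
        except ValueError:
            rejected = True
    return {"leaked": leaked, "unexpanded": unexpanded, "rejected": rejected}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The same entity mechanism explains the other two outcomes the advisory lists: point the `SYSTEM` identifier at an `http://` address on an internal network and the server makes the request on the attacker's behalf (SSRF); declare entities that expand into one another and the parser burns memory and CPU on the expansion (DoS). The example performs neither. Note that the DOCTYPE check is deliberately blunt and will also reject a DOCTYPE inside a comment or CDATA section; for a request type that never legitimately carries a DTD, that trade-off is the right one.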

Details about how the vulnerability is being exploited in the wild remain sparse. However, a bulletin issued by the Canadian Centre for Cyber Security on November 28, 2025, confirmed that an exploit for CVE-2025-58360 is being used in attacks, which makes prompt patching a priority for organizations running affected versions.

GeoServer has been a recurring target: another serious flaw in the same software, CVE-2024-36401 (CVSS score: 9.8), has been exploited by multiple threat actors over the past year. In line with Binding Operational Directive 22-01, Federal Civilian Executive Branch (FCEB) agencies are required to apply the fixes for CVE-2025-58360 by January 1, 2026, to secure their networks against active threats.

The addition underscores the need for organizations to track the exposed software in their environments and to act on exploitation reports quickly, not just on severity scores. For defenders investigating a suspected compromise, the MITRE ATT&CK framework offers a way to map what an exploitation chain against an internet-facing GeoServer instance would look like, from initial access through the vulnerable endpoint to follow-on discovery and exfiltration of files the server can read, and to organize detection and response around those techniques.
