CISA Flags Actively Exploited GeoServer Vulnerability in KEV Catalog
- John Jordan
- 4 hours ago
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical security flaw affecting OSGeo GeoServer to its Known Exploited Vulnerabilities (KEV) catalog. This move comes in response to evidence of active exploitation in the wild, highlighting the urgent need for organizations to patch their systems. The vulnerability, identified as CVE-2025-58360, is an XML External Entity (XXE) flaw that could allow attackers to access sensitive files or perform other malicious actions.
Key Takeaways
CISA has added CVE-2025-58360, an XXE vulnerability in OSGeo GeoServer, to its KEV catalog due to active exploitation.
The flaw affects specific versions of GeoServer and has been patched in later releases.
Successful exploitation can lead to arbitrary file access, Server-Side Request Forgery (SSRF), and denial-of-service (DoS) attacks.
Federal agencies are mandated to apply fixes by January 1, 2026.
Vulnerability Details
The vulnerability, CVE-2025-58360, carries a CVSS score of 8.2 and impacts all GeoServer versions up to and including 2.25.5, as well as versions 2.26.0 through 2.26.1. Patches are available in versions 2.25.6, 2.26.2, 2.27.0, 2.28.0, and 2.28.1. The issue arises from an improper restriction of XML external entity references when the application accepts XML input through an operation endpoint: the parser resolves entity declarations supplied by the client, so an attacker can embed external entities in an XML request and have the server process them.
Affected packages include:
docker.osgeo.org/geoserver
org.geoserver.web:gs-web-app (Maven)
org.geoserver:gs-wms (Maven)
Potential Impact
Exploitation of this XXE vulnerability can have severe consequences. Attackers could potentially:
Access arbitrary files from the server's file system.
Conduct Server-Side Request Forgery (SSRF) to interact with internal systems.
Launch denial-of-service (DoS) attacks by exhausting server resources.
While specific details on how the vulnerability is being abused in real-world attacks are not yet public, the Canadian Centre for Cyber Security confirmed on November 28, 2025, that an exploit exists in the wild.
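As an added illustration (not code from the GeoServer project or from this article), the following Python gate shows the mitigation a defender would place in front of an XML operation endpoint, for example in a reverse proxy or middleware: every XXE variant described above, whether aimed at file access, SSRF or entity-expansion denial of service, needs a DTD to declare its entities, so a request body that carries one can be refused before it ever reaches the XML parser. The function names, the size limit and the sample request bodies are constructed for this example; the benign request is shaped like a WFS GetFeature call, and the rejected one uses a placeholder file path.

```python
"""Refuse XML request bodies that declare a DTD before they reach the parser.

Added example (hypothetical middleware, not GeoServer code). OGC requests
never need a DOCTYPE, so any DTD or entity declaration is grounds to reject.
"""
import re
import xml.etree.ElementTree as ET

MAX_BODY_BYTES = 1_000_000  # constructed default; tune per deployment

# DOCTYPE or ENTITY declaration anywhere in the body, case-insensitive.
# Matching anywhere (not only in the prolog) is deliberate: a false positive
# on odd CDATA text is acceptable for a security gate, a miss is not.
_DTD_MARKER = re.compile(rb"<!(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)

# UTF-16/UTF-32 encodings would hide the ASCII marker from the byte scan;
# reject them outright rather than try to transcode untrusted input.
_WIDE_PREFIXES = (b"\xff\xfe", b"\xfe\xff", b"\x00\x00\xfe\xff", b"<\x00", b"\x00<")


class RejectedXml(ValueError):
    """Raised when a body is refused before or during parsing."""


def check_xml_body(body: bytes, max_bytes: int = MAX_BODY_BYTES) -> ET.Element:
    """Validate an XML request body and return its parsed root element.

    Rejects oversized bodies, wide-character encodings the scanner cannot
    inspect, any DTD/entity declaration, and malformed XML, in that order.
    """
    if len(body) > max_bytes:
        raise RejectedXml("body exceeds size limit")
    if body.startswith(_WIDE_PREFIXES):
        raise RejectedXml("unsupported encoding")
    if _DTD_MARKER.search(body):
        raise RejectedXml("DTD declarations are not accepted")
    try:
        # ElementTree does not fetch external entities, and the DTD check above
        # has already removed the only way to declare them.
        return ET.fromstring(body)
    except ET.ParseError as exc:
        raise RejectedXml(f"malformed XML: {exc}") from exc


def classify(body: bytes, max_bytes: int = MAX_BODY_BYTES) -> str:
    """Return 'accepted' or 'rejected: <reason>' for a request body."""
    try:
        check_xml_body(body, max_bytes)
        return "accepted"
    except RejectedXml as exc:
        return f"rejected: {exc}"


# Constructed sample bodies (not captured traffic).
BENIGN_REQUEST = (
    b'<?xml version="1.0" encoding="UTF-8"?>\n'
    b'<GetFeature service="WFS" version="1.1.0" xmlns="http://www.opengis.net/wfs">'
    b'<Query typeName="example:layer"/></GetFeature>'
)
DTD_REQUEST = (
    b'<?xml version="1.0"?>\n'
    b'<!DOCTYPE GetFeature [<!ENTITY ext SYSTEM "file:///placeholder/path">]>\n'
    b'<GetFeature xmlns="http://www.opengis.net/wfs">&ext;</GetFeature>'
)

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_REQUEST), ("dtd", DTD_REQUEST)):
        print(f"{label}: {classify(body)}")
```

The gate runs before parsing on purpose: checking the raw bytes costs nothing, does not depend on which parser features a given library exposes, and covers the expansion DoS case as well, since an entity bomb also needs a DOCTYPE to define its entities.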
Remediation and Mandates
CISA has mandated that Federal Civilian Executive Branch (FCEB) agencies must apply the necessary fixes by January 1, 2026, to secure their networks against this actively exploited vulnerability. Private organizations are also strongly encouraged to review the KEV catalog and address this and other vulnerabilities within their infrastructure.
This incident follows a previous critical flaw (CVE-2024-36401) in GeoServer, which was also exploited by threat actors and added to the KEV catalog last year, underscoring the ongoing security challenges associated with widely used open-source software.
Sources
CISA Flags Actively Exploited GeoServer XXE Flaw in Updated KEV Catalog, The Hacker News.
U.S. CISA adds an OSGeo GeoServer flaw to its Known Exploited Vulnerabilities catalog, Security Affairs.