The Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability affecting the widely used OSGeo GeoServer software to its Known Exploited Vulnerabilities (KEV) Catalog. The flaw, tracked as CVE-2025-58360, is an XML External Entity (XXE) vulnerability that attackers are actively exploiting to breach networks and steal sensitive data.
The vulnerability lies within GeoServer’s handling of XML input. Specifically, the application fails to properly sanitize input sent to the /geoserver/wms endpoint during GetMap operations.
According to the advisory, “This input is not sufficiently sanitized or restricted, allowing an attacker to define external entities within the XML request”.
This oversight creates a dangerous opening. By crafting a malicious XML request, an attacker can trick the server’s XML parser into processing external references. This can lead to a cascade of security failures:
- Data Theft: Attackers can “read arbitrary files from the server’s file system,” potentially exposing configuration files, passwords, or other confidential data.
- Internal Scanning: The flaw allows for Server-Side Request Forgery (SSRF), enabling attackers to “interact with internal systems” that are otherwise hidden behind firewalls.
- Service Disruption: Attackers can execute Denial of Service (DoS) attacks by exhausting server resources.
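The defensive counterpart to the parser behaviour described above, as an added example that is not GeoServer's own code: a Python request handler that rejects any DOCTYPE or ENTITY declaration before the body reaches the XML parser, and then parses with external general and parameter entity resolution explicitly disabled, so an entity pointing at a local file or an internal URL is never fetched. The two request bodies are constructed samples rather than captured traffic, and their element layout is a placeholder, not the real WMS GetMap schema.

```python
import io
import re
import xml.sax
from xml.sax import handler

# Constructed sample request bodies (not captured traffic). The element
# layout is a placeholder, not the real WMS GetMap schema.
BENIGN_GETMAP = b"""<?xml version="1.0" encoding="UTF-8"?>
<GetMap service="WMS" version="1.1.1">
  <Layers><Layer><Name>topp:states</Name></Layer></Layers>
  <Format>image/png</Format>
</GetMap>
"""

# Same request shape, but with a DTD that declares an external entity
# pointing at a local file; an unhardened parser would expand &ext; and
# echo the file contents into the response or an error message.
XXE_GETMAP = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE GetMap [ <!ENTITY ext SYSTEM "file:///etc/hostname"> ]>
<GetMap service="WMS" version="1.1.1">
  <Layers><Layer><Name>&ext;</Name></Layer></Layers>
  <Format>image/png</Format>
</GetMap>
"""

# Any DTD is grounds for rejection: external general entities, external
# parameter entities and external DTD subsets all require a DOCTYPE.
_DTD_RE = re.compile(rb"<!DOCTYPE|<!ENTITY", re.IGNORECASE)


def has_dtd_declaration(body: bytes) -> bool:
    """Return True if the request body carries a DOCTYPE or ENTITY declaration."""
    return _DTD_RE.search(body) is not None


class _ElementCollector(handler.ContentHandler):
    """Minimal SAX handler that records element names in document order."""

    def __init__(self) -> None:
        super().__init__()
        self.elements: list[str] = []

    def startElement(self, name: str, attrs) -> None:
        self.elements.append(name)


def parse_request(body: bytes) -> list[str]:
    """Parse an XML request body safely and return its element names.

    Raises ValueError if the body declares a DTD. Even if that check were
    bypassed, the parser is configured not to resolve external entities.
    """
    if has_dtd_declaration(body):
        raise ValueError("DTD declarations are not accepted in requests")

    parser = xml.sax.make_parser()
    # Disable fetching of external general and parameter entities. Recent
    # Python versions already default feature_external_ges to False; setting
    # both explicitly keeps the intent visible and stable across upgrades.
    parser.setFeature(handler.feature_external_ges, False)
    parser.setFeature(handler.feature_external_pes, False)

    collector = _ElementCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(body))
    return collector.elements


if __name__ == "__main__":
    print("accepted:", parse_request(BENIGN_GETMAP))
    try:
        parse_request(XXE_GETMAP)
    except ValueError as exc:
        print("rejected:", exc)
```

Rejecting the DOCTYPE outright is the same policy that hardened Java parsers express with the `disallow-doctype-decl` feature; the second layer (disabling external entity resolution) covers cases where a declaration slips past the byte-level check, for instance through an unexpected encoding.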
Given the active exploitation of this flaw, CISA has set a strict remediation timeline. Federal Civilian Executive Branch (FCEB) agencies are required to patch their systems by January 1, 2026, to protect federal networks.
The maintainers of GeoServer have released updates to address the issue. Administrators are urged to upgrade to GeoServer 2.25.6, 2.26.3, or 2.27.0 immediately.
“This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise,” CISA warned.