CISA Warns of Actively Exploited GeoServer Unauthenticated XML External Entity (XXE) Vulnerability (CVE-2025-58360)
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added an OSGeo GeoServer vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, confirming that the flaw is being exploited in the wild. Tracked as CVE-2025-58360, the vulnerability is rated High severity with a CVSS score of 8.2. Successful exploitation allows an unauthenticated attacker to retrieve arbitrary files from the server's file system.
GeoServer is an open-source server software written in Java for sharing, processing, and editing geospatial data. It enables interoperability by publishing data from various spatial sources using open standards from the Open Geospatial Consortium (OGC).
Vulnerability Details
GeoServer accepts XML request bodies on the /geoserver/wms endpoint for the WMS GetMap operation. The XML parser that processes this input does not reject DOCTYPE declarations or disable external entity resolution, so an attacker can declare an external entity in the request and have the server resolve it. No authentication is required to submit the request.
An XML External Entity (XXE) attack occurs when a weakly configured XML parser processes input that references an external entity. The parser resolves the reference on the attacker's behalf, which can disclose confidential data, cause denial of service, allow port scanning of internal networks from the parser's host, and have other system impacts. The root cause is parser configuration, not input content, so the fix is to harden the parser rather than to filter requests.
Upon successful exploitation of the vulnerability, an attacker can perform the following:
- Read arbitrary files from the server’s file system.
- Conduct Server-Side Request Forgery (SSRF) to interact with internal systems.
- Execute Denial of Service (DoS) attacks by exhausting resources.
Affected versions
- GeoServer 2.26.0 before 2.26.2
- GeoServer 2.25.0 before 2.25.6
Mitigation
Users should upgrade to GeoServer 2.25.6 or 2.26.2, or to a later release; 2.27.0, 2.28.0, and 2.28.1 all include the fix.
For more information, please refer to the GeoServer Security Advisory.
Qualys Detection
Qualys customers can scan their devices with QID 733470 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://github.com/geoserver/geoserver/security/advisories/GHSA-fjf5-xgmq-5525
https://geoserver.org/announcements/vulnerability/2025/01/27/geoserver-2-26-2-released.html
https://geoserver.org/announcements/vulnerability/2025/04/03/geoserver-2-27-0-released.html
https://geoserver.org/announcements/vulnerability/2025/10/14/geoserver-2-28-0-released.html
https://geoserver.org/announcements/vulnerability/2025/11/25/geoserver-2-28-1-released.html