CISA Flags Actively Exploited GeoServer XXE Flaw in Updated KEV Catalog

December 12, 2025

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a high-severity security flaw impacting OSGeo GeoServer to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation in the wild.

The vulnerability in question is CVE-2025-58360 (CVSS score: 8.2), an unauthenticated XML External Entity (XXE) flaw that affects all versions up to and including 2.25.5, as well as versions 2.26.0 through 2.26.1. It has been patched in versions 2.25.6, 2.26.2, 2.27.0, 2.28.0, and 2.28.1. Artificial intelligence (AI)-powered vulnerability discovery platform XBOW has been acknowledged for reporting the issue.

“OSGeo GeoServer contains an improper restriction of XML external entity reference vulnerability that occurs when the application accepts XML input through a specific endpoint /geoserver/wms operation GetMap and could allow an attacker to define external entities within the XML request,” CISA said.

The following packages are affected by the flaw –

  • docker.osgeo.org/geoserver
  • org.geoserver.web:gs-web-app (Maven)
  • org.geoserver:gs-wms (Maven)

Successful exploitation of the vulnerability could allow an attacker to access arbitrary files from the server’s file system, conduct Server-Side Request Forgery (SSRF) to interact with internal systems, or launch a denial-of-service (DoS) attack by exhausting resources, the maintainers of the open-source software said in an alert published late last month.

There are currently no details available on how the security defect is being abused in real-world attacks. However, a bulletin from the Canadian Centre for Cyber Security on November 28, 2025, said “an exploit for CVE-2025-58360 exists in the wild.”

It’s worth noting that another critical flaw in the same software (CVE-2024-36401, CVSS score: 9.8) has been exploited by multiple threat actors over the past year. Federal Civilian Executive Branch (FCEB) agencies are advised to apply the required fixes by January 1, 2026, to secure their networks.
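
For teams working toward that deadline, the following added example (not code from CISA, OSGeo or the original article) sorts a GeoServer inventory against the affected and patched version ranges quoted above. The hostnames, the sample versions and the handling of pre-release tags such as SNAPSHOT or RC as "review" are assumptions made for illustration.

```python
import re

# Version ranges as stated in the article:
#   affected: all releases up to and including 2.25.5, plus 2.26.0 through 2.26.1
#   patched:  2.25.6, 2.26.2, 2.27.0, 2.28.0, 2.28.1
FIRST_FIXED_PATCH = {(2, 25): 6, (2, 26): 2}
VERSION_RE = re.compile(
    r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?(?:[-.]?([A-Za-z][\w.]*))?\s*$"
)
ORDER = {"affected": 0, "review": 1, "not_affected": 2}


def classify(version):
    """Return 'affected', 'not_affected' or 'review' for one version string."""
    m = VERSION_RE.match(version)
    if not m:
        return "review"  # unparseable: someone has to check the host by hand
    branch = (int(m.group(1)), int(m.group(2)))
    patch = int(m.group(3)) if m.group(3) is not None else None
    suffix = m.group(4)  # pre-release tag, e.g. SNAPSHOT or RC (assumed styles)

    if branch < (2, 25):
        return "affected"  # everything before the 2.25 branch is in range
    if branch in FIRST_FIXED_PATCH:
        if patch is not None and patch < FIRST_FIXED_PATCH[branch]:
            return "affected"
        # Missing patch level or a pre-release tag: the build cannot be
        # placed relative to the fixed release, so flag it for review.
        return "review" if (patch is None or suffix) else "not_affected"
    return "review" if suffix else "not_affected"  # 2.27 and later


def triage(inventory):
    """Return (host, version, status) rows, affected hosts first."""
    rows = [(host, ver, classify(ver)) for host, ver in inventory.items()]
    return sorted(rows, key=lambda r: (ORDER[r[2]], r[0]))


if __name__ == "__main__":
    # Constructed inventory: hostnames and versions are made up for the example.
    sample = {
        "gis-prod-01": "2.25.5",
        "gis-prod-02": "2.26.2",
        "gis-dev-01": "2.26-SNAPSHOT",
        "gis-legacy": "2.24.4",
        "gis-new": "2.28.1",
    }
    for host, ver, status in triage(sample):
        print(f"{status:13} {host:12} {ver}")
```
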

Some parts of this article are sourced from:
thehackernews.com
