Vulnerability Management, Governance, Risk and Compliance, Government security, Patch/Configuration Management
December 12, 2025

(Adobe Stock)
The Cybersecurity and Infrastructure Security Agency (CISA) on Dec. 11 advised federal agencies to patch an actively exploited high-severity GeoServer vulnerability.
This GeoServer flaw — CVE-2025-58360 — an unauthenticated XML External Entity (XXE) vulnerability affecting GeoServer 2.26.1 and earlier versions, was also added to CISA’s Known Exploited Vulnerabilities (KEV) catalog.
Shodan reported more than 14,000 instances exposed online, while Shadowserver tracked more than 2,400 IP addresses with GeoServer fingerprints.
GeoServer is widely used to share geospatial data over the internet; attackers can exploit the flaw to retrieve arbitrary files from vulnerable servers.
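As an added example (not GeoServer's code and not part of the article), the following Python shows the application-side hardening that closes this class of bug: refuse any XML body that carries a DOCTYPE or entity declaration before the real parser ever sees it, so an external entity can never be resolved against the server's filesystem. The request bodies are constructed samples, and the file path inside the probe document is a placeholder.

```python
"""Hardened XML intake: reject documents that declare a DOCTYPE or entities.

Added example; not GeoServer code. Sample documents below are constructed.
"""
import xml.parsers.expat
from xml.etree import ElementTree as ET


class UnsafeXMLError(ValueError):
    """Raised when an untrusted document uses the XML features that enable XXE."""


def reject_doctype_and_entities(data: bytes) -> None:
    """Scan `data` with expat and raise UnsafeXMLError at the first DOCTYPE or
    entity declaration.  Parameter-entity parsing is switched off so the scan
    itself never fetches an external resource."""
    parser = xml.parsers.expat.ParserCreate()
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Any DOCTYPE is refused; legitimate service requests do not need one.
        raise UnsafeXMLError(f"DOCTYPE declaration not allowed (root {name!r})")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        # Reached only if a DOCTYPE slipped past; refuse entity definitions too.
        raise UnsafeXMLError(f"entity declaration not allowed: {name!r}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    # Exceptions raised inside a handler propagate out of Parse().
    parser.Parse(data, True)


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Validate-then-parse gate for XML bodies from unauthenticated clients."""
    reject_doctype_and_entities(data)
    return ET.fromstring(data)


# Constructed sample: a benign WFS-style request body.
BENIGN_DOC = b'<GetFeature service="WFS"><Query typeName="roads"/></GetFeature>'

# Constructed sample of the shape an XXE probe takes: a DOCTYPE declaring an
# external entity that points at a local file (placeholder path) and a body
# that references it.  A vulnerable parser would inline the file's contents.
XXE_DOC = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE GetFeature [<!ENTITY ext SYSTEM "file:///placeholder/path">]>'
    b'<GetFeature service="WFS">&ext;</GetFeature>'
)


def classify(data: bytes) -> str:
    """Return 'accepted', 'rejected' (XXE features present) or 'malformed'."""
    try:
        parse_untrusted_xml(data)
        return "accepted"
    except UnsafeXMLError:
        return "rejected"
    except (xml.parsers.expat.ExpatError, ET.ParseError):
        return "malformed"


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_DOC), ("xxe probe", XXE_DOC)):
        print(f"{label}: {classify(doc)}")
```

The same control in a JAXP-based Java service such as GeoServer is the parser feature `http://apache.org/xml/features/disallow-doctype-decl`; the point of the gate above is that the decision is made before any entity can be resolved, so it also protects parsers whose defaults you do not control.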
Certis Foster, senior threat hunter at Deepwatch, said he’s concerned that GeoServer has become a strategic intelligence-collection platform for nation-state adversaries, not just another vulnerability to patch.
Foster said APT groups such as Earth Baxia have systematically targeted the Philippine military, Japanese military, Taiwanese government agencies, and breached a U.S. federal agency just 11 days after patches were available, with activity going undetected for three weeks. Foster added that GeoServer hosts an intelligence goldmine of U.S. federal agency geospatial data from Energy, Treasury, and Homeland Security, sitting alongside NOAA weather infrastructure and military base locations with documented military access controls.
“Now we’re facing an unauthenticated vulnerability affecting over 14,000 exposed instances, with CISA already detecting active exploitation, and every victim maps directly to strategic competitors, who are collecting exactly what they need for military targeting analysis,” said Foster. “This isn’t companies tracking weather or logistics anymore. To be frank, it’s coordinated infrastructure reconnaissance at scale, and adversaries can extract the digital coordinates of our most critical assets from a single platform.”
Louis Eichenbaum, Federal CTO at ColorTokens, pointed out that federal agencies that manage land, water, and geoscience data work very closely with GeoServer. It often operates alongside ArcGIS, particularly in secure or air-gapped environments, yet still maintains connections back to enterprise ArcGIS systems.
“When vulnerabilities are disclosed in widely deployed platforms like GeoServer, almost no federal agency can realistically patch fast enough,” said Eichenbaum. “Even if they could, by the time a notice is public, the adversary may already be exploiting it. This reality underscores the need to implement foundational zero-trust principles.”
Eichenbaum said zero-trust starts with assuming breach. Agencies must continue to harden the perimeter, but they must apply the same rigor to resilience inside the network.
“Assuming the adversary is already ‘inside’ fundamentally changes how we prioritize protections around our most critical assets,” said Eichenbaum. “By implementing a continuously adapting microsegmentation strategy for breach readiness, agencies can contain the blast radius of a GeoServer compromise — preventing an attacker from moving laterally to higher-value systems such as ArcGIS servers and authoritative geospatial data.”

Related
New PCIe flaws hit Intel, AMD processors
SC Staff, December 11, 2025
Intel and AMD have confirmed that some of their processors are impacted by a trio of new low-severity PCI Express flaws, tracked as CVE-2025-9612, CVE-2025-9613, and CVE-2025-9614, according to SecurityWeek.
WinRAR bug added to CISA KEV catalog
SC Staff, December 11, 2025
Ongoing attacks leveraging the high-severity WinRAR path traversal flaw, tracked as CVE-2025-6218, have prompted its inclusion in the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities list, reports The Hacker News.