CISA is sounding the alarm over a critical vulnerability in GeoServer that is being actively exploited in the wild, ordering federal agencies to patch immediately.
The flaw, tracked as CVE-2025-58360, is an unauthenticated XML External Entity (XXE) vulnerability affecting GeoServer versions 2.26.1 and earlier. When exploited, the bug lets attackers retrieve arbitrary files from vulnerable servers, allowing data theft, denial-of-service attacks, or server-side request forgery (SSRF) that can expose internal systems.
GeoServer, an open-source platform for publishing and sharing geospatial data, is widely used across civilian, sci…
CISA is sounding the alarm over a critical vulnerability in GeoServer that is being actively exploited in the wild, ordering federal agencies to patch immediately.
The flaw, tracked as CVE-2025-58360, is an unauthenticated XML External Entity (XXE) vulnerability affecting GeoServer versions 2.26.1 and earlier. When exploited, the bug lets attackers retrieve arbitrary files from vulnerable servers, allowing data theft, denial-of-service attacks, or server-side request forgery (SSRF) that can expose internal systems.
GeoServer, an open-source platform for publishing and sharing geospatial data, is widely used across civilian, scientific, and defense-linked federal environments. “GeoServer is widely used across federal agencies that manage land, water, and geoscience data,” said Louis Eichenbaum, federal CTO of ColorTokens, noting that it often runs alongside ArcGIS and remains connected back to enterprise GIS systems, even in otherwise segmented or air-gapped deployments.
CISA added CVE-2025-58360 to its Known Exploited Vulnerabilities (KEV) catalog this week, citing active exploitation. Advisories from Wiz and the Canadian Centre for Cyber Security indicate that exploit code has circulated since late November, giving attackers a head start before coordinated patching could happen.
An exposed platform with real intelligence value
CVE-2025-58360 (CVSS 9.8 out of 10) stems from GeoServer’s handling of XML input using an insecurely configured XML parser that fails to properly restrict external entity references. A crafted request can force the server to fetch local files or make internal network requests, enabling unauthenticated file disclosure and potential SSRF against systems the GeoServer instance can access.
While XXE bugs are a familiar class of vulnerability, researchers warn that GeoServer’s role inside government environments makes this flaw particularly sensitive. According to Shadowserver, at least 2451 IP addresses with GeoServer fingerprints are currently observable, while Shodan reports more than 14,000 GeoServer instances exposed online.
“What concerns me most about CVE-2025-58360 is that GeoServer has become a strategic intelligence-collection platform for nation-state adversaries,” said Certis Foster, senior threat hunter lead at Deepwatch. “This isn’t companies tracking weather or logistics anymore; this is coordinated infrastructure reconnaissance at scale.”
Foster warned that unauthenticated access through the bug could allow adversaries to extract geospatial intelligence tied directly to energy assets, weather systems, and military locations.
CISA’s alert marks the third GeoServer vulnerability it has flagged as actively exploited in just over a year, following warnings in June 2024 and July 2024 related to earlier flaws. The pattern suggests GeoServer is no longer an incidental target but a recurring one.
Why patching alone may not be enough
While CISA has mandated patching for federal agencies, experts caution that speed is often constrained by operational realities, including asset discovery, dependency mapping, and change-management windows, that can slow even well-resourced teams.
“When vulnerabilities are disclosed in widely deployed platforms like GeoServer, almost no federal agency can realistically patch fast enough,” Eichenbaum noted. “Even if they could, by the time a notice is public, the adversary may already be exploiting it.” That reality reinforces the need for “breach-ready” posture grounded in Zero Trust principles, he added.
Venky Raju, field CTO at ColorTokens, echoed the concern, saying, “open-source developers are quick to respond with fixes, however, enterprises may not be able to patch servers due to internal challenges.” As an interim measure, he recommended isolating affected GeoServer instances using microsegmentation controls to restrict lateral movement, while still maintaining mission operations.
While the CISA notice applied to Federal Civilian Executive Branch (FCEB) agencies, directing them to patch before December 26, 2025, it “strongly urged” all organizations to timely remediate the issue.
SUBSCRIBE TO OUR NEWSLETTER
From our editors straight to your inbox
Get started by entering your email address below.