CVE-2025-58360 – Critical GeoServer WMS Vulnerability Actively Exploited in the Wild

Vulnerability Name: GeoServer WMS XML External Entity (XXE) Vulnerability
CVE ID: CVE-2025-58360
Severity: Critical
CVSS Score: 8.2 – 9.8, depending on the scoring source (9.8 is Critical; 8.2 on its own would rate High under CVSS v3.x)
Status: Actively exploited in the wild


Overview

There is a critical security vulnerability in GeoServer that is being actively exploited right now. This is not a low-risk bug or something attackers might use in the future. Security teams have already confirmed real attacks using this exact flaw.

On December 14, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. CISA adds an entry to that list only when it has evidence that attackers are already using the flaw against real systems.

As a result, U.S. federal agencies have been instructed to patch immediately, with a mandated remediation deadline of January 1, 2026. While that deadline applies to government systems, private organizations should treat this as urgent and act now.

If you run GeoServer to publish maps, spatial data, or GIS services — especially if it is reachable from the internet — your system is at real risk today.


What Exactly Is the Vulnerability?

This issue is tracked as CVE-2025-58360 and affects GeoServer’s Web Map Service (WMS), specifically the GetMap functionality exposed through the /geoserver/wms endpoint.

At its core, this is an XML External Entity (XXE) vulnerability.

A GetMap request can carry XML, for example an inline Styled Layer Descriptor (SLD) document that tells GeoServer how to draw the requested layers. Normally that XML only describes what layers, styles, and projections are needed to generate a map image. The problem is that the parser handling it accepts a DOCTYPE declaration and resolves external entities: an attacker can declare an entity whose SYSTEM identifier is a local file path or a URL, and the parser fetches that target and splices its contents into the document while reading the request.

Because of this, attackers can embed hidden instructions inside a seemingly normal map request, and GeoServer carries them out as part of parsing it.
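The following is an added example, not GeoServer code and not part of the original post: it shows the external entity primitive itself using Python's standard xml.sax parser as a stand-in for whatever parser GeoServer uses. The element names are illustrative; the DOCTYPE block is the part that matters. The same document is parsed twice, once with external entity resolution switched on (the vulnerable configuration) and once with it off (the hardened one). The "secret" file is constructed by the script; an http:// system identifier would be fetched the same way, which is where the SSRF described later comes from.

```python
"""Added example (not GeoServer code): the XML external entity primitive.

A parser that honours DOCTYPE/ENTITY declarations will fetch whatever an
external entity points at (a local file here; an http:// URL works the same
way and gives SSRF) and splice it into the document. The same input parsed
with external entity resolution disabled yields nothing.
"""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Accumulates character data so we can see what the parser expanded."""

    def __init__(self) -> None:
        super().__init__()
        self.parts: list[str] = []

    def characters(self, content: str) -> None:
        self.parts.append(content)

    @property
    def text(self) -> str:
        return "".join(self.parts).strip()


def build_xxe_payload(target_path: str) -> bytes:
    """A request-shaped document that declares an external entity.

    Element names are illustrative (assumption, not GeoServer's schema); the
    DOCTYPE block is what the WAF guidance in this post keys on.
    """
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE MapRequest [\n"
        f'  <!ENTITY xxe SYSTEM "{target_path}">\n'
        "]>\n"
        "<MapRequest><Layer>&xxe;</Layer></MapRequest>\n"
    ).encode()


def parse_request(payload: bytes, resolve_external_entities: bool) -> str:
    """Parse with or without external entity resolution; return the text seen."""
    handler = TextCollector()
    parser = xml.sax.make_parser()
    parser.setContentHandler(handler)
    # This one feature is the difference between the vulnerable and the
    # hardened parser configuration.
    parser.setFeature(feature_external_ges, resolve_external_entities)
    parser.parse(io.BytesIO(payload))
    return handler.text


def demo() -> tuple[str, str]:
    """Returns (text leaked by the vulnerable parser, text from the hardened one)."""
    # Constructed stand-in for a secret such as a datastore credentials file.
    with tempfile.NamedTemporaryFile("w", suffix=".properties", delete=False) as f:
        f.write("db.password=Sup3rS3cret")
        secret_path = f.name
    try:
        payload = build_xxe_payload(secret_path)
        leaked = parse_request(payload, resolve_external_entities=True)
        safe = parse_request(payload, resolve_external_entities=False)
    finally:
        os.unlink(secret_path)
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable parser returned:", repr(leaked))
    print("hardened parser returned:  ", repr(safe))
```

Run it and the first line prints the file contents that the entity pulled in; the second prints an empty string, because the hardened parser skips the external reference entirely. Disabling DOCTYPE processing outright is the stronger fix where the format allows it, since it also removes the entity-expansion denial-of-service vector.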


Vulnerability Explanation

Think of GeoServer like an office clerk whose job is to fetch maps when someone fills out a request form.

A normal request says:

“Please get me this map layer.”

But because of this flaw, an attacker can sneak in extra instructions that say:

“While you’re doing that, also open this file from the server.”
or
“Connect to this internal system and tell me what you find.”

The clerk does not question the request and just does it.

What makes this especially dangerous is that no authentication is required. The attacker does not need a username, password, or any level of access. If they can reach your GeoServer instance over the network, they can attempt the attack.


What Can an Attacker Do With This?

Once exploited, this vulnerability gives attackers several powerful options.

1. Read Sensitive Files From the Server

Attackers can trick GeoServer into reading files that should never be exposed, such as:

  • Configuration files
  • Usernames and passwords
  • API keys and tokens
  • Database connection details
  • Operating system files

This kind of information often leads to full system compromise or access to other services.


2. Use GeoServer to Explore Your Internal Network (SSRF)

This flaw also allows Server-Side Request Forgery (SSRF).

In practical terms, attackers can use your GeoServer as a stepping stone to:

  • Scan internal IP ranges
  • Access internal web services
  • Query cloud metadata endpoints
  • Identify databases or admin panels not exposed to the internet

Because GeoServer is usually trusted by other systems inside your environment, this gives attackers a major advantage.


3. Crash or Overload the Service (Denial of Service)

Attackers can also send malformed or resource-heavy requests, for example entity declarations that expand recursively (the "billion laughs" pattern) or an entity pointing at a target that never finishes responding, that:

  • Consume excessive memory
  • Cause the GeoServer process to hang
  • Crash the service entirely

This can take mapping services offline and disrupt applications or users that depend on them.


Who Is Affected?

You are affected if you are running any of the following GeoServer versions:

Vulnerable Versions

  • GeoServer 2.26.0
  • GeoServer 2.26.1
  • GeoServer 2.25.0 through 2.25.5
  • Any older versions that are no longer supported

If your GeoServer installation has not been updated since late November, or you cannot confirm which release it is running, assume it is vulnerable until proven otherwise.


Active Exploitation Confirmed

This issue is being actively abused:

  • Exploit code has been circulating since late November
  • Security researchers have confirmed successful attacks
  • Detection rules and scanning templates are publicly available
  • CISA has officially classified it as “known exploited”

The vulnerability was originally identified by XBOW, an AI-powered security research platform, and the disclosure quickly led to attacker interest.


How to Fix the Problem Properly

The Correct Fix: Upgrade GeoServer

The GeoServer maintainers released patched versions in late November. Upgrading is the only permanent and reliable fix.

Safe Versions

Upgrade to one of the following versions immediately:

  • 2.25.6 or later on the 2.25.x branch
  • 2.26.2 or later on the 2.26.x branch
  • 2.27.0, 2.28.0, 2.28.1, or any later release

Any 2.25.x release below 2.25.6, any 2.26.x release below 2.26.2, and any branch older than 2.25 should be considered exposed. Where you have the choice, move to the current stable branch rather than the oldest patched one, since older branches eventually stop receiving fixes.


How to Find Vulnerable GeoServer Instances

Method 1: Check the Version Directly

If you have access to the admin interface:

  • Log into GeoServer
  • Check the footer or the About GeoServer page

You can also check via the REST API (substitute a real administrator credential for admin:password; the endpoint requires one):

curl -u admin:password http://SERVER:8080/geoserver/rest/about/version.xml

If the version matches any of the vulnerable releases, action is required immediately.
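Here is an added helper, not GeoServer's own tooling and not from the original post, that turns the REST response above into a verdict. It parses the GeoServer version out of the about/version.xml body and compares it against the fixed releases listed in this post (2.25.6 and 2.26.2, with 2.27 and later safe). The element layout follows the endpoint's XML as I know it (a resource element named GeoServer containing a Version element), but the sample body is constructed so the script runs offline; confirm the layout against a real response before relying on it, and feed it the curl output to triage a live instance.

```python
"""Added example (not GeoServer tooling): triage a GeoServer version reported
by /geoserver/rest/about/version.xml against the releases fixed for
CVE-2025-58360.

The XML layout below is an assumption about the endpoint (a <resource
name="GeoServer"> holding a <Version>); the response body is constructed.
"""
import re
import xml.etree.ElementTree as ET

# First fixed release on each branch that received a patch (from this post).
FIXED_ON_BRANCH = {(2, 25): (2, 25, 6), (2, 26): (2, 26, 2)}
# Branches from this one onward are listed as safe in this post.
FIRST_SAFE_BRANCH = (2, 27)

# Constructed sample response; only the Version element is relied on.
SAMPLE_RESPONSE = b"""<about>
  <resource name="GeoServer">
    <Version>2.26.1</Version>
  </resource>
  <resource name="GeoTools">
    <Version>32.1</Version>
  </resource>
</about>
"""


def parse_version(text: str) -> tuple[int, int, int]:
    """'2.26.1', '2.26.1-SNAPSHOT' or '2.26-RC' -> (2, 26, 1) / (2, 26, 0)."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised GeoServer version: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def geoserver_version_from_about(xml_bytes: bytes) -> str:
    """Pull the GeoServer <Version> out of an about/version.xml body."""
    root = ET.fromstring(xml_bytes)
    for res in root.iter("resource"):
        if res.get("name") == "GeoServer":
            ver = res.findtext("Version")
            if ver:
                return ver.strip()
    raise ValueError("no GeoServer version found in response")


def is_vulnerable(version: str) -> bool:
    """True if the release predates the fix for its branch."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch >= FIRST_SAFE_BRANCH:
        return False
    fixed = FIXED_ON_BRANCH.get(branch)
    if fixed is None:
        # Older, unsupported branches never received a fix.
        return True
    return (major, minor, patch) < fixed


def triage(xml_bytes: bytes) -> tuple[str, str]:
    """Returns (version string, verdict) for one about/version.xml body."""
    version = geoserver_version_from_about(xml_bytes)
    verdict = "VULNERABLE - patch now" if is_vulnerable(version) else "patched"
    return version, verdict


if __name__ == "__main__":
    print("%s: %s" % triage(SAMPLE_RESPONSE))
```

Pipe the curl output into the script for each server in your inventory; anything older than the fixed release for its branch, or on a branch older than 2.25, is reported as vulnerable.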


Method 2: Scan the Network for GeoServer

To locate GeoServer instances across a network:

nmap -p 8080,80,443 --script http-title -sV 192.168.1.0/24 -oG geoserver_scan.txt

Look for:

  • “GeoServer” in page titles
  • Service banners showing GeoServer versions

Note that http-title requests only the site root by default, while GeoServer normally lives under /geoserver/, so the root title may just be the Tomcat or Jetty default page. Point the script at /geoserver/web/ through its http-title.url argument, or follow up manually on every Tomcat or Jetty host the scan turns up.

Method 3: Scan for the Specific Vulnerability

If you perform security testing:

  • Nuclei template: geoserver-wms-sld-xxe.yaml
  • Qualys: QID 733470
  • Tenable/Nessus: Updated web application scan plugins

Only scan systems you own or have permission to test.


Temporary Mitigation Options (If You Cannot Patch Immediately)

If an immediate upgrade is not possible, you must reduce exposure until patching can be completed.


Option 1: Disable WMS (Strongest Short-Term Protection)

Since the vulnerability exists in WMS:

  1. Log into GeoServer Admin
  2. Go to Services → WMS
  3. Uncheck Enable WMS
  4. Save changes

This stops all WMS traffic but leaves WFS and WCS services running. Every client that renders maps through WMS (web map viewers, desktop GIS) will break, so this is a planned outage you are choosing over a compromise; plan for it rather than discovering it from users.


Option 2: Use a Web Application Firewall (WAF)

If GeoServer is public-facing, apply WAF rules that:

  • Block requests to /geoserver/wms from untrusted sources (for external users this is equivalent to disabling WMS)
  • Block XML payloads containing:
    • <!DOCTYPE
    • <!ENTITY
    • SYSTEM
    • PUBLIC

The XML can arrive URL-encoded in a GET query string (sometimes encoded more than once) or as a POST body, so the rule must decode and normalise the request before matching; a plain string match on the raw request line is easy to bypass. Managed WAF rules are preferred for the same reason, as attackers routinely encode payloads to evade simple filters.
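The following added detection example is not from the original post and is not GeoServer or vendor code. It runs the same indicator check over web server access log lines, so you can hunt for attempts in history as well as block them at the edge. The log lines are constructed in a Tomcat/Apache combined-log style; the attack lines carry the XML in an SLD_BODY query parameter, which is one place a GetMap request can carry inline XML (an assumption about the vector, not something this post confirms). The script decodes repeated URL encoding before matching and requires SYSTEM and PUBLIC to be followed by a quote so that a layer named PUBLIC does not trip it. Because POST bodies are not written to access logs, this catches only the query-string variant; pair it with WAF logging or full request capture for POST.

```python
"""Added example (not from the post or the GeoServer project): find XXE
indicators in WMS requests recorded in an access log.

The sample lines are constructed. SLD_BODY as the carrier of the XML is an
assumption. POST bodies are not in access logs, so only GET variants show up.
"""
import re
from urllib.parse import unquote

# Constructed sample lines: a benign GetMap, an XXE attempt in an inline SLD,
# a double-encoded attempt from the same source, and an unrelated request.
SAMPLE_LOG = """\
203.0.113.5 - - [15/Dec/2025:10:01:02 +0000] "GET /geoserver/wms?SERVICE=WMS&REQUEST=GetMap&LAYERS=topp:states&FORMAT=image/png HTTP/1.1" 200 4821
203.0.113.9 - - [15/Dec/2025:10:01:07 +0000] "GET /geoserver/wms?SERVICE=WMS&REQUEST=GetMap&SLD_BODY=%3C%3Fxml%20version%3D%221.0%22%3F%3E%3C!DOCTYPE%20a%20%5B%3C!ENTITY%20x%20SYSTEM%20%22file%3A%2F%2F%2Fetc%2Fpasswd%22%3E%5D%3E HTTP/1.1" 400 317
203.0.113.9 - - [15/Dec/2025:10:01:09 +0000] "GET /geoserver/wms?REQUEST=GetMap&SLD_BODY=%253C%2521DOCTYPE%2520a%2520%255B%253C%2521ENTITY HTTP/1.1" 400 317
198.51.100.2 - - [15/Dec/2025:10:02:00 +0000] "GET /geoserver/web/ HTTP/1.1" 200 9022
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# SYSTEM/PUBLIC must be followed by a quoted identifier to count, which keeps
# ordinary layer or style names containing those words from matching.
XXE_MARKERS = re.compile(r"<!DOCTYPE|<!ENTITY|SYSTEM\s+[\"']|PUBLIC\s+[\"']", re.IGNORECASE)


def fully_decode(s: str, rounds: int = 3) -> str:
    """Undo repeated URL encoding until the string stops changing."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def find_xxe_attempts(log_text: str) -> list[dict]:
    """Return one record per WMS request whose decoded URL carries a DTD marker."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path")
        if "/geoserver/wms" not in path.lower():
            continue
        marker = XXE_MARKERS.search(fully_decode(path))
        if marker:
            hits.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "status": m.group("status"),
                "marker": marker.group(0),
            })
    return hits


if __name__ == "__main__":
    for hit in find_xxe_attempts(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} status={hit['status']} marker={hit['marker']}")
```

A hit with a 200 status deserves far more attention than a 400: the former means the request reached the parser and was answered, the latter may be a scanner probing a patched instance. Either way, follow up with outbound connection logs from the GeoServer host to see whether an entity fetch actually left the box.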


Option 3: Disable External DTD Resolution in the JVM

You can harden the Java runtime by setting the JAXP property javax.xml.accessExternalDTD to an empty string, which tells parsers that honor it to refuse every external DTD and external entity fetch:

-Djavax.xml.accessExternalDTD=

Add this to the JVM options in:

  • Tomcat (CATALINA_OPTS or JAVA_OPTS in setenv.sh or setenv.bat)
  • GeoServer startup scripts (for the bundled Jetty distribution)

Restart GeoServer for the change to take effect.

Two caveats. First, the property only sets a default: a parser that the application configures explicitly, or a parser that does not go through JAXP, can ignore it, so verify the effect with a harmless test request against a non-production instance after the restart rather than assuming it worked. Second, it does nothing against entity-expansion denial of service, which is bounded only by the JDK's own expansion limits. Treat this as a stop-gap, not a substitute for the upgrade.


Option 4: Network Isolation

If GeoServer does not need public access:

  • Restrict access to trusted IPs or VPNs
  • Remove direct internet exposure
  • Block outbound connections from the GeoServer process

Egress filtering blunts SSRF and out-of-band exfiltration; it does not stop file contents that are reflected straight back in the HTTP response, so it complements rather than replaces the other options.


Final Takeaway

CVE-2025-58360 is a critical, unauthenticated vulnerability in GeoServer that is already being exploited. It allows attackers to steal files, probe internal networks, and disrupt services without logging in.

If you run GeoServer:

  • Check your version immediately
  • Upgrade as soon as possible
  • Isolate or mitigate the system until patched

This is one of those situations where delaying action significantly increases risk.

Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.