CVE-2025-58360
published 2025-11-25


Priority: P1 · 98 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2026-01-01
Exploited in the wild
EPSS: 66.75% (99.2 percentile)
GeoServer is an open source server that allows users to share and edit geospatial data. From version 2.26.0 to before 2.26.2, and before 2.25.6, an XML External Entity (XXE) vulnerability was identified. The application accepts XML input through the /geoserver/wms endpoint (GetMap operation). This input is not sufficiently sanitized or restricted, allowing an attacker to define external entities within the XML request. This issue has been patched in GeoServer 2.25.6, GeoServer 2.26.3, and GeoServer 2.27.0.

Affected (3 ranges)

Vendor     Product    Version range          Fixed in
geoserver  geoserver  < 2.25.6               2.25.6
geoserver  geoserver
geoserver  geoserver  >= 2.26.0, < 2.26.2    2.26.2

Detection & IOCs (extracted from sources)

url:   /geoserver/wms?service=WMS&request=GetMap
path:  /geoserver/wms
other: Content-Type: application/vnd.ogc.sld+xml
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS GeoServer WMS GetMap XML External Entity Injection (CVE-2025-58360)"; flow:established,to_server; http.uri; content:"/wms?"; startswith; content:"service|3d|WMS"; content:"request|3d|GetMap"; fast_pattern; http.content_type; content:"application/xml"; http.request_body; content:"|3c 21|DOCTYPE|20|"; content:"|3c 21|ENTITY|20|"; http.method; content:"POST"; reference:url,helixguard.ai/blog/CVE-2025-58360; reference:cve,2025-58360; classtype:web-application-attack; sid:2065974; rev:1; metadata:affected_product Geoserver, attack_target Server, tls_state TLSDecrypt, created_at 2025_12_01, cve CVE_2025_58360, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2025_12_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
sigma
title: GeoServer WMS GetMap XXE Injection
logsource:
  category: webserver
detection:
  selection:
    http.method: POST
    # all three URI fragments must be present (a repeated key would be invalid YAML)
    http.uri|contains|all:
      - '/wms'
      - 'service=WMS'
      - 'request=GetMap'
    # both XXE markers must be present, matching the Snort and YARA rules
    http.request_body|contains|all:
      - '<!DOCTYPE'
      - '<!ENTITY'
  condition: selection
yara
rule CVE_2025_58360_GeoServer_XXE {
  meta:
    description = "Detects CVE-2025-58360 GeoServer WMS GetMap XXE exploitation attempt"
    reference = "https://nvd.nist.gov/vuln/detail/CVE-2025-58360"
  strings:
    $uri1 = "/geoserver/wms" ascii
    $uri2 = "service=WMS" ascii
    $uri3 = "request=GetMap" ascii
    $xxe1 = "<!DOCTYPE" ascii
    $xxe2 = "<!ENTITY" ascii
    $ct = "application/vnd.ogc.sld+xml" ascii
  condition:
    ($uri1 or $uri2) and $uri3 and $xxe1 and $xxe2 and $ct
}
  • Look for HTTP POST requests to /geoserver/wms or /wfs with service=WMS&request=GetMap parameters combined with Content-Type: application/vnd.ogc.sld+xml header
  • Detect XML request bodies containing both <!DOCTYPE and <!ENTITY declarations in POST requests to WMS GetMap endpoints — these are the XXE injection markers
  • Alert on HTTP 200 responses from GeoServer WMS endpoints that contain both 'ServiceException' and 'java.io.FileNotFoundException' — this indicates successful XXE file read triggering an error-based data leak
  • Use Shodan/FOFA queries to identify exposed GeoServer instances for asset inventory: Shodan title:"geoserver", favicon hash 97540678, or html containing "/geoserver/"
  • The Metasploit module exploits the vulnerability by injecting an XXE entity in the SLD (Styled Layer Descriptor) body; the file content is returned in the error message when the layer name contains the XXE entity reference
  • Affected version range is GeoServer >= 2.26.0 and <= 2.26.1, and all versions <= 2.25.5; patched versions are 2.25.6, 2.26.3, and 2.27.0
  • The vulnerability is unauthenticated: no credentials are required to exploit it, making all internet-exposed GeoServer instances in the affected version range immediately at risk
  • CISA KEV remediation deadline for FCEB agencies is 2026-01-01; the flaw is confirmed actively exploited in the wild
  • Over 14,000 GeoServer instances are exposed online per Shodan; Shadowserver tracks 2,451 IP addresses with GeoServer fingerprints, so the attack surface is large
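As an added example (not from the page's sources, the rule authors, or GeoServer itself), the request- and response-side markers in the bullets above turned into a small triage routine run over constructed HTTP transaction records. The record field names, and accepting application/xml alongside the SLD content type, are assumptions.

```python
from urllib.parse import urlsplit, parse_qs

XML_TYPES = ("application/vnd.ogc.sld+xml", "application/xml")  # assumption: SLD may use either
GETMAP = "/geoserver/wms?service=WMS&request=GetMap"
XXE_BODY = '<!DOCTYPE sld [<!ENTITY e "x">]><StyledLayerDescriptor/>'  # marker only, harmless
LEAK = "<ServiceException>java.io.FileNotFoundException: (constructed)</ServiceException>"

# Constructed sample transactions, not captured traffic; field names are an assumption.
SAMPLE_TRANSACTIONS = [
    {"method": "POST", "uri": GETMAP, "content_type": "application/vnd.ogc.sld+xml",
     "body": "<StyledLayerDescriptor/>", "status": 200, "response": "<png bytes>"},
    {"method": "POST", "uri": GETMAP, "content_type": "application/vnd.ogc.sld+xml",
     "body": XXE_BODY, "status": 200, "response": LEAK},
    {"method": "POST", "uri": GETMAP, "content_type": "application/xml",
     "body": XXE_BODY, "status": 200, "response": "<png bytes>"},
    {"method": "GET", "uri": GETMAP + "&layers=topp:states", "content_type": "",
     "body": "", "status": 200, "response": "<png bytes>"},
]

def is_xxe_getmap_request(tx):
    # Request-side markers: POST to /wms or /wfs, service=WMS and request=GetMap,
    # an XML content type, and both <!DOCTYPE and <!ENTITY in the body.
    if tx["method"].upper() != "POST":
        return False
    parts = urlsplit(tx["uri"])
    if not parts.path.endswith(("/wms", "/wfs")):
        return False
    q = {k.lower(): [v.upper() for v in vs] for k, vs in parse_qs(parts.query).items()}
    if "WMS" not in q.get("service", []) or "GETMAP" not in q.get("request", []):
        return False
    if not tx.get("content_type", "").lower().startswith(XML_TYPES):
        return False
    body = tx.get("body", "")
    return "<!DOCTYPE" in body and "<!ENTITY" in body

def is_xxe_leak_response(tx):
    # Response-side marker: HTTP 200 whose body carries both error strings.
    resp = tx.get("response", "")
    return (tx.get("status") == 200 and "ServiceException" in resp
            and "java.io.FileNotFoundException" in resp)

def triage(transactions):
    # One alert per matching request, escalated when the response also shows the leak.
    alerts = []
    for i, tx in enumerate(transactions):
        if is_xxe_getmap_request(tx):
            verdict = "likely-success" if is_xxe_leak_response(tx) else "attempt"
            alerts.append({"index": i, "verdict": verdict})
    return alerts
```

Running triage over the samples flags record 1 as likely-success (markers in the request and the error strings in a 200 response) and record 2 as an attempt only.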

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck           8.2    HIGH
cisa                9.8    CRITICAL