CVE-2025-58360
Published 2025-11-25
Priority P1 · CVSS 3.1 9.8 critical
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, remediation due 2026-01-01
Exploited in the wild
EPSS 66.75% (99.2nd percentile)
GeoServer is an open source server that allows users to share and edit geospatial data. From version 2.26.0 to before 2.26.2 and before 2.25.6, an XML External Entity (XXE) vulnerability was identified. The application accepts XML input through a specific endpoint /geoserver/wms operation GetMap. However, this input is not sufficiently sanitized or restricted, allowing an attacker to define external entities within the XML request. This issue has been patched in GeoServer 2.25.6, GeoServer 2.26.3, and GeoServer 2.27.0.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| geoserver | geoserver | < 2.25.6 | 2.25.6 |
| geoserver | geoserver | — | — |
| geoserver | geoserver | >= 2.26.0 < 2.26.2 | 2.26.2 |
Detection & IOCs (extracted from sources)
suricata / snort (Emerging Threats sid 2065974; the syntax below uses Suricata 5 sticky buffers). Two things to check before relying on it as written: `startswith` anchors `/wms?` at the beginning of the normalized URI, so a POST to GeoServer's default `/geoserver/wms?...` path does not satisfy that match, and the rule requires `Content-Type: application/xml`, whereas the YARA rule and the Metasploit note below key on `application/vnd.ogc.sld+xml`; a detection that matches only one of the two content types will miss the other.
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS GeoServer WMS GetMap XML External Entity Injection (CVE-2025-58360)"; flow:established,to_server; http.uri; content:"/wms?"; startswith; content:"service|3d|WMS"; content:"request|3d|GetMap"; fast_pattern; http.content_type; content:"application/xml"; http.request_body; content:"|3c 21|DOCTYPE|20|"; content:"|3c 21|ENTITY|20|"; http.method; content:"POST"; reference:url,helixguard.ai/blog/CVE-2025-58360; reference:cve,2025-58360; classtype:web-application-attack; sid:2065974; rev:1; metadata:affected_product Geoserver, attack_target Server, tls_state TLSDecrypt, created_at 2025_12_01, cve CVE_2025_58360, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2025_12_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
sigma
title: GeoServer WMS GetMap XXE Injection
logsource:
    category: webserver
detection:
    selection:
        http.method: POST
        # the three URI substrings must all be present (the original listed
        # the same key three times, which is not valid YAML)
        http.uri|contains|all:
            - '/wms'
            - 'service=WMS'
            - 'request=GetMap'
        # both entity markers are required, as the notes below state
        http.request_body|contains|all:
            - '<!DOCTYPE'
            - '<!ENTITY'
    condition: selection
yara
rule CVE_2025_58360_GeoServer_XXE {
    meta:
        description = "Detects CVE-2025-58360 GeoServer WMS GetMap XXE exploitation attempt"
        reference = "https://nvd.nist.gov/vuln/detail/CVE-2025-58360"
    strings:
        $uri1 = "/geoserver/wms" ascii
        $uri2 = "service=WMS" ascii
        $uri3 = "request=GetMap" ascii
        $xxe1 = "<!DOCTYPE" ascii
        $xxe2 = "<!ENTITY" ascii
        $ct = "application/vnd.ogc.sld+xml" ascii
    condition:
        ($uri1 or $uri2) and $uri3 and $xxe1 and $xxe2 and $ct
}
- Look for HTTP POST requests to /geoserver/wms or /wfs with service=WMS&request=GetMap parameters combined with a Content-Type: application/vnd.ogc.sld+xml header
- Detect XML request bodies containing both <!DOCTYPE and <!ENTITY declarations in POST requests to WMS GetMap endpoints — these are the XXE injection markers
- Alert on HTTP 200 responses from GeoServer WMS endpoints that contain both 'ServiceException' and 'java.io.FileNotFoundException' — this indicates a successful XXE file read triggering an error-based data leak
- Use Shodan/FOFA queries to identify exposed GeoServer instances for asset inventory: Shodan title:"geoserver", favicon hash 97540678, or html containing "/geoserver/"
- The Metasploit module exploits the vulnerability by injecting an XXE entity in the SLD (Styled Layer Descriptor) body; the file content is returned in the error message when the layer name contains the XXE entity reference
- Affected version range is GeoServer >= 2.26.0 and <= 2.26.1, and all versions <= 2.25.5; patched versions are 2.25.6, 2.26.3, and 2.27.0
- The vulnerability is unauthenticated — no credentials are required to exploit it, so every internet-exposed GeoServer instance in the affected version range is immediately at risk
- CISA KEV remediation deadline for FCEB agencies is 2026-01-01; the flaw is confirmed actively exploited in the wild
- Over 14,000 GeoServer instances are exposed online per Shodan; Shadowserver tracks 2,451 IP addresses with GeoServer fingerprints — the attack surface is large
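A request- and response-side check implementing the markers listed in the notes above, added here as an example; it is not code from any of the sources or rules quoted on this page. It accepts all three XML content types under which an SLD body reaches GetMap (the ET rule above matches only application/xml, the YARA rule only application/vnd.ogc.sld+xml), matches the OGC parameter names and values case-insensitively, which the quoted rules do not, and flags an HTTP 200 whose body carries both error strings named above. HttpExchange, the sample traffic and the response text are constructed for the example.

```python
"""Request/response checks for the CVE-2025-58360 markers described on this page."""
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Content types under which an SLD body reaches WMS GetMap. The ET rule above
# only matches the first, the YARA rule only the last, so accept all of them.
SLD_XML_TYPES = {"application/xml", "text/xml", "application/vnd.ogc.sld+xml"}
XXE_MARKERS = ("<!DOCTYPE", "<!ENTITY")
LEAK_MARKERS = ("ServiceException", "java.io.FileNotFoundException")


@dataclass
class HttpExchange:
    """One request plus (optionally) its response, as a proxy or WAF log would record it."""
    method: str
    uri: str
    content_type: str = ""
    request_body: str = ""
    status: int = 0
    response_body: str = ""


def _ogc_params(query: str) -> dict:
    """OGC parameter names and values are case-insensitive; normalise both."""
    return {k.lower(): [v.lower() for v in vs] for k, vs in parse_qs(query).items()}


def is_getmap_xxe_request(x: HttpExchange) -> bool:
    """POST to a WMS endpoint, GetMap selected in the query, XML body declaring entities."""
    if x.method.upper() != "POST":
        return False
    parts = urlsplit(x.uri)
    if not parts.path.lower().rstrip("/").endswith("/wms"):
        return False
    params = _ogc_params(parts.query)
    if "wms" not in params.get("service", []) or "getmap" not in params.get("request", []):
        return False
    media_type = x.content_type.split(";", 1)[0].strip().lower()
    if media_type not in SLD_XML_TYPES:
        return False
    return all(marker in x.request_body for marker in XXE_MARKERS)


def is_xxe_leak_response(x: HttpExchange) -> bool:
    """HTTP 200 whose body carries both error strings named in the notes above."""
    return x.status == 200 and all(m in x.response_body for m in LEAK_MARKERS)


def triage(exchanges):
    """Return, per exchange, a tuple of the labels that apply (empty when clean)."""
    verdicts = []
    for x in exchanges:
        labels = []
        if is_getmap_xxe_request(x):
            labels.append("xxe-request")
        if is_xxe_leak_response(x):
            labels.append("xxe-leak-response")
        verdicts.append(tuple(labels))
    return verdicts


# Constructed sample traffic (not captured data).
XXE_SLD = (
    '<?xml version="1.0"?><!DOCTYPE sld [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
    '<StyledLayerDescriptor><NamedLayer><Name>&xxe;</Name></NamedLayer></StyledLayerDescriptor>'
)
BENIGN_SLD = (
    '<StyledLayerDescriptor><NamedLayer><Name>topp:states</Name></NamedLayer></StyledLayerDescriptor>'
)
SAMPLE_TRAFFIC = [
    HttpExchange("POST", "/geoserver/wms?service=WMS&version=1.1.0&request=GetMap",
                 "application/vnd.ogc.sld+xml", XXE_SLD),
    # upper-case parameter names, as many OGC clients send them
    HttpExchange("POST", "/geoserver/wms?SERVICE=WMS&REQUEST=GetMap",
                 "application/xml; charset=UTF-8", XXE_SLD),
    HttpExchange("POST", "/geoserver/wms?service=WMS&request=GetMap",
                 "application/vnd.ogc.sld+xml", BENIGN_SLD),
    HttpExchange("GET", "/geoserver/wms?service=WMS&request=GetMap&layers=topp:states"),
    # probe together with a constructed response carrying the leak markers
    HttpExchange("POST", "/geoserver/wms?service=WMS&request=GetMap",
                 "application/vnd.ogc.sld+xml", XXE_SLD, status=200,
                 response_body="<ServiceExceptionReport><ServiceException>"
                               "java.io.FileNotFoundException: root:x:0:0:root:/root:/bin/bash"
                               "</ServiceException></ServiceExceptionReport>"),
]

if __name__ == "__main__":
    for x, verdict in zip(SAMPLE_TRAFFIC, triage(SAMPLE_TRAFFIC)):
        print(f"{', '.join(verdict) or 'clean':32} {x.method} {x.uri}")
```

The URI test deliberately keys on the path ending in /wms rather than on a fixed prefix, so deployments under a context path other than /geoserver are covered as well.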
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd | 9.8 (v3.1) | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| vulncheck | 8.2 | HIGH | |
| cisa | 9.8 | CRITICAL | |
GHSA
GeoServer is vulnerable to Unauthenticated XML External Entities (XXE) attack via WMS GetMap feature
ghsa · 2025-11-25 · CVE-2025-58360 [HIGH] CWE-611
## Description
An XML External Entity (XXE) vulnerability was identified. The application accepts XML input through a specific endpoint ``/geoserver/wms`` operation ``GetMap``. However, this input is not sufficiently sanitized or restricted, allowing an attacker to define external entities within the XML request.
An XML External Entity attack is a type of attack that occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, port scanning from the perspective of the machine where the parser is located, and other system impacts.
By exploiting this vulner
OSV
GeoServer is vulnerable to Unauthenticated XML External Entities (XXE) attack via WMS GetMap feature
osv · 2025-11-25 · CVE-2025-58360 [HIGH]
Description text identical to the GHSA entry above.
VulnCheck
OSGeo GeoServer Improper Restriction of XML External Entity Reference Vulnerability
vulncheck · 2025 · CVSS 8.2 · CVE-2025-58360 [HIGH] CWE-611
OSGeo GeoServer contains an improper restriction of XML external entity reference vulnerability that occurs when the application accepts XML input through a specific endpoint /geoserver/wms operation GetMap and could allow an attacker to define external entities within the XML request.
Affected: OSGeo GeoServer
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://api.vulncheck.com/v3/index/vulncheck-canaries?cve=CVE-2025-58360&date=2025-12-05; https://api.vulncheck.com/v3/index/vulncheck-canaries?cve=CVE-2025-58360&date=2025-12-06; https://api
CISA
OSGeo GeoServer Improper Restriction of XML External Entity Reference Vulnerability
cisa · 2025-12-11 · CVSS 9.8 · CVE-2025-58360 [CRITICAL] CWE-611
Affected: OSGeo GeoServer
OSGeo GeoServer contains an improper restriction of XML external entity reference vulnerability that occurs when the application accepts XML input through a specific endpoint /geoserver/wms operation GetMap and could allow an attacker to define external entities within the XML request.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: This vulnerability affects an open-source component, third-party library, or a protocol used by different products. For more information, please see: https://github.com/geoserver/geoserver/securi
Suricata
ET WEB_SPECIFIC_APPS GeoServer WMS GetMap XML External Entity Injection (CVE-2025-58360)
suricata · 2025-12-01 · CVSS 8.2 · CVE-2025-58360 [HIGH]
Rule: sid 2065974, reproduced in full under Detection & IOCs above.
Metasploit
GeoServer WMS GetMap XXE Arbitrary File Read
metasploit
This module exploits an XML External Entity (XXE) vulnerability in GeoServer via the WMS GetMap operation. The vulnerability allows reading arbitrary files from the server's file system by injecting an XXE entity in the SLD (Styled Layer Descriptor).
Affected versions:
- GeoServer >= 2.26.0, <= 2.26.1
- GeoServer <= 2.25.5
The file content is returned in the error message when the layer name contains the XXE entity reference.
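The mechanism the Metasploit note above describes (and that the description at the top of the page states in general terms) is that the posted SLD's layer name is where the entity reference sits, and the "unknown layer" error echoes that name back after expansion. The following is an added model of that path written against Python's expat binding; it is not GeoServer code and does not reproduce GeoServer's actual parser or messages. The unpatched branch dereferences the SYSTEM entity and splices the result into <Name>; the hardened branch refuses the DOCTYPE outright, which is what removes the entity declaration capability. FAKE_FS, KNOWN_LAYERS, the SLD documents and the ServiceException wording are constructed for the example; the java.io.FileNotFoundException string mirrors the response marker in the detection notes above, not a verified GeoServer message.

```python
"""Model of the GetMap/SLD parse path: unpatched entity expansion vs. a hardened parser."""
import xml.parsers.expat

# Constructed stand-in for the server's filesystem (assumption; not real data).
FAKE_FS = {"/etc/hostname": "geoserver-prod-01\n"}
# Hypothetical layer catalogue of the modelled server.
KNOWN_LAYERS = {"topp:states"}


class DoctypeRejected(Exception):
    """Raised by the hardened parser: no DOCTYPE, therefore no entity declarations."""


def first_named_layer(sld_xml: str, resolve_external_entities: bool) -> str:
    """Return the text of the first NamedLayer/Name element in an SLD document.

    resolve_external_entities=True models the unpatched parser: a SYSTEM entity
    referenced from content is dereferenced and its text spliced into the
    document.  False models the fix: the DOCTYPE is refused outright, so no
    entity, external or internal, can be declared at all.
    """
    parser = xml.parsers.expat.ParserCreate()
    path, buf, found = [], [], []

    def in_layer_name():
        return len(path) >= 2 and path[-1] == "Name" and path[-2] == "NamedLayer" and not found

    def start(tag, attrs):
        path.append(tag)

    def chars(data):
        if in_layer_name():
            buf.append(data)

    def end(tag):
        if in_layer_name():
            found.append("".join(buf).strip())
        path.pop()

    def external_entity_ref(context, base, system_id, public_id):
        # Unpatched behaviour: fetch whatever the SYSTEM identifier names and
        # parse it as part of the document. The child parser inherits the
        # handlers set below, so the file's text lands in `buf` inside <Name>.
        target = system_id[len("file://"):] if system_id.startswith("file://") else system_id
        if target not in FAKE_FS:
            raise FileNotFoundError(target)
        child = parser.ExternalEntityParserCreate(context)
        child.Parse(FAKE_FS[target], True)
        return 1

    def reject_doctype(name, system_id, public_id, has_internal_subset):
        raise DoctypeRejected("DOCTYPE declarations are not accepted in SLD input")

    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    if resolve_external_entities:
        parser.ExternalEntityRefHandler = external_entity_ref
    else:
        parser.StartDoctypeDeclHandler = reject_doctype
    parser.Parse(sld_xml, True)
    return found[0] if found else ""


def wms_getmap(sld_xml: str, patched: bool) -> str:
    """Observable response of the modelled GetMap handler to a posted SLD body."""
    try:
        layer = first_named_layer(sld_xml, resolve_external_entities=not patched)
    except DoctypeRejected as exc:
        return f"ServiceException: {exc}"
    except FileNotFoundError as exc:
        # A failed dereference surfaces as the response marker the notes above alert on.
        return f"ServiceException: java.io.FileNotFoundException: {exc}"
    if layer not in KNOWN_LAYERS:
        # The leak channel: the error echoes the layer name, which entity
        # expansion has replaced with the file's contents.
        return f"ServiceException: Unknown layer: {layer}"
    return "image/png"


# Constructed SLD bodies (not captured traffic).
XXE_SLD = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE StyledLayerDescriptor [
  <!ENTITY xxe SYSTEM "file:///etc/hostname">
]>
<StyledLayerDescriptor version="1.0.0">
  <NamedLayer><Name>&xxe;</Name><UserStyle><Title>x</Title></UserStyle></NamedLayer>
</StyledLayerDescriptor>"""
MISSING_FILE_SLD = XXE_SLD.replace("/etc/hostname", "/nonexistent")
BENIGN_SLD = """<StyledLayerDescriptor version="1.0.0">
  <NamedLayer><Name>topp:states</Name><UserStyle><Title>x</Title></UserStyle></NamedLayer>
</StyledLayerDescriptor>"""

if __name__ == "__main__":
    for label, doc in (("xxe", XXE_SLD), ("missing", MISSING_FILE_SLD), ("benign", BENIGN_SLD)):
        for patched in (False, True):
            print(f"{label:8} patched={patched!s:5} -> {wms_getmap(doc, patched)}")
```

Refusing the DOCTYPE is the right level to fix at: merely not resolving external entities would still leave internal entity expansion (and its denial-of-service variants) available to the request body.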
Nuclei
GeoServer - XML External Entity Injection
nuclei · CVSS 9.8 · CVE-2025-58360 [CRITICAL]
GeoServer 2.26.0 through 2.26.1 and releases before 2.25.6 contain an XML External Entity (XXE) injection caused by insufficient sanitization of XML input in the /geoserver/wms GetMap operation, letting attackers disclose files or cause DoS; exploitation requires crafted XML input. (The template's own description, reproduced in the YAML below, gives the range as "2.26.0 to 2.26.2 and 2.25.6"; per the advisory text above, 2.25.6 and 2.26.3 are the fixed releases.)
Template:
id: CVE-2025-58360
info:
  name: GeoServer - XML External Entity Injection
  author: lbb,xbow,darses
  severity: high
  description: |
    GeoServer 2.26.0 to 2.26.2 and 2.25.6 contains an XML External Entity (XXE) injection caused by insufficient sanitization of XML input in /geoserver/wms GetMap operation, letting attackers disclose files or cause DoS, exploit requires crafted XML input.
  impact: |
    Attackers can disclose sensitive files or cause denial of service by exploiting XML external entity
Bleepingcomputer
CISA orders feds to patch actively exploited Geoserver flaw
blogs_bleepingcomputer · 2025-12-12 · CVSS 8.2 · [HIGH]
By Sergiu Gatlan
CISA has ordered U.S. federal agencies to patch a critical GeoServer vulnerability now actively exploited in XML External Entity (XXE) injection attacks.
In such attacks, an XML input containing a reference to an external entity is processed by a weakly configured XML parser, allowing threat actors to launch denial-of-service attacks, access confidential data, or perform Server-Side Request Forgery (SSRF) to interact with internal systems.
The security flaw (tracked as CVE-2025-58360 ) flagged by CISA on Thursday is an unauthenticated XML External Entity (XXE) vulnerability in GeoServer 2.26.1 and prior versions (an open-source server for sharing geospatial data over the Internet) that can be exploited to r
Recorded Future
December 2025 CVE Landscape: 22 Critical Vulnerabilities Mark 120% Surge, React2Shell Dominates Threat Activity
blogs_recorded_future · CVSS 7.8 · CVE-2025-55182 [HIGH]
December 2025 witnessed a dramatic 120% increase in high-impact vulnerabilities, with Recorded Future's Insikt Group® identifying 22 vulnerabilities requiring immediate remediation, up from 10 in November. The month was dominated by widespread exploitation of Meta's React Server Components flaw.
What security teams need to know:
- React2Shell pandemonium: CVE-2025-55182 triggered a global exploitation wave with multiple threat actors deploying diverse malware families
- China-nexus exploitation intensifies: Earth Lamia, Jackpot Panda, and UAT-9686 leveraged critical flaws for espionage operations
- Public exploits proliferate: Eleven of 22 vulnerabilities have proof-of-conce
Greynoiseio
NoiseLetter December 2025
blogs_greynoiseio · CVSS 10.0 · [CRITICAL]
2025-11-25 · Published
2025-12-11 · Added to CISA KEV
Exploited in the wild