CYBER SYRUP
Delivering the sweetest insights on cybersecurity.

CISA Warns of Active Exploitation of Critical GeoServer XXE Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has confirmed active exploitation of a critical vulnerability in OSGeo GeoServer, a widely used open-source geospatial server platform. The flaw, tracked as CVE-2025-58360, enables unauthenticated attackers to read arbitrary files, conduct server-side request forgery (SSRF), or trigger denial-of-service conditions. CISA has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, requiring rapid remediation across federal environments.

Context

GeoServer is commonly deployed to publish, share, and edit geospatial data using open standards. It is used across government agencies, utilities, mapping services, and private-sector organizations that rely on spatial data services.

Due to its exposure on public-facing networks and its role in critical infrastructure and government systems, GeoServer vulnerabilities have become a recurring target for attackers. CVE-2025-58360 is now the third GeoServer vulnerability this year confirmed to be exploited in real-world attacks.

What Happened

CISA disclosed on Thursday that threat actors are actively exploiting CVE-2025-58360, a critical XML External Entity (XXE) vulnerability in GeoServer’s Web Map Service (WMS) GetMap endpoint.

The flaw was patched by GeoServer maintainers in late November, but evidence suggests exploit code has been circulating since shortly after disclosure. While CISA did not publish technical exploitation details, multiple security organizations have confirmed exploitation activity dating back to November.

Under Binding Operational Directive 22-01, U.S. federal agencies have three weeks to identify and remediate vulnerable GeoServer instances.

Technical Breakdown

CVE-2025-58360 stems from improper handling of XML input passed to the /geoserver/wms GetMap operation.

Because external entity definitions are not sufficiently restricted, attackers can craft malicious XML payloads that cause GeoServer to:

  • Read arbitrary files from the server

  • Perform SSRF attacks against internal services

  • Exhaust system resources, leading to denial of service

Affected packages include Docker images and Maven artifacts tied to GeoServer’s WMS components. Secure versions include 2.25.6, 2.26.3, and 2.27.0, with GeoServer 2.28.1 providing the primary upstream fix.
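The following is an added example, not code from CISA, the GeoServer project or this newsletter: a small Python scanner that flags WMS GetMap requests whose query parameters carry an inline DOCTYPE or entity declaration, which is the precondition for the XXE path described above. The access-log lines are constructed, and the assumption that GetMap accepts XML through parameters such as SLD_BODY is mine rather than something this article states; adjust the parameter handling to match your deployment.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (not real traffic). Assumed format:
#   client - - [timestamp] "METHOD path?query HTTP/1.1" status bytes
# Lines 2 and 3 carry a DTD with an external entity inside SLD_BODY (assumed
# XML-bearing parameter); line 4 is a benign inline style; line 5 is not GetMap.
SAMPLE_LOG = """\
10.0.0.5 - - [04/Dec/2025:10:01:02 +0000] "GET /geoserver/wms?SERVICE=WMS&VERSION=1.3.0&REQUEST=GetMap&LAYERS=demo:roads&BBOX=-130,24,-66,50&WIDTH=800&HEIGHT=600&CRS=EPSG:4326&FORMAT=image/png HTTP/1.1" 200 45321
10.0.0.9 - - [04/Dec/2025:10:01:07 +0000] "GET /geoserver/wms?SERVICE=WMS&REQUEST=GetMap&LAYERS=demo:roads&SLD_BODY=%3C%3Fxml+version%3D%221.0%22%3F%3E%3C%21DOCTYPE+sld+%5B%3C%21ENTITY+ext+SYSTEM+%22file%3A%2F%2F%2Ftmp%2Fexample%22%3E%5D%3E%3CStyledLayerDescriptor%3E%26ext%3B%3C%2FStyledLayerDescriptor%3E HTTP/1.1" 500 812
10.0.0.9 - - [04/Dec/2025:10:01:09 +0000] "GET /geoserver/wms?SERVICE=WMS&REQUEST=GetMap&LAYERS=demo:roads&SLD_BODY=%3C%21DOCTYPE+sld+%5B%3C%21ENTITY+ext+SYSTEM+%22http%3A%2F%2Finternal.example%2F%22%3E%5D%3E%3CStyledLayerDescriptor%3E%26ext%3B%3C%2FStyledLayerDescriptor%3E HTTP/1.1" 500 812
10.0.0.7 - - [04/Dec/2025:10:02:30 +0000] "GET /geoserver/wms?SERVICE=WMS&REQUEST=GetMap&LAYERS=demo:roads&SLD_BODY=%3CStyledLayerDescriptor+version%3D%221.0.0%22%3E%3CNamedLayer%3E%3CName%3Edemo%3Aroads%3C%2FName%3E%3C%2FNamedLayer%3E%3C%2FStyledLayerDescriptor%3E HTTP/1.1" 200 40110
10.0.0.7 - - [04/Dec/2025:10:03:00 +0000] "GET /geoserver/wfs?SERVICE=WFS&REQUEST=GetCapabilities HTTP/1.1" 200 9000
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A DOCTYPE or ENTITY declaration in client-supplied XML is what makes XXE possible.
DTD_RE = re.compile(r"<!(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)
# External identifiers name what the parser would fetch: file:// (file read) or http:// (SSRF).
EXTERNAL_RE = re.compile(r'\b(?:SYSTEM|PUBLIC)\s+"([^"]*)"', re.IGNORECASE)


def inspect_getmap(line):
    """Return a finding for a GetMap request carrying a DTD in a parameter, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.lower().endswith("/wms"):
        return None
    # WMS parameter names are case-insensitive, so normalise the keys.
    params = {k.lower(): v for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    if not any(v.lower() == "getmap" for v in params.get("request", [])):
        return None
    for name, values in params.items():
        for value in values:
            # Only values that look like XML documents are of interest.
            if value.lstrip().startswith("<") and DTD_RE.search(value):
                return {
                    "client": m.group("client"),
                    "time": m.group("time"),
                    "status": m.group("status"),
                    "param": name,
                    "external": EXTERNAL_RE.findall(value),
                }
    return None


def scan_log(text):
    """Run inspect_getmap over every line and collect the findings in order."""
    return [f for f in (inspect_getmap(line) for line in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding['time']} {finding['client']} param={finding['param']} "
              f"status={finding['status']} external={finding['external']}")
```

Two caveats apply when running this against real logs. Access logs only show GET query strings, so XML sent in a POST body or fetched by the server from a URL-referenced style will not appear; inspecting those paths needs request-body logging at a reverse proxy or WAF. And a hit here is a triage signal, not a fix: the remediation the article describes is upgrading to a fixed release.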

Impact Analysis

Successful exploitation can expose sensitive configuration files, credentials, and internal network services. In government and infrastructure environments, this could lead to lateral movement, data exfiltration, or broader system compromise.

CISA has previously documented real-world compromises stemming from unpatched GeoServer flaws, including an incident in which a federal agency was breached through a year-old vulnerability.

Why It Matters

This incident reinforces a recurring pattern: widely deployed open-source infrastructure tools are increasingly targeted shortly after vulnerability disclosure. Organizations that delay patching—even by weeks—face a significantly elevated risk of compromise.

The repeated exploitation of GeoServer also highlights the importance of continuous asset visibility and rapid patch workflows for externally exposed services.

Expert Commentary

Security agencies and researchers emphasize that XXE vulnerabilities remain highly effective due to their versatility and low exploitation barrier.

CISA’s inclusion of CVE-2025-58360 in the KEV catalog signals high confidence in active exploitation and underscores the urgency of remediation.

Key Takeaways

  • CVE-2025-58360 is actively exploited in the wild

  • The flaw allows file disclosure, SSRF, and denial-of-service attacks

  • GeoServer 2.28.1 and later versions fully address the issue

  • Federal agencies must patch within three weeks under BOD 22-01

  • GeoServer has now had three KEV-listed vulnerabilities in 2025
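As an added example (not tooling from CISA or the GeoServer project), here is a Python triage helper that classifies a GeoServer version string from an asset inventory as patched, vulnerable or unknown using only the fixed versions stated in this article. Assumptions not made by the article: within a listed release line, any version at or above the stated fix is treated as patched; release lines the article does not mention are reported as unknown rather than safe; the BOD 22-01 "three weeks" is taken as 21 calendar days from whatever KEV addition date you supply; hostnames and versions in the sample inventory are constructed.

```python
import re
from datetime import date, timedelta

# Fixed versions per release line, exactly as stated in the article.
FIXED_BY_LINE = {
    (2, 25): (2, 25, 6),
    (2, 26): (2, 26, 3),
    (2, 27): (2, 27, 0),
    (2, 28): (2, 28, 1),
}
FULL_FIX = (2, 28, 1)                   # "2.28.1 and later versions fully address the issue"
BOD_22_01_WINDOW = timedelta(days=21)   # assumption: "three weeks" == 21 calendar days

VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Turn '2.27.0', 'v2.26.3-SNAPSHOT' or '2.28' into a (major, minor, patch) tuple."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised GeoServer version: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def _fmt(v):
    return ".".join(map(str, v))


def assess(version_text):
    """Classify one version as patched, vulnerable or unknown, with the reason."""
    v = parse_version(version_text)
    if v >= FULL_FIX:
        return {"version": v, "status": "patched", "reason": "at or after 2.28.1"}
    fixed = FIXED_BY_LINE.get(v[:2])
    if fixed is None:
        # Assumption: a release line the article does not list gets manual review.
        return {"version": v, "status": "unknown",
                "reason": "release line not covered by the stated fixes"}
    if v >= fixed:
        return {"version": v, "status": "patched", "reason": f"at or after {_fmt(fixed)}"}
    return {"version": v, "status": "vulnerable", "reason": f"below {_fmt(fixed)}"}


def remediation_due(kev_added_iso):
    """ISO date by which federal agencies must remediate under BOD 22-01 (21-day assumption)."""
    return (date.fromisoformat(kev_added_iso) + BOD_22_01_WINDOW).isoformat()


def triage(inventory):
    """Map {hostname: version_string} to {hostname: assessment}; unparsable versions are unknown."""
    out = {}
    for host, ver in inventory.items():
        try:
            out[host] = assess(ver)
        except ValueError as exc:
            out[host] = {"version": None, "status": "unknown", "reason": str(exc)}
    return out


# Constructed inventory: hostnames and versions are made up for this example.
SAMPLE_INVENTORY = {
    "gis-prod-01": "2.28.1",
    "gis-prod-02": "2.28.0",
    "gis-legacy": "2.24.4",
    "gis-dev": "2.27.0-SNAPSHOT",
    "gis-unknown": "latest",
}

if __name__ == "__main__":
    for host, result in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12} {result['status']:10} {result['reason']}")
```

Feed the function whatever your asset inventory reports for each GeoServer instance (the version banner, Docker image tag, or Maven artifact version). Anything that comes back as unknown, including releases older than the lines the article names, should be reviewed against the upstream advisory rather than assumed safe.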