Executive Summary
In December 2025, CISA added CVE-2025-58360, an Improper Restriction of XML External Entity Reference vulnerability in OSGeo GeoServer, to its Known Exploited Vulnerabilities (KEV) Catalog after confirming evidence of active exploitation in the wild. The vulnerability allows remote attackers to exploit XML parsing weaknesses to access sensitive data or execute arbitrary code by submitting maliciously crafted XML to the GeoServer platform, which is widely used for geospatial data services. Malicious actors leveraging this flaw can bypass security controls, potentially leading to significant data breaches or operational disruption across organizations dependent on GeoServer.
This incident highlights the increasing urgency of remediating software supply chain and core infrastructure vulnerabilities exploited in real-world attacks. The active exploitation of such high-impact flaws is driving regulatory entities and private organizations to re-examine patch management, incident response, and zero trust controls for critical applications.
Why This Matters Now
With active exploitation confirmed, the CVE-2025-58360 GeoServer vulnerability poses an immediate risk to organizations using exposed geospatial data platforms. Attackers exploiting this flaw can compromise sensitive systems, making timely patching and layered zero trust defenses urgent priorities to mitigate growing threats to both federal and private sector environments.
Attack Path Analysis
Attackers exploited CVE-2025-58360 in GeoServer to gain initial access to the cloud environment. Leveraging the foothold, they sought further access by attempting privilege escalation within the compromised workload. Using this access, the adversaries attempted to move laterally across east-west network paths to identify additional resources or sensitive data. Command and control channels were established to maintain persistence and issue instructions remotely. Sensitive data was then exfiltrated, taking advantage of insufficient egress monitoring. Finally, the attackers posed a risk of business disruption or data encryption, though their reach was potentially limited by existing network segmentation and detection controls.
Kill Chain Progression
Initial Compromise
Description
The attacker exploited OSGeo GeoServer's XXE vulnerability (CVE-2025-58360) to gain unauthorized access to the cloud workload.
Related CVEs
CVE-2025-58360
CVSS 8.2
An XML External Entity (XXE) vulnerability in GeoServer's WMS GetMap operation allows unauthenticated remote attackers to read arbitrary files from the server's file system.
Affected Products:
OSGeo GeoServer – versions >= 2.26.0 and < 2.26.2; versions < 2.25.6
Exploit Status:
Exploited in the wild
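The flaw described above is an XXE in a request body: the parser expands a DOCTYPE whose entity declarations point at outside resources. As an added illustration (not from this advisory, CISA, or the GeoServer project), the gatekeeper below shows the kind of pre-parse check an inline control can apply to XML posted to a WMS endpoint: any DOCTYPE is rejected under an assumed policy that SLD/WMS bodies never need a DTD, and external and parameter entity declarations are extracted for the alert. The SLD-style sample body, the file URI and the IP addresses are constructed.

```python
import re
from dataclasses import dataclass, field

# <!ENTITY name SYSTEM "uri">, <!ENTITY % name SYSTEM "uri"> (parameter entity),
# <!ENTITY name PUBLIC "public-id" "uri">; internal entities carry no SYSTEM/PUBLIC.
_ENTITY_DECL = re.compile(
    r"<!ENTITY\s+(?P<param>%\s*)?(?P<name>[^\s%>]+)\s+(?:(?P<ext>SYSTEM|PUBLIC)\s+)?"
    r"(?P<body>(?:\"[^\"]*\"|'[^']*'|\s)+)(?:NDATA\s+\S+\s*)?>",
    re.IGNORECASE,
)
_DOCTYPE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
_QUOTED = re.compile(r"\"([^\"]*)\"|'([^']*)'")

@dataclass
class EntityFinding:
    name: str
    parameter: bool  # %-entity: expanded inside the DTD itself (e.g. to pull a remote DTD)
    external: bool   # SYSTEM/PUBLIC identifier: the parser fetches outside content
    uri: str         # system identifier of an external entity, "" for internal ones

@dataclass
class Verdict:
    has_doctype: bool
    findings: list = field(default_factory=list)

def inspect_xml_body(body: str) -> Verdict:
    """Inspect a raw XML request body before it reaches a real XML parser."""
    verdict = Verdict(has_doctype=bool(_DOCTYPE.search(body)))
    for m in _ENTITY_DECL.finditer(body):
        quoted = [a or b for a, b in _QUOTED.findall(m.group("body"))]
        external = m.group("ext") is not None
        verdict.findings.append(EntityFinding(
            name=m.group("name"), parameter=m.group("param") is not None,
            external=external, uri=quoted[-1] if external and quoted else ""))
    return verdict

def to_event(verdict: Verdict, client_ip: str) -> dict:
    """Apply policy and flatten the result into a log event a SIEM rule can key on."""
    # Policy assumption: SLD/WMS bodies never need a DTD, so any DOCTYPE is blocked
    # outright (the standard XXE hardening stance); findings only add alert detail.
    return {
        "client_ip": client_ip,
        "action": "block" if verdict.has_doctype else "allow",
        "external_entities": [f.uri for f in verdict.findings if f.external],
        "parameter_entities": [f.name for f in verdict.findings if f.parameter],
    }

# Constructed sample: an SLD-style body whose inline DTD declares an external entity.
SAMPLE_XXE_BODY = ('<?xml version="1.0"?><!DOCTYPE sld [<!ENTITY xxe SYSTEM "file:///path/on/server">]>'
                   '<StyledLayerDescriptor><NamedLayer><Name>&xxe;</Name></NamedLayer></StyledLayerDescriptor>')
```

The check is deliberately lexical so it can run in front of the real parser; it complements, not replaces, disabling DOCTYPE processing in the application's own XML library.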
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
External Remote Services
Command and Scripting Interpreter
User Execution
Exploitation of Remote Services
System Services
Server Software Component
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Public-Facing Web Application Security
Control ID: 6.2.4
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Article 9
CISA Zero Trust Maturity Model (ZTMM) 2.0 – Continuous Vulnerability Detection & Mitigation
Control ID: Vulnerability Management
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Government Administration
Federal agencies face mandatory KEV vulnerability remediation under BOD 22-01, with GeoServer XML entity exploitation threatening geospatial infrastructure and compliance requirements.
Information Technology/IT
The OSGeo GeoServer XXE vulnerability enables XML external entity attacks against geospatial services, requiring immediate patching and zero trust segmentation controls.
Oil/Energy/Solar/Greentech
Geospatial mapping systems critical to energy infrastructure operations are vulnerable to XXE exploitation, threatening operational visibility and regulatory compliance frameworks.
Defense/Space
Military geospatial intelligence systems are exposed to XML entity reference attacks through GeoServer, compromising mission-critical mapping data and threat detection capabilities.
Sources
- CISA Adds One Known Exploited Vulnerability to Catalog – https://www.cisa.gov/news-events/alerts/2025/12/11/cisa-adds-one-known-exploited-vulnerability-catalog
- GeoServer is vulnerable to Unauthenticated XML External Entities (XXE) attack via WMS GetMap feature – https://github.com/advisories/GHSA-fjf5-xgmq-5525
- NVD - CVE-2025-58360 – https://nvd.nist.gov/vuln/detail/CVE-2025-58360
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, east-west traffic controls, inline threat prevention, and robust egress policy enforcement directly limit each stage of this attack path. Continuous anomaly detection, visibility, and encryption of sensitive flows reduce both dwell time and exfiltration risk.
Control: Cloud Firewall (ACF)
Mitigation: Reduces exposure of vulnerable services from untrusted networks.
Control: Kubernetes Security (AKF)
Mitigation: Limits scope of privilege escalation within containers.
Control: Zero Trust Segmentation
Mitigation: Prevents unauthorized east-west communication.
Control: Inline IPS (Suricata)
Mitigation: Detects and disrupts known malicious outbound C2 traffic.
Control: Egress Security & Policy Enforcement
Mitigation: Stops unauthorized data exfiltration attempts.
Detects rapid changes or destructive behaviors early.
Impact at a Glance
Affected Business Functions
- Geospatial Data Services
- Mapping Applications
- GIS Platforms
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of sensitive geospatial data and internal system information due to unauthorized file access.
Recommended Actions
Key Takeaways & Next Steps
- Accelerate patching of all known exploited vulnerabilities, with active coverage for internet-facing workloads.
- Enforce Zero Trust segmentation and least-privilege policies across all east-west and workload-to-workload paths.
- Deploy robust inline threat prevention (IPS/IDS) on both ingress and egress cloud traffic.
- Implement granular egress policy controls and FQDN filtering to detect and block data exfiltration attempts.
- Expand continuous visibility, anomaly detection, and centralized incident response for real-time threat hunting.