**U.S. CISA Adds OSGeo GeoServer Flaw to its Known Exploited Vulnerabilities Catalog**
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added an OSGeo GeoServer flaw to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability, tracked as CVE-2025-58360 with a CVSS score of 8.2, is a critical XML External Entity (XXE) issue that allows attackers to access internal files or trigger server-side requests.
GeoServer is an open-source server used for sharing and editing geospatial data. The affected releases are 2.26.0 through 2.26.1 and the 2.25.x series before 2.25.6. The issue arises because XML input to the server is not properly sanitized or restricted, so an attacker can embed external entity declarations in a request and have the server's XML parser resolve them.
The advisory from OSGeo states: "GeoServer is an open-source server that allows users to share and edit geospatial data. From version 2.26.0 to before 2.26.2 and before 2.25.6, an XML External Entity (XXE) vulnerability was identified." It further explains: "The application accepts XML input through a specific endpoint /geoserver/wms operation GetMap. However, this input is not sufficiently sanitized or restricted, allowing an attacker to define external entities within the XML request."
It's worth noting that no technical details are available on how CVE-2025-58360 is being exploited in attacks in the wild. However, Canada's Cyber Centre confirmed on November 28, 2025, that an exploit is already active in the wild.
"Open-source reporting indicates that an exploit for CVE-2025-58360 exists in the wild," reads the alert published by the Canadian Centre for Cyber Security. "The Cyber Centre encourages users and administrators to review the provided web links and apply the necessary updates."
**Timeline of Events**
* September 2025: US CISA reveals that threat actors exploited an unpatched vulnerability in GeoServer to breach a U.S. federal civilian agency's network.
* Mid-July 2024: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds the flaw to its Known Exploited Vulnerabilities (KEV) catalog.
* July 11, 2024: Attackers gain access to a U.S. FCEB agency's network.
**What You Need to Know**
* The vulnerability is fixed in versions 2.25.6, 2.26.3, and 2.27.0.
* CISA orders federal agencies to fix this vulnerability by January 1st, 2026.
* Experts recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.
**How to Protect Yourself**
* Review the KEV catalog and apply necessary updates.
* Ensure all GeoServer versions are up-to-date (v2.25.6 or later).
* Implement security measures to detect and prevent XXE attacks.
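As an added example (not code from the original article, from GeoServer, or from OSGeo), the following Python filter shows the defensive pattern that the last item above and the advisory's description of the flaw both point at: client-supplied XML for an operation such as GetMap never legitimately needs a DTD, so any body that declares one is refused before it reaches the XML parser, and the same check doubles as a detection rule over captured request bodies. The `/geoserver/wms` GetMap endpoint name comes from the advisory; the function names, the SLD-style sample bodies, and the placeholder entity URI are constructed for this example.

```python
"""Added example (not GeoServer code): a pre-parse guard for untrusted XML.

The XXE described in the advisory works by smuggling external entity
declarations into the XML that GetMap accepts. A legitimate request never
needs a DTD, so the simplest defence is to refuse any body that declares one
before the XML parser sees it. Everything below is hypothetical example code.
"""
import re
import xml.etree.ElementTree as ET

# A DOCTYPE or ENTITY declaration anywhere in the body, matched on decoded
# text and case-insensitively so `<!doctype` spellings are caught as well.
_DTD_MARKERS = re.compile(r"<!\s*(DOCTYPE|ENTITY)\b", re.IGNORECASE)


class DtdRejected(ValueError):
    """Raised when an XML request body must not be handed to the parser."""


def _to_text(body: bytes) -> str:
    """Normalise the body to str, refusing encodings a byte filter could miss.

    UTF-16/UTF-32 encode ASCII with interleaved NUL bytes, so `<!DOCTYPE`
    would not appear as a contiguous ASCII string. Rejecting NULs and
    non-UTF-8 input up front removes that blind spot without sniffing encodings.
    """
    if b"\x00" in body:
        raise DtdRejected("NUL byte in XML body (non-UTF-8 encoding?)")
    try:
        return body.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise DtdRejected(f"XML body is not valid UTF-8: {exc}") from exc


def contains_dtd(body: bytes) -> bool:
    """True if the body carries a DOCTYPE or ENTITY declaration.

    Deliberately conservative: a commented-out `<!DOCTYPE` also trips it,
    and so does any body that fails normalisation. For a detection rule over
    request logs that is the behaviour you want; a false positive is cheap.
    """
    try:
        text = _to_text(body)
    except DtdRejected:
        return True
    return _DTD_MARKERS.search(text) is not None


def parse_untrusted_xml(body: bytes) -> ET.Element:
    """Parse client-supplied XML, refusing anything that declares a DTD.

    Refusing the DTD closes the whole class (external entities, parameter
    entities, entity-expansion bombs) instead of enumerating dangerous
    constructs. ElementTree's expat parser does not fetch external entities
    on its own, but the guard means safety never depends on that default.
    """
    text = _to_text(body)
    if _DTD_MARKERS.search(text):
        raise DtdRejected("XML request declares a DTD or entity")
    return ET.fromstring(body)


# Constructed sample body: a harmless SLD-style style document for GetMap.
BENIGN_BODY = b"""<?xml version="1.0" encoding="UTF-8"?>
<StyledLayerDescriptor version="1.0.0" xmlns="http://www.opengis.net/sld">
  <NamedLayer><Name>roads</Name></NamedLayer>
</StyledLayerDescriptor>"""

# Constructed XXE-shaped body; the entity points at a placeholder, not a real path.
MALICIOUS_BODY = b"""<?xml version="1.0"?>
<!DOCTYPE sld [ <!ENTITY ext SYSTEM "file:///PLACEHOLDER/internal-file"> ]>
<StyledLayerDescriptor>&ext;</StyledLayerDescriptor>"""


def triage(bodies: dict) -> list:
    """Return the names of captured request bodies a detection rule would flag."""
    return [name for name, body in bodies.items() if contains_dtd(body)]


if __name__ == "__main__":
    print("flagged:", triage({"benign": BENIGN_BODY, "xxe": MALICIOUS_BODY}))
    print("parsed root:", parse_untrusted_xml(BENIGN_BODY).tag)
    try:
        parse_untrusted_xml(MALICIOUS_BODY)
    except DtdRejected as err:
        print("rejected:", err)
```

The guard sits in front of the parser rather than relying on parser flags because the flags differ between XML libraries and are easy to lose on an upgrade; a body-level refusal is the same in every language and is trivial to mirror as a WAF or log-search rule. The `contains_dtd` check is intentionally loose (it will flag a DTD mentioned inside an XML comment), which is the right trade-off for a request filter on an endpoint that should never see a DTD at all.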
**Stay Informed**
Follow me on Twitter: @securityaffairs and Facebook and Mastodon (SecurityAffairs – hacking, US CISA Known Exploited Vulnerabilities catalog) for the latest updates on cybersecurity threats and vulnerabilities.