CISA Sounds the Alarm on Actively Exploited GeoServer Flaw


The United States Cybersecurity and Infrastructure Security Agency (CISA) has added a GeoServer vulnerability to its Known Exploited Vulnerabilities (KEV) catalog and put out a binding operational directive requiring all Federal Civilian Executive Branch (FCEB) agencies to patch the flaw. An addition to the KEV catalog means the agency has seen the vulnerability actively exploited, which is what warrants this response from CISA. Federal agencies are being singled out because of the role GeoServer plays in many government environments, but the risk extends far beyond government.

Inside CVE-2025-58360: How the XXE Attack Works

The flaw, tracked as CVE-2025-58360, can enable XML External Entity (XXE) injection, in which a poorly configured XML parser accepts untrusted input that declares and references an external entity, and then resolves that entity. These attacks can open the door to a variety of further malicious actions, including file disclosure, denial of service (DoS), and server-side request forgery (SSRF). The weakness lies in the parser configuration: a parser that resolves external entities lets attackers use crafted input to read data or reach systems they could not otherwise access.

In this case, affected GeoServer versions accept XML input on an endpoint without adequately sanitizing or restricting it. Attackers can therefore define external entities in their XML requests, which enables further malicious activity, including the retrieval of data and access to sensitive systems.
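The defensive pattern behind the description above is to refuse any document type definition before untrusted XML reaches a parser, since a parser that never sees a DTD cannot be asked to resolve an external entity. The following is an added example written for this article, not GeoServer's own code; the endpoint names and request bodies are constructed samples, and the file URI in the third sample is a placeholder. It classifies incoming XML bodies, refuses anything carrying a DTD, and groups a batch of requests by verdict so the same check can be run over a request log.

```python
"""Reject DTD constructs in untrusted XML before parsing (defensive pattern).

Added example; not GeoServer code. The request bodies below are constructed
samples and the endpoint names are placeholders.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Any DOCTYPE at all is refused: without a DTD there is nothing for the
# parser to resolve, which removes the root cause of XXE.
_DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)

# External entity declarations (SYSTEM/PUBLIC identifiers) are reported
# separately so monitoring can tell them apart from a harmless internal DTD.
_EXTERNAL_ENTITY_RE = re.compile(
    r"<!ENTITY\s+(?:%\s+)?[^\s>]+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE
)


class UnsafeXmlError(ValueError):
    """Raised when an incoming XML body contains a DTD."""


def classify_xml(body: str) -> str:
    """Return 'external-entity', 'doctype' or 'clean' for an XML body.

    This is a textual pre-check that lets a request be refused and logged
    before parsing; it complements, rather than replaces, hardening the
    parser's own configuration.
    """
    if _EXTERNAL_ENTITY_RE.search(body):
        return "external-entity"
    if _DOCTYPE_RE.search(body):
        return "doctype"
    return "clean"


def parse_untrusted_xml(body: str) -> ET.Element:
    """Parse XML from an untrusted client, refusing any document with a DTD."""
    verdict = classify_xml(body)
    if verdict != "clean":
        raise UnsafeXmlError(f"rejected XML body: {verdict}")
    return ET.fromstring(body)


def is_accepted(body: str) -> bool:
    """True if the body passes the pre-check and parses, False otherwise."""
    try:
        parse_untrusted_xml(body)
    except (UnsafeXmlError, ET.ParseError):
        return False
    return True


def scan_requests(requests: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group (endpoint, body) pairs by verdict, e.g. over a request log."""
    findings: Dict[str, List[str]] = {
        "external-entity": [],
        "doctype": [],
        "clean": [],
    }
    for endpoint, body in requests:
        findings[classify_xml(body)].append(endpoint)
    return findings


# Constructed sample requests; endpoint paths and the file URI are placeholders.
SAMPLE_REQUESTS: List[Tuple[str, str]] = [
    ("/xml-endpoint-a",
     '<?xml version="1.0"?><GetFeature service="WFS">'
     '<Query typeName="roads"/></GetFeature>'),
    ("/xml-endpoint-b",
     '<?xml version="1.0"?><!DOCTYPE d [<!ENTITY unit "metre">]>'
     '<Query>&unit;</Query>'),
    ("/xml-endpoint-c",
     '<?xml version="1.0"?>'
     '<!DOCTYPE d [<!ENTITY ext SYSTEM "file:///constructed/placeholder">]>'
     '<Query>&ext;</Query>'),
]


if __name__ == "__main__":
    for endpoint, body in SAMPLE_REQUESTS:
        print(endpoint, classify_xml(body), "accepted" if is_accepted(body) else "refused")
    print(scan_requests(SAMPLE_REQUESTS))
```

The second sample shows why the two verdicts are kept apart: an internal entity is harmless in itself, but a policy of refusing every DTD is simpler to reason about than one that tries to tell safe declarations from dangerous ones, and the separate "external-entity" verdict is what a detection rule would alert on.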

GeoServer’s Expanding Attack Surface

GeoServer is an open-source server, written in Java, built for users to share and manage geospatial data. It is a widely deployed tool that prioritizes interoperability, connecting to a variety of virtual globes and online maps, including Google Earth, NASA World Wind, OpenLayers, and Leaflet. While this interconnection is convenient for users, it also amplifies the risk and consequences of unauthenticated exploitation.

Geospatial platforms are critical in many areas today, with access and connections to far-reaching systems and data. They are increasingly attractive to attackers because of the many components and capabilities they contain. This most recent vulnerability is concerning on its own, and it follows a series of previously exploited flaws.

Evidence of Active Exploitation

This vulnerability has been actively exploited, as confirmed in advisories from Wiz and the Canadian Centre for Cyber Security, which note that openly available exploit code has been circulating since late November. Tracking data from the Shadowserver Foundation shows at least 2,451 IP addresses exposed to the flaw, and Shodan estimates that more than 14,000 GeoServer instances are reachable from the internet. That leaves a significant gap between the number of exposed systems and the number that have been patched.

A Pattern, Not an Isolated Incident

While the newest GeoServer vulnerability is a major flaw, it is not the first or only one to threaten GeoServer. Other flaws have emerged over the years, including a 2024 remote code execution (RCE) vulnerability and a 2022 code injection vulnerability. This repeated exploitation of different flaws points to systemic weaknesses in GeoServer's security and highlights how exposed widely connected servers are.

The use of open-source software in critical infrastructure is both a strength and a liability, allowing for flexibility and collaborative support while also introducing risks through dependencies and open availability. “The massive adoption of open-source software has significantly increased the attack surface of many enterprises, often without their knowledge,” according to Venky Raju, Field CTO at ColorTokens.

What Security Leaders Should Take Away

Security leaders should take lessons from this GeoServer flaw moving forward. The speed of patching is a critical security control, not just an IT chore. Asset discovery and exposure management are vital parts of protecting systems against this and similar flaws. "Low-profile" platforms like GeoServer often carry outsized risk because they receive less attention from security teams and users assume they are secure.

Organizations running open-source infrastructure at scale must secure it against the modern threat landscape. Insidious threats require more than traditional security measures, and a zero-trust approach is growing increasingly important. "Zero Trust starts with assuming breach. That does not mean accepting breach," says Louis Eichenbaum, Federal CTO at ColorTokens. "To be breach-ready, agencies must continue to harden the perimeter, but they must apply the same rigor to resilience inside the network. Assuming the adversary is already 'inside' fundamentally changes how you prioritize protections around your most critical assets."

The Bigger Picture

This vulnerability highlights attackers' tendency to exploit forgotten or "boring" infrastructure for easy access to systems and data. Geospatial and operational data systems warrant more scrutiny than organizations and security experts often give them. Vulnerability exploitation may increasingly trend toward these underdefended systems, especially those widely used by government agencies and other major organizations with highly sensitive operations and access.

Author
  • Contributing Writer, Security Buzz
    PJ Bradley is a writer from southeast Michigan with a Bachelor's degree in history from Oakland University. She has a background in school-age care and experience tutoring college history students.