GeoServer CVE-2025-58360 Added to CISA KEV Due to Active Exploitation
CISA has added CVE-2025-58360, a critical XML External Entity (XXE) vulnerability in OSGeo GeoServer, to its Known Exploited Vulnerabilities (KEV) catalog following evidence of active exploitation. This vulnerability affects the Web Map Service (WMS) GetMap operation, allowing unauthenticated attackers to exploit improperly restricted XML entity references, potentially leading to file disclosure, server-side request forgery (SSRF), and denial-of-service conditions. The flaw impacts multiple 2.25.x and 2.26.x versions of GeoServer, with patches available in later releases such as 2.25.6 and 2.26.2/2.26.3, and has been integrated into public exploit tools and security scanners, increasing the risk of widespread exploitation.
CISA’s inclusion of this vulnerability in the KEV catalog mandates federal agencies to remediate affected systems within a set timeframe, underscoring the urgency for all organizations to prioritize patching or isolating vulnerable GeoServer instances. The vulnerability is particularly concerning due to GeoServer’s role in managing geospatial data for critical infrastructure, government, and enterprise GIS deployments, making exploitation a significant risk for data exposure and internal network compromise. CISA strongly recommends that all organizations, not just federal agencies, address this vulnerability as part of their vulnerability management practices to mitigate the threat of active cyberattacks.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
CISA orders federal agencies to remediate by January 1, 2026
Under Binding Operational Directive 22-01, CISA required Federal Civilian Executive Branch agencies to remediate CVE-2025-58360 by January 1, 2026. CISA also urged all organizations to prioritize patching or otherwise mitigate exposed GeoServer systems.
CISA adds GeoServer CVE-2025-58360 to the KEV catalog
On December 11, 2025, CISA added CVE-2025-58360 affecting OSGeo GeoServer to its Known Exploited Vulnerabilities catalog due to evidence of active exploitation. The flaw is an XML External Entity issue that can expose files, enable SSRF, and cause denial-of-service.
Canadian Centre for Cyber Security confirms exploit activity in the wild
The Canadian Centre for Cyber Security confirmed that CVE-2025-58360 was being exploited in the wild. This established the flaw as an actively exploited threat rather than a purely theoretical issue.
GeoServer releases fixes for CVE-2025-58360 in supported versions
OSGeo GeoServer addressed CVE-2025-58360, an XXE flaw in the WMS GetMap operation, in patched releases including 2.25.6, 2.26.2/2.26.3, and later versions such as 2.27.0. The fixes closed a vulnerability that could enable file disclosure, SSRF, and denial-of-service.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
6 references tracked. Mallory keeps watching after this page renders.
GeoServer CVE-2025-58360 added to CISA KEV
thecyberthrone.in
Open sourceCISA Flags Actively Exploited GeoServer XXE Flaw in Updated KEV Catalog
thehackernews.com
Open sourceCISA Warns of OSGeo GeoServer 0-Day Vulnerability Exploited in Attacks
cybersecuritynews.com
Open sourceCISA orders feds to patch actively exploited Geoserver flaw
bleepingcomputer.com
Open sourceU.S. CISA adds an OSGeo GeoServer flaw to its Known Exploited Vulnerabilities catalog
securityaffairs.com
Open sourceCISA Adds One Known Exploited Vulnerability to Catalog
cisa.gov
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
XXE Flaws in GeoServer WFS and Apache CXF Expose Servers to SSRF and Data Leakage
GeoServer and Apache CXF disclosed separate XML External Entity vulnerabilities that could let attackers abuse unsafe XML parsing to access sensitive resources. In GeoServer, **CVE-2025-30220** affects the Web Feature Service (`WFS`) through the GeoTools library, where in-memory XSD schema processing does not enforce GeoServer’s `ENTITY_RESOLUTION_ALLOWLIST` restriction. The flaw can enable **information disclosure** and **server-side request forgery (SSRF)** via malicious XML containing external entities or DTDs, with affected GeoServer versions including `2.27.0`, `2.26.0` through `2.26.2`, and versions up to `2.25.6`. Apache also disclosed **CVE-2026-44618**, an important-severity XXE flaw in the WS-Transfer functionality of Apache CXF caused by an insecure XML parser configuration. Affected versions include `org.apache.cxf:cxf-rt-ws-transfer` `4.2.0` before `4.2.1`, `4.0.0` before `4.1.6`, and all `3.6.x` releases before `3.6.11`. Vendors urged organizations to upgrade to fixed releases immediately; where GeoServer patching is delayed, defenders were advised to restrict access to `WFS` endpoints and monitor for suspicious XML requests and outbound activity consistent with SSRF attempts.
May 25, 2026
Critical SQL Injection Vulnerability Patched in Esri ArcGIS Server
Esri has addressed a critical SQL injection vulnerability in its ArcGIS Server product, which received a maximum CVSS score of 10.0, indicating the highest level of severity. The vulnerability affected ArcGIS Server versions 11.3, 11.4, and 11.5, as confirmed by both Esri and the Canadian Centre for Cyber Security. This flaw could allow remote attackers to exploit the system, potentially leading to unauthorized access, data exfiltration, or manipulation of geospatial data managed by organizations using ArcGIS Server. The vulnerability was disclosed publicly on October 6, 2025, and Esri promptly released a security advisory and a dedicated patch to mitigate the risk. The Canadian Cyber Centre issued an alert on October 9, 2025, urging all users and administrators of the affected ArcGIS Server versions to review the official advisories and apply the security updates without delay. The SQL injection vulnerability posed a significant threat to organizations relying on ArcGIS Server for critical mapping, spatial analysis, and geospatial data services. Attackers exploiting this flaw could have executed arbitrary SQL commands against the backend database, potentially compromising the confidentiality, integrity, and availability of sensitive geospatial information. The rapid response from Esri included the release of a Feature Services Security Patch, which is essential for closing the attack vector. Security professionals are advised to verify their ArcGIS Server deployments, ensure that the latest patches are applied, and review system logs for any signs of attempted exploitation. The incident underscores the importance of timely patch management and the need for organizations to monitor vendor advisories for critical vulnerabilities in widely used enterprise software. Esri’s advisories provided detailed guidance on the affected versions and the steps required to remediate the issue. The vulnerability’s critical rating highlights the potential for automated exploitation, making immediate action imperative for all organizations using the impacted versions. The patch not only addresses the specific SQL injection flaw but also reinforces the overall security posture of ArcGIS Server installations. Organizations are encouraged to follow best practices for web application security, including input validation and least privilege access, to further reduce the risk of similar vulnerabilities in the future. The coordinated disclosure and response demonstrate effective collaboration between the vendor and cybersecurity authorities. This incident serves as a reminder for all enterprises to maintain robust vulnerability management processes and to prioritize remediation of critical flaws in core infrastructure platforms.
Mar 21, 2026
CISA Adds Actively Exploited Adobe Commerce and Microsoft WSUS Vulnerabilities to KEV Catalog
The Cybersecurity and Infrastructure Security Agency (CISA) has added two actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog: CVE-2025-54236, an improper input validation flaw in Adobe Commerce and Magento, and CVE-2025-59287, a deserialization of untrusted data vulnerability in Microsoft Windows Server Update Service (WSUS). These vulnerabilities have been confirmed as being exploited in the wild, prompting CISA to require Federal Civilian Executive Branch (FCEB) agencies to remediate them under Binding Operational Directive (BOD) 22-01. CISA also strongly urges all organizations to prioritize patching these vulnerabilities to reduce exposure to cyberattacks. Security researchers have observed widespread exploitation of the Adobe Commerce vulnerability, dubbed "SessionReaper," with over 250 attacks detected in a 24-hour period targeting e-commerce sites via the REST API. Attackers have used this flaw to hijack customer accounts and deploy PHP webshells, while only 38% of affected stores have reportedly applied the available emergency patch. The Microsoft WSUS vulnerability allows unauthorized remote code execution via network exploitation, further increasing the risk to unpatched systems. Both vulnerabilities are considered critical, with public exploit details available, underscoring the urgency for immediate remediation.
Mar 21, 2026