Critical GeoServer XXE Flaw Added To KEV Catalog

Active exploitation confirmed as CISA orders federal agencies to patch GeoServer by January 2026.

Published on Dec 16, 2025

CISA has added a GeoServer vulnerability to its Known Exploited Vulnerabilities (KEV) catalog after evidence it is being used in the wild.

The vulnerability, tracked as CVE-2025-58360, is an unauthenticated XML External Entity (XXE) issue. It can be triggered when GeoServer processes XML input using an insecurely configured XML parser.
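The advisory attributes the flaw to an insecurely configured XML parser. As an added illustration (not GeoServer's own code, and not the affected code path), the Java snippet below shows a hardened JAXP DocumentBuilderFactory beside a self-check that reports whether a given factory would honour an external entity declaration; the class and method names, and the canary document, are assumptions constructed for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.util.concurrent.atomic.AtomicBoolean;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.InputSource;

public class XxeSafeParser {

    // Hardened factory: DOCTYPE declarations are refused outright, so no
    // external entity, parameter entity or external DTD can ever be fetched.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f;
    }

    // Self-check: parse a constructed canary document whose DOCTYPE declares an
    // external entity and record whether the parser ever asks to resolve it.
    // A safe factory rejects the DOCTYPE before the resolver is consulted.
    static boolean resolvesExternalEntities(DocumentBuilderFactory f) {
        String canary = "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE r [<!ENTITY ext SYSTEM \"file:///placeholder-canary\">]>"
            + "<r>&ext;</r>";
        AtomicBoolean resolverCalled = new AtomicBoolean(false);
        try {
            DocumentBuilder b = f.newDocumentBuilder();
            b.setEntityResolver((publicId, systemId) -> {
                resolverCalled.set(true);                     // entity was honoured
                return new InputSource(new StringReader("")); // never touch the URI
            });
            b.parse(new ByteArrayInputStream(canary.getBytes(StandardCharsets.UTF_8)));
        } catch (Exception e) {
            // Expected for the hardened factory: the DOCTYPE itself is rejected.
        }
        return resolverCalled.get();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("default factory resolves external entities: "
            + resolvesExternalEntities(DocumentBuilderFactory.newInstance()));
        System.out.println("hardened factory resolves external entities: "
            + resolvesExternalEntities(hardenedFactory()));
    }
}
```

The same self-check can be pointed at any DocumentBuilderFactory an application constructs, which makes it a useful regression test after applying a parser-hardening fix.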

The vulnerability affects GeoServer versions 2.25.5 and earlier, as well as versions 2.26.0 and 2.26.1.

If exploited, it can lead to “disclosure of confidential data, denial of service, port scanning … and other system impacts,” GitHub wrote on its advisory database.

The issue was first reported by XBOW, an AI-powered vulnerability discovery platform. The vulnerability was added to CISA’s KEV catalog on December 11, 2025, and is rated 9.8 (Critical) by the National Vulnerability Database.

What Is The Impact?

GeoServer is an open-source server used to share geospatial data in a range of formats, including to web browsers and GIS applications. It is commonly used for OGC services such as Web Map Service (WMS), Web Feature Service (WFS), and Web Coverage Service (WCS), as well as tile caching.

While details surrounding exploitation in the wild are scarce, the Canadian Centre for Cyber Security said that an “exploit for CVE-2025-58360 exists in the wild.”

A previous vulnerability affecting GeoServer (CVE-2024-36401) was added to the KEV Catalog in 2024. That CVE also had a CVSS score of 9.8, and there have been multiple reports of exploitation since then.

Expert Insights recommends that all organizations using the affected versions deploy the latest patches, released in GeoServer 2.28.1.

CISA has directed all Federal Civilian Executive Branch (FCEB) agencies to deploy the patch before January 1, 2026.