CISA Flags Actively Exploited GeoServer XXE Flaw in Updated KEV Catalog

These articles are AI-generated summaries. Please check the original sources for full details.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-58360, a high-severity XML External Entity (XXE) vulnerability in OSGeo GeoServer, to its Known Exploited Vulnerabilities (KEV) catalog. The flaw carries a CVSS score of 8.2, and its addition follows reports of active exploitation in the wild.

Ideal security models assume prompt patching, but real-world deployments often lag, creating windows of opportunity for attackers. An unpatched XXE flaw like this one can expose files readable by the server, enable server-side request forgery (SSRF), and cause denial of service, resulting in significant financial and reputational damage – potentially millions in remediation costs.

Key Insights

  • CVE-2025-58360 affects GeoServer versions prior to 2.25.6, 2.26.2, 2.27.0, 2.28.0, and 2.28.1: CISA KEV Catalog, 2025-12-12
  • XXE vulnerabilities let an attacker supply XML whose external entity declarations the parser resolves, potentially exposing sensitive files on the server: OWASP, 2024
  • CISA’s KEV catalog prioritizes vulnerabilities with known exploits, requiring federal agencies to address them quickly: CISA, 2023
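
The standard mitigation for the class of flaw described above is to refuse any DTD features in untrusted XML before an application parser sees them. The following is an added, defensive example (not GeoServer's code or the original article's) that scans a document with expat callbacks, which never fetch external resources, and rejects it if a DOCTYPE or entity declaration is present; the sample requests and the placeholder file path are constructed for illustration.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat


class UntrustedXmlError(ValueError):
    """Raised when an XML document carries DTD features that enable XXE."""


def find_xxe_risks(data: bytes) -> list:
    """Scan with expat callbacks only; external entities are never resolved.
    Returns a list of findings; an empty list means no DTD features were seen."""
    findings = []
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        findings.append("DOCTYPE %r declared" % name)
        if sysid or pubid:  # external DTD subset: a resolving parser would fetch it
            findings.append("external DTD %r" % (sysid or pubid))

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        if value is None:  # SYSTEM/PUBLIC entity: the classic XXE file/URL read
            findings.append("external entity %r -> %r" % (name, sysid or pubid))
        else:              # internal entity: expansion (entity-bomb) DoS risk
            findings.append("internal entity %r" % name)

    def on_external_ref(context, base, sysid, pubid):
        findings.append("external entity referenced in content: %r" % sysid)
        return 1  # tell expat the reference was handled; nothing is fetched

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        findings.append("malformed XML: %s" % exc)
    return findings


def parse_untrusted(data: bytes) -> ET.Element:
    """Parse only when the scan reports no DTD features at all."""
    findings = find_xxe_risks(data)
    if findings:
        raise UntrustedXmlError("; ".join(findings))
    return ET.fromstring(data)


# Constructed samples: a plain WFS-style request and one declaring an external entity.
BENIGN = (b'<?xml version="1.0"?><GetFeature service="WFS" version="1.1.0">'
          b'<Query typeName="example_layer"/></GetFeature>')
XXE_SAMPLE = (b'<?xml version="1.0"?><!DOCTYPE req [<!ENTITY ext SYSTEM '
              b'"file:///placeholder/path">]><req>&ext;</req>')
```

Rejecting every DOCTYPE is stricter than needed for some schemas, but it is the simplest rule that closes file disclosure, SSRF via external DTDs and entity-expansion DoS in one check.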

Practical Applications

  • Use Case: Government agencies utilizing GeoServer for geospatial data management must prioritize patching to comply with CISA directives.
  • Pitfall: Ignoring KEV catalog alerts can lead to mandatory patching under strict deadlines and potential compliance violations.
