CISA Mandates Federal Patch for Actively Exploited GeoServer Flaw

Summary
– CISA has ordered U.S. federal agencies to patch a critical, actively exploited XXE vulnerability (CVE-2025-58360) in GeoServer by January 1, 2026.
– The vulnerability allows attackers to submit malicious XML to retrieve arbitrary files from vulnerable servers due to insufficient input sanitization.
– Internet scans show thousands of GeoServer instances are exposed online, with over 14,000 reported by Shodan.
– While the binding directive applies to federal civilian agencies, CISA urges all network defenders to prioritize patching this flaw immediately.
– This follows a pattern, as CISA has previously added other exploited GeoServer vulnerabilities to its catalog, including one used in a 2024 government breach.
A critical security vulnerability in GeoServer, an open-source platform for sharing geospatial data, has prompted an urgent federal mandate. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered all federal civilian agencies to patch this actively exploited flaw, which allows attackers to steal sensitive files from vulnerable servers. This directive underscores the severe risk posed by unpatched software in government networks.
The specific issue is an unauthenticated XML External Entity (XXE) injection vulnerability, tracked as CVE-2025-58360. It affects GeoServer version 2.26.1 and all earlier releases. The weakness exists in a specific web endpoint (`/geoserver/wms` operation `GetMap`) that processes XML data. Because the input is not properly restricted, an attacker can craft a malicious XML request that forces the server to disclose arbitrary files from its system. This type of flaw is a common vector for data theft, denial-of-service attacks, and probing internal networks.
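The flaw class above comes down to a parser accepting the DTD machinery that XXE needs. The example below is added here and is not code from the article or from the GeoServer project; it shows, in Python rather than GeoServer's Java, the two controls a defender wants on any XML accepted from an untrusted request: refuse any DOCTYPE before parsing, and separately turn off external entity resolution in the parser (the Xerces parsers used by Java services expose the same controls as parser features). The request bodies are constructed samples, the style-document shape and the file path are assumptions, and nothing here reflects GeoServer's own request handling.

```python
# Added example, not code from the article or from the GeoServer project: a
# defensive wrapper for XML that arrives in untrusted requests. It refuses the
# DTD machinery that XML External Entity (XXE) injection depends on before the
# parser ever sees it, and turns off external entity resolution in the parser
# as a second layer. All sample documents below are constructed.
import re
import xml.sax
import xml.sax.handler
from io import BytesIO

# Any DOCTYPE (internal or external subset) is refused: XXE needs a DTD to
# declare entities, and ordinary geospatial request documents do not carry one.
_DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)


class _RootCollector(xml.sax.handler.ContentHandler):
    """Records the root element name and element count: enough to show the document parsed."""

    def __init__(self):
        super().__init__()
        self.root = None
        self.element_count = 0

    def startElement(self, name, attrs):
        if self.root is None:
            self.root = name
        self.element_count += 1


def triage_request(payload: bytes) -> dict:
    """Return a verdict for one request body: accepted, or rejected and why."""
    if _DOCTYPE_RE.search(payload):
        return {"accepted": False, "reason": "DOCTYPE declaration present", "root": None}

    parser = xml.sax.make_parser()
    # Second layer: even if a DOCTYPE slipped past the byte pattern (for
    # example through an unusual encoding), the parser will not fetch
    # external general or parameter entities.
    parser.setFeature(xml.sax.handler.feature_external_ges, False)
    parser.setFeature(xml.sax.handler.feature_external_pes, False)
    handler = _RootCollector()
    parser.setContentHandler(handler)
    try:
        parser.parse(BytesIO(payload))
    except xml.sax.SAXParseException as exc:
        return {"accepted": False, "reason": f"malformed XML: {exc.getMessage()}", "root": None}
    return {"accepted": True, "reason": "ok", "root": handler.root,
            "elements": handler.element_count}


# Constructed sample 1: a plain style document of the kind a map request may carry.
BENIGN_SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<StyledLayerDescriptor version="1.0.0" xmlns="http://www.opengis.net/sld">
  <NamedLayer><Name>roads</Name></NamedLayer>
</StyledLayerDescriptor>"""

# Constructed sample 2: the generic XXE shape; the SYSTEM path is a placeholder.
XXE_SAMPLE = b"""<?xml version="1.0"?>
<!DOCTYPE sld [<!ENTITY ext SYSTEM "file:///PLACEHOLDER/path">]>
<StyledLayerDescriptor version="1.0.0"><NamedLayer><Name>&ext;</Name></NamedLayer></StyledLayerDescriptor>"""

# Constructed sample 3: a truncated document, to show malformed input is rejected cleanly.
MALFORMED_SAMPLE = b"<StyledLayerDescriptor><NamedLayer>"

SAMPLES = (("benign", BENIGN_SAMPLE), ("xxe", XXE_SAMPLE), ("malformed", MALFORMED_SAMPLE))


def summarize_samples():
    """Run every constructed sample through triage and return (label, accepted) pairs."""
    return [(label, triage_request(doc)["accepted"]) for label, doc in SAMPLES]


if __name__ == "__main__":
    for label, doc in SAMPLES:
        print(label, triage_request(doc))
```

The byte-pattern check is deliberately blunt: it rejects every DOCTYPE, including harmless internal-only DTDs, because the cost of a false positive on a map request is far lower than the cost of file disclosure. The parser feature flags are the layer that still holds if the pre-filter is bypassed, which is why both are kept.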
CISA has placed this vulnerability in its Known Exploited Vulnerabilities (KEV) Catalog, confirming it is being used in real-world attacks. Under Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies, which include departments like Energy, Treasury, and Homeland Security, must apply the necessary patches by January 1, 2026. While the order is legally binding for federal agencies, CISA strongly advises all organizations using GeoServer to prioritize this update immediately.
The scale of the exposure is significant. Internet monitoring groups report thousands of GeoServer instances are currently accessible online, representing a large pool of potential targets for malicious actors. Failing to address this vulnerability could lead to substantial data breaches and system compromises.
This is not the first time GeoServer has been in CISA’s crosshairs. The agency previously added similar flaws to its KEV catalog, including code injection vulnerabilities tracked as CVE-2022-24816 and CVE-2024-36401. In one disclosed incident from 2024, attackers successfully breached a U.S. government agency by exploiting an unpatched GeoServer instance, demonstrating the tangible consequences of delayed updates.
CISA’s public guidance is clear: administrators must apply vendor-provided patches without delay. If mitigation is not possible, the agency recommends following specific cloud service guidance or discontinuing use of the product altogether to eliminate the risk. Proactive patching remains the most effective defense against these pervasive and dangerous threats.
(Source: Bleeping Computer)