Ethical Hacking News
CISA has issued an urgent alert about a critical GeoServer vulnerability, CVE-2025-58360, that is being actively exploited. The flaw is an unauthenticated XML External Entity (XXE) injection in GeoServer 2.26.1 and earlier that lets attackers cause denial of service, read confidential data, or perform Server-Side Request Forgery (SSRF) against internal systems. Shadowserver counts over 14,000 GeoServer instances exposed online, 2,451 of them with fingerprints matching vulnerable versions. CISA has added the CVE to its Known Exploited Vulnerabilities (KEV) Catalog and ordered Federal Civilian Executive Branch (FCEB) agencies to patch by January 1st, 2026.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent alert to federal agencies regarding a critical vulnerability in GeoServer, the open-source server for publishing geospatial data over the internet. The vulnerability, tracked as CVE-2025-58360, allows threat actors to launch denial-of-service attacks, access confidential data, or perform Server-Side Request Forgery (SSRF) to interact with internal systems; the Shadowserver Foundation is tracking the population of exposed and potentially vulnerable servers.
According to CISA, the vulnerability is an unauthenticated XML External Entity (XXE) injection flaw in GeoServer 2.26.1 and prior versions. The application accepts XML input through the /geoserver/wms endpoint in the GetMap operation but does not sufficiently restrict that input, so an attacker can include a DTD that declares external entities in the request and have the server resolve them. Because no authentication is required, any reachable WMS endpoint is a target.
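To make the class of bug concrete, here is an added Python example; it is not code from the article, from CISA, or from the GeoServer project. It shows a pre-parse gate that refuses any XML carrying a DTD (which an external-entity declaration requires), a detector that flags GetMap traffic to /geoserver/wms whose URL-decoded parameters or body contain a DOCTYPE or ENTITY declaration, and a version check for the "2.26.1 and prior" range. The XXE payload and the request records are constructed for the example, and the use of the SLD_BODY parameter to carry XML is an assumption, since the article does not say which GetMap parameter is abused.

```python
"""Added example (not from the article or the GeoServer project): a DTD-free
XML gate for XML arriving via WMS GetMap, a matching request detector, and a
version check for the article's '2.26.1 and prior' affected range."""
import re
import urllib.parse
import xml.parsers.expat

# Constructed XXE payload of the kind the article describes: a DOCTYPE that
# declares an external entity and then references it. SLD_BODY is assumed
# here as the XML-bearing GetMap parameter; the article does not name one.
XXE_PAYLOAD = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE sld [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
    '<StyledLayerDescriptor><Name>&xxe;</Name></StyledLayerDescriptor>'
)
BENIGN_SLD = '<StyledLayerDescriptor><Name>default</Name></StyledLayerDescriptor>'


class DtdRejected(ValueError):
    """Raised when a document carries a DOCTYPE or an entity declaration."""


def parse_xml_no_dtd(xml_text: str) -> list:
    """Parse XML with expat, aborting on any DTD construct.

    XXE needs a DTD to declare the external entity, so refusing every
    DOCTYPE/ENTITY declaration removes the attack surface regardless of
    whether this parser would fetch the entity. Returns element names seen.
    """
    seen = []
    p = xml.parsers.expat.ParserCreate()

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdRejected("DOCTYPE %r not allowed" % name)

    def reject_entity(*_args):
        raise DtdRejected("entity declaration not allowed")

    # Handler exceptions propagate out of Parse(), stopping the parse early.
    p.StartDoctypeDeclHandler = reject_doctype
    p.EntityDeclHandler = reject_entity
    p.StartElementHandler = lambda name, attrs: seen.append(name)
    p.Parse(xml_text, True)
    return seen


def rejects_dtd(xml_text: str) -> bool:
    """True when the gate refuses the document, False when it parses cleanly."""
    try:
        parse_xml_no_dtd(xml_text)
    except DtdRejected:
        return True
    return False


# Constructed request records (method, path+query, body) for the detector.
REQUESTS = [
    ("GET", "/geoserver/wms?SERVICE=WMS&REQUEST=GetMap&SLD_BODY="
            + urllib.parse.quote(BENIGN_SLD), ""),
    ("GET", "/geoserver/wms?SERVICE=WMS&REQUEST=GetMap&SLD_BODY="
            + urllib.parse.quote(XXE_PAYLOAD), ""),
    ("POST", "/geoserver/wms", XXE_PAYLOAD),
    ("GET", "/geoserver/wms?SERVICE=WMS&REQUEST=GetCapabilities", ""),
]

DTD_MARKER = re.compile(r"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)


def xml_fragments(target: str, body: str):
    """Yield every URL-decoded query value plus the body: each place XML may arrive."""
    query = urllib.parse.urlsplit(target).query
    for _, value in urllib.parse.parse_qsl(query, keep_blank_values=True):
        yield value
    if body:
        yield body


def flag_xxe_requests(requests) -> list:
    """Return indexes of requests to /geoserver/wms carrying a DTD anywhere."""
    hits = []
    for i, (_method, target, body) in enumerate(requests):
        if not urllib.parse.urlsplit(target).path.startswith("/geoserver/wms"):
            continue
        if any(DTD_MARKER.search(frag) for frag in xml_fragments(target, body)):
            hits.append(i)
    return hits


def is_affected_version(version: str) -> bool:
    """True for releases in the article's '2.26.1 and prior' range.

    Assumption: release numbers compare as dotted integers and any suffix
    such as '-SNAPSHOT' is dropped; the article implies 2.26.2+ is not affected.
    """
    core = version.split("-")[0]
    return tuple(int(x) for x in core.split(".")) <= (2, 26, 1)


if __name__ == "__main__":
    print(parse_xml_no_dtd(BENIGN_SLD))
    print("XXE payload rejected:", rejects_dtd(XXE_PAYLOAD))
    print("flagged requests:", flag_xxe_requests(REQUESTS))
    print("2.26.1 affected:", is_affected_version("2.26.1"),
          "| 2.27.0 affected:", is_affected_version("2.27.0"))
```

The detector decodes each query value before matching, because an XXE payload in a GET parameter arrives percent-encoded and a raw-log grep for `<!DOCTYPE` would miss it; the gate is what a service should do regardless of detection, since a parser that never sees a DTD cannot be made to resolve an external entity.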
The Shadowserver Foundation, which scans the internet for exposed services, reports over 14,000 GeoServer instances reachable online, of which 2,451 IP addresses return version fingerprints matching the vulnerable range. A significant number of organizations are therefore still running outdated GeoServer builds or have not applied the available update.
In response to the identified vulnerability, CISA has added CVE-2025-58360 to its Known Exploited Vulnerabilities (KEV) Catalog, warning that the flaw is being actively exploited in attacks. The agency also ordered Federal Civilian Executive Branch (FCEB) agencies to patch their servers by January 1st, 2026, as mandated by the Binding Operational Directive (BOD) 22-01 issued in November 2021.
Federal agencies are advised to prioritize patching this vulnerability as soon as possible. In line with the KEV entry, the required action is to apply mitigations per the vendor's instructions, follow the applicable BOD 22-01 guidance for cloud services, or, if no fix or mitigation is available, discontinue use of the product until one can be applied.
This incident highlights the importance of keeping software up-to-date, monitoring for known vulnerabilities, and taking proactive measures to address potential security risks. The exploitation of this vulnerability also underscores the continued threat posed by XML External Entity (XXE) injection attacks, which can have severe consequences for organizations handling sensitive data.
This is not the first GeoServer flaw to reach the KEV catalog: CISA has previously warned about the OSGeo GeoServer JAI-EXT code injection (CVE-2022-24816) and the GeoTools eval injection (CVE-2024-36401), disclosed in 2022 and 2024 respectively; the latter was used in a 2024 intrusion into a U.S. federal civilian agency that CISA later documented.
The alert is a reminder for all GeoServer operators, not only federal agencies, to track vendor releases, check exposed instances against the affected version range, and restrict internet exposure of administrative and service endpoints that do not need it. Addressing this vulnerability promptly significantly reduces the risk of exploitation and of sensitive geospatial data being disclosed.
Related Information:
https://www.ethicalhackingnews.com/articles/CISA-Issues-Urgent-Alert-Geoserver-Vulnerability-Exploited-by-Hackers-ehn.shtml
https://www.bleepingcomputer.com/news/security/cisa-orders-feds-to-patch-actively-exploited-geoserver-flaw/
https://nvd.nist.gov/vuln/detail/CVE-2025-58360
https://www.cvedetails.com/cve/CVE-2025-58360/
https://www.shadowserver.org/
https://www.socinvestigation.com/comprehensive-list-of-apt-threat-groups-motives-and-attack-methods/
Published: Fri Dec 12 04:05:58 2025 by llama3.2 3B Q4_K_M