CISA orders immediate patching after active exploitation of critical GeoServer XXE flaw

The Cybersecurity and Infrastructure Security Agency has ordered federal civilian agencies to patch a critical unauthenticated XML External Entity vulnerability in GeoServer, tracked as CVE-2025-58360, and said it is being actively exploited in the wild.

The flaw affects GeoServer versions 2.26.1 and earlier and can allow attackers to retrieve arbitrary files from vulnerable servers, enabling data theft, denial-of-service and server-side request forgery against internal systems that the server can reach.

Security advisories and vulnerability databases indicate exploit code was circulating before coordinated fixes were available: posts from Wiz and the Canadian Centre for Cyber Security reported public proof-of-concept activity since late November, and CISA formally added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog in December.

Researchers say the bug stems from an insecurely configured XML parser that resolves external entities, and it carries a high severity score because it allows unauthenticated file disclosure and potential SSRF. Internet scans show a substantial attack surface: Shadowserver dashboards list thousands of IPs with GeoServer fingerprints, and Shodan shows more than 14,000 exposed instances.

Experts cautioned that patching alone may not be sufficient, given the difficulty of discovering every exposed instance and the constraints of change management. The agency directed Federal Civilian Executive Branch agencies to patch before December 26, 2025, while security practitioners recommended compensating controls such as network segmentation and microsegmentation and adopting Zero Trust principles. CISA previously flagged other GeoServer vulnerabilities in separate notices in June 2024 and July 2024.