CISA orders feds to patch actively exploited GeoServer flaw


CISA has ordered U.S. federal agencies to patch a critical GeoServer vulnerability now actively exploited in XML External Entity (XXE) injection attacks.

In such attacks, an XML input containing a reference to an external entity is processed by a weakly configured XML parser, allowing threat actors to launch denial-of-service attacks, access confidential data, or perform Server-Side Request Forgery (SSRF) to interact with internal systems.

The security flaw (tracked as CVE-2025-58360) flagged by CISA on Thursday is an unauthenticated XML External Entity (XXE) vulnerability in GeoServer 2.26.1 and prior versions (an open-source server for sharing geospatial data over the Internet) that can be exploited to retrieve arbitrary files from vulnerable servers.

“An XML External Entity (XXE) vulnerability was identified affecting GeoServer 2.26.1 and prior versions. The application accepts XML input through a specific endpoint /geoserver/wms operation GetMap,” a GeoServer advisory explains.

“However, this input is not sufficiently sanitized or restricted, allowing an attacker to define external entities within the XML request.”
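The parser weakness the advisory describes is a DTD that is accepted and resolved. As an added example (not code from the original article or from the GeoServer project), here is a pre-parse guard in Python that refuses any DOCTYPE and any external entity reference before the body reaches a full-featured parser; the request bodies are constructed samples and the GetMap element layout is an assumption, not GeoServer's real schema.

```python
import xml.parsers.expat


class UnsafeXMLError(ValueError):
    """Raised when a request uses a DTD construct a GetMap body never needs."""


def _reject_doctype(name, system_id, public_id, has_internal_subset):
    # Any DOCTYPE is refused outright: it is the only place an attacker can
    # declare external entities, and legitimate GetMap XML does not need one.
    raise UnsafeXMLError(f"DOCTYPE for <{name}> not allowed (system id {system_id!r})")


def _reject_external_entity(context, base, system_id, public_id):
    # Belt and braces: if a reference to an external entity is ever reached,
    # refuse to resolve it instead of fetching the file or URL it names.
    raise UnsafeXMLError(f"external entity {system_id!r} not allowed")


def inspect_request(xml_bytes: bytes):
    """Return ("accepted", root_element_name) or ("rejected", reason)."""
    seen = []
    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _reject_doctype
    parser.ExternalEntityRefHandler = _reject_external_entity
    parser.StartElementHandler = lambda name, attrs: seen.append(name)
    try:
        parser.Parse(xml_bytes, True)  # exceptions raised in handlers abort the parse
    except UnsafeXMLError as exc:
        return ("rejected", str(exc))
    except xml.parsers.expat.ExpatError as exc:
        return ("rejected", f"malformed XML: {exc}")
    return ("accepted", seen[0] if seen else None)


# Constructed sample bodies; the element names are assumptions, not GeoServer's schema.
BENIGN_REQUEST = b"""<?xml version="1.0"?>
<GetMap><Layer>roads</Layer><Format>image/png</Format></GetMap>"""

XXE_SHAPED_REQUEST = b"""<?xml version="1.0"?>
<!DOCTYPE GetMap [ <!ENTITY ext SYSTEM "file:///constructed/example.txt"> ]>
<GetMap><Layer>&ext;</Layer></GetMap>"""

if __name__ == "__main__":
    for body in (BENIGN_REQUEST, XXE_SHAPED_REQUEST):
        print(inspect_request(body))
```

The guard is the same check the GeoServer fix has to make: a request that carries a DOCTYPE or an external entity is rejected before any entity can be resolved.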

The Shadowserver Internet watchdog group now tracks 2,451 IP addresses with GeoServer fingerprints, while Shodan reports over 14,000 instances exposed online.

[Image: GeoServer instances exposed online (Shadowserver)]

CISA has now added CVE-2025-58360 to its Known Exploited Vulnerabilities (KEV) Catalog, warning that the flaw is being actively exploited in attacks and ordering Federal Civilian Executive Branch (FCEB) agencies to patch servers by January 1st, 2026, as mandated by Binding Operational Directive (BOD) 22-01 issued in November 2021.

FCEB agencies are non-military agencies within the U.S. executive branch, such as the Department of Energy, the Department of the Treasury, the Department of Homeland Security, and the Department of Health and Human Services.

Although BOD 22-01 only applies to federal agencies, the U.S. cybersecurity agency urged network defenders to prioritize patching this vulnerability as soon as possible.

“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA said. “Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.”

Last year, CISA also added OSGeo GeoServer JAI-EXT code injection (CVE-2022-24816) and GeoTools eval injection (CVE-2024-36401) vulnerabilities to its list of actively exploited security flaws.

As the cybersecurity agency revealed in September, the latter was exploited to breach an unnamed U.S. government agency in 2024 after compromising an unpatched GeoServer instance.
