Categories: Cyber Security News

CISA Warns of OSGeo GeoServer 0-Day Vulnerability Exploited in Attacks

An urgent warning about a critical security flaw in OSGeo GeoServer, a widely used open-source geographic data-sharing server.

CISA has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, indicating that threat actors are actively leveraging this zero-day flaw in attacks targeting both public and private sectors.

The newly disclosed vulnerability, tracked as CVE-2025-58360, is classified as an Improper Restriction of XML External Entity (XXE) Reference.

This security gap exists within the application’s handling of XML input. Specifically involving the /geoserver/wms endpoint during GetMap operations.

Field	Details
CVE ID	CVE-2025-58360
Name	OSGeo GeoServer XXE Vulnerability
Description	XML input in `/geoserver/wms` GetMap is not properly restricted, allowing external XML entities.
Related CWE	CWE-611
Action	Apply vendor fixes, follow BOD 22-01 for cloud services, or stop using the product.

Security researchers have determined that the software fails to restrict external entities in XML requests properly.

By exploiting this weakness, remote attackers can define malicious external entities in their requests. Successful exploitation could allow unauthorized actors to view files on the server.

Interact with backend or external systems (Server-Side Request Forgery), or cause denial-of-service conditions.

The confirmation of active exploitation prompted CISA to intervene, requiring federal civilian executive branch (FCEB) agencies to immediately secure their systems.

In accordance with Binding Operational Directive (BOD) 22-01, CISA has mandated that all FCEB agencies must identify and mitigate this vulnerability by January 1, 2026.

While the mandate applies only to federal agencies, CISA strongly urges all organizations that use OSGeo GeoServer to prioritize this update.

The short remediation window reflects the severity of the threat and the active nature of current campaigns. Administrators are advised to apply the relevant vendor mitigations immediately.

If patches are not yet available for specific configurations, organizations should follow CISA’s guidance for cloud services. Consider temporarily discontinuing the use of the affected product until it can be secured.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post CISA Warns of OSGeo GeoServer 0-Day Vulnerability Exploited in Attacks appeared first on Cyber Security News.

CISA – Hackers Breached U.S. Federal Agency via GeoServer RCE

The Cybersecurity and Infrastructure Security Agency (CISA) has revealed that threat actors infiltrated a U.S. federal civilian executive branch agency by exploiting a remote code execution vulnerability in GeoServer. The incident, which persisted for more than three weeks, underscores the critical importance of prompt patching, rigorous incident response rehearsals, and…

September 24, 2025

In "Cyber Security News"

Hijacked Connections – How Cybercriminals Profit from Your Bandwidth

August 21, 2025

In "Cyber Security News"

CISA Warns of Actively Exploited 0-Day RCE Vulnerability in Samsung Mobile Devices

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning about a critical remote code execution vulnerability affecting Samsung mobile devices that is actively being exploited in real-world attacks. The flaw resides in the libimagecodec.quram.so library, a core component used for image processing on Samsung phones. Critical Security…

November 11, 2025

In "Cyber Security News"

rssfeeds-admin