
CISA Flags Actively Exploited GeoServer XXE Flaw in Updated KEV Catalog

Severity: High | Exploit
Published: Fri Dec 12 2025 (12/12/2025, 05:01:00 UTC)
Source: The Hacker News

Description

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a high-severity security flaw impacting OSGeo GeoServer to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation in the wild. The vulnerability in question is CVE-2025-58360 (CVSS score: 8.2), an unauthenticated XML External Entity (XXE) flaw that affects all versions prior to

AI-Powered Analysis

Last updated: 12/12/2025, 06:15:39 UTC

Technical Analysis

The vulnerability identified as CVE-2025-58360 is an XML External Entity (XXE) flaw in OSGeo GeoServer, a widely used open-source server for sharing geospatial data. This vulnerability affects all versions prior to 2.25.6 and versions 2.26.0 through 2.26.1. It arises from improper restriction of XML external entity references when processing XML input via the /geoserver/wms GetMap operation. An attacker can craft malicious XML payloads that define external entities, enabling them to read arbitrary files on the server, conduct Server-Side Request Forgery (SSRF) attacks to interact with internal systems, or exhaust server resources leading to denial-of-service (DoS). The flaw is unauthenticated, meaning no credentials are required to exploit it, significantly increasing its risk.

The vulnerability has been actively exploited in the wild, as confirmed by CISA and the Canadian Centre for Cyber Security, leading to its inclusion in the Known Exploited Vulnerabilities catalog. The affected GeoServer packages include docker.osgeo.org/geoserver and the Maven packages org.geoserver.web:gs-web-app and org.geoserver:gs-wms. Patches have been released in versions 2.25.6, 2.26.2, 2.27.0, 2.28.0, and 2.28.1.

This vulnerability follows a previously exploited critical flaw (CVE-2024-36401) in the same software, indicating a pattern of targeted attacks against GeoServer. Given GeoServer's role in serving geospatial data for government, environmental, and commercial applications, exploitation could lead to data breaches, internal network reconnaissance, and service disruption.

Potential Impact

For European organizations, the impact of CVE-2025-58360 can be significant due to GeoServer's widespread use in public sector agencies, environmental monitoring, urban planning, and private sector geospatial services. Successful exploitation can lead to unauthorized disclosure of sensitive geospatial data and internal network information, potentially exposing critical infrastructure layouts, environmental data, or proprietary business intelligence. SSRF capabilities could enable attackers to pivot into internal networks, escalating attacks against other systems. Denial-of-service attacks could disrupt essential geospatial services relied upon by emergency responders, transportation authorities, and utilities. The unauthenticated nature of the vulnerability increases the risk of widespread exploitation, especially in environments where GeoServer is exposed to the internet or insufficiently segmented. European organizations may face regulatory consequences under GDPR if personal or sensitive data is exposed. The ongoing active exploitation heightens urgency for mitigation to prevent operational disruption and data compromise.

Mitigation Recommendations

1. Immediately upgrade GeoServer instances to patched versions 2.25.6, 2.26.2, or later as appropriate.
2. Restrict access to the /geoserver/wms GetMap endpoint using network segmentation, firewalls, or web application firewalls (WAFs) to limit exposure to trusted users and systems only.
3. Implement strict input validation and XML parsing configurations to disable external entity processing where possible.
4. Monitor GeoServer logs and network traffic for unusual XML payloads or SSRF attempts targeting internal resources.
5. Conduct internal vulnerability scans and penetration tests focusing on GeoServer endpoints to verify remediation.
6. Employ network-level controls to detect and block outbound connections initiated by GeoServer that could indicate SSRF exploitation.
7. Educate system administrators and security teams about the vulnerability and signs of exploitation to enable rapid incident response.
8. Review and harden overall geospatial data infrastructure, ensuring minimal exposure of critical services to public networks.
9. Coordinate with vendors and open-source communities for timely updates and security advisories.
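As an added illustration of recommendations 3 and 4 (example code written for this page, not GeoServer's own code or configuration), the following Python check rejects DOCTYPE and external entity declarations before an XML body reaches a parser, and the same check can be run over logged request bodies to flag XXE attempts. The request samples are constructed, their shape is simplified, and the entity targets are placeholders.

```python
"""Pre-parse XXE screening for XML bodies sent to a WMS-style endpoint.
Added example, not GeoServer code; the request bodies below are
constructed samples, not captured traffic."""
import re
import xml.etree.ElementTree as ET

# External entities can only be declared inside a DOCTYPE, and OGC WMS
# requests never need one, so rejecting any DOCTYPE is a complete guard.
DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)
# Matches SYSTEM/PUBLIC (external) general or parameter entity declarations
# with double-quoted literals; single-quoted forms are not handled here.
ENTITY_RE = re.compile(
    rb'<!ENTITY\s+(%\s*)?(\w+)\s+(SYSTEM|PUBLIC)\s+(?:"[^"]*"\s+)?"([^"]*)"',
    re.IGNORECASE,
)

def find_xxe_indicators(body):
    """Return a list of findings for one request body; empty means clean."""
    findings = []
    if DOCTYPE_RE.search(body):
        findings.append("DOCTYPE declaration present")
    for m in ENTITY_RE.finditer(body):
        kind = "parameter" if m.group(1) else "general"
        findings.append(f"external {kind} entity {m.group(2).decode()} "
                        f"-> {m.group(4).decode()}")
    return findings

def safe_parse(body):
    """Parse a request body only after confirming it carries no DOCTYPE."""
    if DOCTYPE_RE.search(body):
        raise ValueError("DOCTYPE declarations are not accepted by this endpoint")
    return ET.fromstring(body)

def scan_request_log(entries):
    """entries: iterable of (request_id, body). Returns {request_id: findings}."""
    flagged = {}
    for request_id, body in entries:
        findings = find_xxe_indicators(body)
        if findings:
            flagged[request_id] = findings
    return flagged

# Constructed samples (simplified request shape, placeholder targets).
BENIGN_GETMAP = (b'<?xml version="1.0"?>'
                 b'<GetMap version="1.3.0"><Layers>states</Layers></GetMap>')
FILE_ENTITY = (b'<?xml version="1.0"?><!DOCTYPE GetMap [<!ENTITY xxe SYSTEM '
               b'"file:///placeholder/path">]><GetMap>&xxe;</GetMap>')
SSRF_ENTITY = (b'<?xml version="1.0"?><!DOCTYPE GetMap [<!ENTITY % p SYSTEM '
               b'"http://internal.example/">%p;]><GetMap/>')

if __name__ == "__main__":
    log = [("r1", BENIGN_GETMAP), ("r2", FILE_ENTITY), ("r3", SSRF_ENTITY)]
    for rid, hits in scan_request_log(log).items():
        print(rid, hits)
```

Run against real traffic, a DOCTYPE in any WMS request body is a strong signal on its own, since legitimate clients have no reason to send one.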


Technical Details

Article Source: https://thehackernews.com/2025/12/cisa-flags-actively-exploited-geoserver.html

Threat ID: 693bb2fb5785fd87b5fe5343

Added to database: 12/12/2025, 6:15:23 AM

Last enriched: 12/12/2025, 6:15:39 AM

Last updated: 12/14/2025, 7:31:13 PM
