CISA has ordered U.S. federal agencies to patch a critical GeoServer vulnerability now actively exploited in XML External Entity (XXE) injection attacks.

In such attacks, an XML input containing a reference to an external entity is processed by a weakly configured XML parser, allowing threat actors to launch denial-of-service attacks, access confidential data, or perform Server-Side Request Forgery (SSRF) to interact with internal systems.

The security flaw (tracked as CVE-2025-58360) flagged by CISA on Thursday is an unauthenticated XML External Entity (XXE) vulnerability in GeoServer 2.26.1 and prior versions (an open-source server for sharing geospatial data over the Internet) that can be exploited to retrieve arbitrary files from vulnerable servers.

“An XML External Entity (XXE) vulnerability was identified affecting GeoServer 2.26.1 and prior versions. The application accepts XML input through a specific endpoint /geoserver/wms operation GetMap,” a GeoServer advisory explains.

“However, this input is not sufficiently sanitized or restricted, allowing an attacker to define external entities within the XML request.”

The Shadowserver Internet watchdog group now tracks 2,451 IP addresses with GeoServer fingerprints, while Shodan reports over 14,000 instances exposed online.

​CISA has now added CVE-2025-58360 to its Known Exploited Vulnerabilities (KEV) Catalog, warning that the flaw is being actively exploited in attacks and ordering Federal Civilian Executive Branch (FCEB) agencies to patch servers by January 1st, 2026, as mandated by the Binding Operational Directive (BOD) 22-01 issued in November 2021.

FCEB agencies are non-military agencies within the U.S. executive branch, such as the Department of Energy, the Department of the Treasury, the Department of Homeland Security, and the Department of Health and Human Services.

Although BOD 22-01 only applies to federal agencies, the U.S. cybersecurity agency urged network defenders to prioritize patching this vulnerability as soon as possible.

“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA said. “Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.”

Last year, CISA also added OSGeo GeoServer JAI-EXT code injection (CVE-2022-24816) and GeoTools eval injection (CVE-2024-36401) vulnerabilities to its list of actively exploited security flaws.

As the cybersecurity agency revealed in September, the latter was exploited to breach an unnamed U.S. government agency in 2024 after compromising an unpatched GeoServer instance.