CVE-2025-58360

OSGeo GeoServer XXE Injection Exploitation Attempt

Detects exploitation attempts targeting CVE-2025-58360, an Improper Restriction of XML External Entity (XXE) Reference vulnerability in OSGeo GeoServer. Attackers can submit malicious XML payloads to GeoServer endpoints to perform server-side request forgery, read local files, or exfiltrate data via out-of-band DNS/HTTP channels. This CVE is listed on CISA's Known Exploited Vulnerabilities catalog.

Vulnerability Intelligence

KEV — Known Exploited

CVSS

Unscored
Write-up coming soon

What is CVE-2025-58360 OSGeo GeoServer XXE Injection Exploitation Attempt?

OSGeo GeoServer XXE Injection Exploitation Attempt (CVE-2025-58360) maps to the Initial Access, Credential Access and Collection tactics in MITRE ATT&CK: the adversary is trying to get into your network, steal credentials, and gather data of interest.

This page provides production-ready detection logic for OSGeo GeoServer XXE Injection Exploitation Attempt, covering the data sources and telemetry it touches: Web Application Firewall Logs, IIS Logs, CommonSecurityLog, Azure Diagnostics. The queries below are rated critical severity at high confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic
Initial Access, Credential Access, Collection
Microsoft Sentinel / Defender
```kusto
// Assumption: the three tables have been projected onto a common
// RequestURL / RequestMethod / RequestBody / SourceIP schema before this union.
// As shipped, W3CIISLog exposes csUriStem / csMethod rather than RequestURL /
// RequestMethod, and none of the three tables carries a request body column,
// so the body match below needs a WAF or proxy source that logs bodies.
union CommonSecurityLog, W3CIISLog, AzureDiagnostics
| where TimeGenerated > ago(24h)
| where RequestURL has_any ("/geoserver/wfs", "/geoserver/wcs", "/geoserver/wms", "/geoserver/ows")
| where RequestMethod in ("POST", "PUT")
// Note: "http://" / "https://" also match the xmlns URIs present in almost every
// OGC request body; MatchedIndicators below is the tuning handle for that noise.
| where RequestBody has_any ("<!ENTITY", "SYSTEM", "<!DOCTYPE", "file://", "http://", "https://", "ftp://")
    or RequestURL has_any ("xxe", "entity", "DOCTYPE")
// Count distinct DTD markers in the body. split() already returns dynamic, and
// its tokens carry no trailing space, so the indicators must not either.
| extend XXEIndicators = dynamic(["<!ENTITY", "SYSTEM", "<!DOCTYPE", "PUBLIC"])
| extend MatchedIndicators = array_length(set_intersect(split(RequestBody, " "), XXEIndicators))
| project TimeGenerated, RequestURL, RequestMethod, RequestBody, SourceIP, DestinationIP, Computer, MatchedIndicators
| order by TimeGenerated desc
```

Detects HTTP POST/PUT requests to GeoServer OGC service endpoints containing XXE injection markers such as ENTITY declarations, SYSTEM identifiers, or DOCTYPE declarations. Covers CommonSecurityLog, W3C IIS logs, and AzureDiagnostics tables.

Severity: critical. Confidence: high.

Data Sources

  • Web Application Firewall Logs
  • IIS Logs
  • CommonSecurityLog
  • Azure Diagnostics

Required Tables

  • CommonSecurityLog
  • W3CIISLog
  • AzureDiagnostics

False Positives

  • Legitimate GeoServer clients submitting large XML-based WFS or WCS requests with DOCTYPE declarations for schema validation
  • Security scanners and vulnerability assessment tools running authorized scans against GeoServer endpoints
  • Internal GIS applications sending XML with SYSTEM references for schema imports
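The Sentinel query above treats every DTD marker alike, which is exactly why the validating clients listed under False Positives trip it. The following is an added example, not code from the page or from the detection vendor, that applies the same indicator matching to constructed request records and then grades each hit by what the markup actually declares: an ENTITY with an external identifier (the XXE shape) is rated critical or high, a bare DOCTYPE with an external DTD (the validating-client shape) is rated low. It also reads the SLD_BODY query parameter on GET requests, the WMS GetMap shape from the Testing Methodology section. The record layout, field names and sample bodies are assumptions for the example; GeoServer paths and indicator strings are those from the page's rule.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample records (not real telemetry): one dict per HTTP request,
# in the shape a WAF or proxy log might expose after field extraction.
SAMPLE_REQUESTS = [
    {  # legitimate WFS GetFeature, no DTD at all
        "src_ip": "10.0.0.5", "method": "POST", "url": "/geoserver/wfs",
        "body": '<?xml version="1.0"?><wfs:GetFeature service="WFS" version="1.1.0"/>',
    },
    {  # legitimate client declaring an external DTD for validation (false-positive case)
        "src_ip": "10.0.0.6", "method": "POST", "url": "/geoserver/wcs",
        "body": '<?xml version="1.0"?><!DOCTYPE wcs:GetCoverage SYSTEM "http://schemas.example.org/wcs.dtd"><wcs:GetCoverage/>',
    },
    {  # constructed XXE marker set: entity with a file:// external identifier
        "src_ip": "203.0.113.9", "method": "POST", "url": "/geoserver/wfs",
        "body": '<?xml version="1.0"?><!DOCTYPE q [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><q>&xxe;</q>',
    },
    {  # same markers carried in the SLD_BODY query parameter of a GET (Test 4 shape)
        "src_ip": "203.0.113.9", "method": "GET",
        "url": "/geoserver/wms?SERVICE=WMS&REQUEST=GetMap&SLD_BODY=%3C%21DOCTYPE+s+%5B%3C%21ENTITY+e+SYSTEM+%22file%3A%2F%2F%2Fetc%2Fhostname%22%3E%5D%3E",
        "body": "",
    },
    {  # unrelated endpoint; must not be evaluated even though it contains DOCTYPE
        "src_ip": "10.0.0.7", "method": "POST", "url": "/api/health",
        "body": "<!DOCTYPE html>",
    },
]

GEOSERVER_PATHS = ("/geoserver/wfs", "/geoserver/wcs", "/geoserver/wms", "/geoserver/ows")
INDICATORS = ("<!ENTITY", "<!DOCTYPE", "SYSTEM", "PUBLIC")

# An ENTITY declaration carrying an external identifier is the shape the rule is
# after; a DOCTYPE whose only external reference is its DTD is what legitimate
# validating clients send and is the main false-positive source.
EXTERNAL_ENTITY_RE = re.compile(
    r'<!ENTITY\s+%?\s*\w+\s+(?:SYSTEM|PUBLIC\s+"[^"]*")\s+"(?P<uri>[^"]*)"', re.IGNORECASE)
DOCTYPE_EXTERNAL_RE = re.compile(r'<!DOCTYPE\s+[\w:]+\s+(?:SYSTEM|PUBLIC)\b', re.IGNORECASE)


def xml_content(req):
    """Return the XML GeoServer will parse: the body for POST/PUT, or the
    decoded SLD_BODY query parameter for GET (parse_qs percent-decodes it)."""
    if req["method"] in ("POST", "PUT"):
        return req["body"]
    sld = parse_qs(urlsplit(req["url"]).query).get("SLD_BODY")
    return sld[0] if sld else ""


def classify(req):
    """Return a finding dict, or None when the request is out of scope or benign."""
    path = urlsplit(req["url"]).path
    if not path.startswith(GEOSERVER_PATHS):
        return None
    xml = xml_content(req)
    matched = [i for i in INDICATORS if i.lower() in xml.lower()]
    if not matched:
        return None
    ext = EXTERNAL_ENTITY_RE.search(xml)
    if ext:
        uri = ext.group("uri")
        scheme = uri.split(":", 1)[0].lower()
        # local file read or cloud metadata endpoint (169.254.169.254) is the worst case
        severity = "critical" if scheme == "file" or "169.254.169.254" in uri else "high"
        reason = f"external ENTITY -> {uri}"
    elif DOCTYPE_EXTERNAL_RE.search(xml):
        severity, reason = "low", "DOCTYPE with external DTD only (typical validating client)"
    else:
        severity, reason = "medium", "DTD markup without an external entity"
    return {"src_ip": req["src_ip"], "path": path, "severity": severity,
            "matched": matched, "reason": reason}


def run(requests):
    """Evaluate a batch of request records and keep only the findings."""
    return [f for f in (classify(r) for r in requests) if f]


if __name__ == "__main__":
    for finding in run(SAMPLE_REQUESTS):
        print(finding)
```

The `matched` list corresponds to the query's MatchedIndicators count; the `severity` tier is the extra step that lets the validating-client case (second record) be routed to a low-priority queue instead of paging on every DOCTYPE.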

Sigma rule & cross-platform mapping

The detection logic for OSGeo GeoServer XXE Injection Exploitation Attempt (CVE-2025-58360) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native queries in KQL (Microsoft Sentinel / Defender), SPL (Splunk), EQL (Elastic Security), AQL (IBM QRadar), Sumo Logic CSE, YARA-L (Google Chronicle / SecOps) and CQL (CrowdStrike LogScale). In Sigma terms, this detection targets the following logsource:

```yaml
logsource:
  category: network_connection
  product: windows
```


Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: GeoServer XXE File Disclosure via WFS Request

    Expected signal: Web server access log entry showing POST to /geoserver/wfs with 400/500 HTTP response status; GeoServer application log entry with SAXParseException or EntityException referencing file:///etc/passwd; network packet capture showing the XML payload in request body.

  2. Test 2: GeoServer XXE SSRF to Cloud Metadata Endpoint

    Expected signal: Outbound HTTP GET request from the GeoServer host to 169.254.169.254 visible in network flow logs or host-based network monitoring; web server log showing POST to /geoserver/wcs with the XXE payload.

  3. Test 3: GeoServer Blind XXE Out-of-Band DNS Exfiltration

    Expected signal: Outbound DNS resolution and HTTP GET request from GeoServer host to ATTACKER_DOMAIN visible in DNS logs and network flow telemetry; GeoServer application log may show entity resolution attempts or DTD fetch errors.

  4. Test 4: GeoServer XXE via WMS GetMap Request with Malicious SLD

    Expected signal: Web server access log showing GET to /geoserver/wms with SLD_BODY parameter containing DOCTYPE and ENTITY declarations; GeoServer log showing SLD parsing error with reference to file:///etc/hostname.
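Tests 2 and 3 describe the second half of the expected signal: egress from the GeoServer host (a connection to 169.254.169.254, or a DNS lookup for an attacker-controlled name) shortly after the inbound request. The following is an added example, not from the page or the detection vendor, that joins the two telemetry streams: each request to a /geoserver/ path is paired with suspicious outbound flow or DNS events from the same host inside a short window. The event layout, the ten-second window, the resolver allowlist and all sample timestamps and names are assumptions constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed telemetry (not real logs). Timestamps are ISO 8601, UTC.
WEB_EVENTS = [
    {"ts": "2025-10-01T12:00:00", "host": "geo-prod-1", "method": "POST", "url": "/geoserver/wcs", "status": 500},
    {"ts": "2025-10-01T12:30:00", "host": "geo-prod-1", "method": "POST", "url": "/geoserver/wfs", "status": 200},
]
NET_EVENTS = [
    {"ts": "2025-10-01T12:00:02", "host": "geo-prod-1", "kind": "flow", "dst": "169.254.169.254", "dport": 80},
    {"ts": "2025-10-01T12:00:03", "host": "geo-prod-1", "kind": "dns", "qname": "oob.attacker-domain.example"},
    {"ts": "2025-10-01T12:30:01", "host": "geo-prod-1", "kind": "dns", "qname": "schemas.opengis.net"},
    {"ts": "2025-10-01T12:45:00", "host": "geo-prod-1", "kind": "flow", "dst": "169.254.169.254", "dport": 80},
]

METADATA_IPS = {"169.254.169.254"}           # cloud instance metadata endpoint (Test 2)
ALLOWED_DNS_SUFFIXES = (".opengis.net",)      # assumption: names GeoServer legitimately resolves
WINDOW = timedelta(seconds=10)                # assumption: how long after the request egress still counts


def parse_ts(ts):
    return datetime.fromisoformat(ts)


def suspicious_net(ev):
    """A flow to the metadata service, or a DNS query outside the allowlist (Test 3)."""
    if ev["kind"] == "flow":
        return ev["dst"] in METADATA_IPS
    if ev["kind"] == "dns":
        return not ev["qname"].endswith(ALLOWED_DNS_SUFFIXES)
    return False


def correlate(web_events, net_events, window=WINDOW):
    """Pair each GeoServer request with suspicious egress from the same host
    that occurs within `window` after the request was received."""
    hits = []
    for w in web_events:
        if not w["url"].startswith("/geoserver/"):
            continue
        t0 = parse_ts(w["ts"])
        followups = [n for n in net_events
                     if n["host"] == w["host"] and suspicious_net(n)
                     and t0 <= parse_ts(n["ts"]) <= t0 + window]
        if followups:
            hits.append({"request": w, "egress": followups})
    return hits


if __name__ == "__main__":
    for hit in correlate(WEB_EVENTS, NET_EVENTS):
        print(hit["request"]["url"], "->", [e.get("dst") or e.get("qname") for e in hit["egress"]])
```

On the sample data only the 12:00 request correlates: the schema-host lookup after the 12:30 request is allowlisted, and the 12:45 metadata flow has no GeoServer request inside the window, so it would be surfaced by a host-egress rule rather than by this join.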

Unlock Pro Content

Get the full detection package for CVE-2025-58360 including response playbook, investigation guide, and atomic red team tests.

