CVE-2025-58360 Splunk · SPL

Detect OSGeo GeoServer XXE Injection Exploitation Attempt in Splunk

Detects exploitation attempts targeting CVE-2025-58360, an Improper Restriction of XML External Entity (XXE) Reference vulnerability in OSGeo GeoServer. Attackers can submit malicious XML payloads to GeoServer endpoints to perform server-side request forgery, read local files, or exfiltrate data via out-of-band DNS/HTTP channels. This CVE is listed on CISA's Known Exploited Vulnerabilities catalog.

MITRE ATT&CK

Tactic
  • Initial Access
  • Credential Access
  • Collection

SPL Detection Query

Splunk (SPL)

(index=web OR index=proxy OR index=waf) sourcetype IN ("access_combined", "iis", "nginx:access", "apache:access", "pan:traffic", "waf")
| where match(uri_path, "(?i)/geoserver/(wfs|wcs|wms|ows|web)")
| eval payload=coalesce(request_body, "") . " " . urldecode(coalesce(uri_query, ""))
| where match(payload, "(?i)(<!ENTITY|SYSTEM\s+[\"']|<!DOCTYPE|file://|jar://|netdoc://)")
| eval xxe_score=0
| eval xxe_score=xxe_score + if(match(payload, "(?i)<!ENTITY"), 3, 0)
| eval xxe_score=xxe_score + if(match(payload, "(?i)SYSTEM"), 2, 0)
| eval xxe_score=xxe_score + if(match(payload, "(?i)<!DOCTYPE"), 2, 0)
| eval xxe_score=xxe_score + if(match(payload, "(?i)file://"), 3, 0)
| eval xxe_score=xxe_score + if(match(payload, "(?i)(jar://|netdoc://|gopher://|dict://)"), 4, 0)
| where xxe_score >= 3
| stats count, max(xxe_score) as max_score, values(uri_path) as endpoints, values(method) as methods, earliest(_time) as first_seen, latest(_time) as last_seen by dest_ip, src_ip
| sort -max_score

Severity: critical · Confidence: high

Detects XXE injection attempts against GeoServer OGC endpoints by scoring request bodies for XXE-specific patterns including ENTITY declarations, SYSTEM identifiers, and dangerous URI schemes. Aggregates by source and destination IP.
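An added example, not code from this detection page: a Python re-implementation of the query's scoring logic so the rule can be exercised offline. The indicator patterns, weights and threshold are the page's own; the sample events, IP addresses and payloads are constructed fixtures. Because GeoServer also accepts XML in the query string (the SLD_BODY parameter in Test 4), where it arrives URL-encoded, the example scores the decoded query alongside the body and also shows what the raw, undecoded string would score (in SPL the same decoding is done with the urldecode() eval function).

```python
"""Added example (not code from this detection page): a Python re-implementation
of the SPL xxe_score logic so the rule can be exercised offline. All IPs, paths
and payloads below are constructed test fixtures, not captured traffic."""
import re
from collections import defaultdict
from urllib.parse import unquote_plus

GEOSERVER_PATH = re.compile(r"(?i)/geoserver/(wfs|wcs|wms|ows|web)")

# Same indicator patterns and weights as the eval chain in the SPL query.
SCORING = [
    (re.compile(r"(?i)<!ENTITY"), 3),
    (re.compile(r"(?i)SYSTEM"), 2),
    (re.compile(r"(?i)<!DOCTYPE"), 2),
    (re.compile(r"(?i)file://"), 3),
    (re.compile(r"(?i)(jar://|netdoc://|gopher://|dict://)"), 4),
]
THRESHOLD = 3  # `| where xxe_score >= 3`


def xxe_score(payload: str) -> int:
    """Sum the weights of every indicator that appears in the payload."""
    return sum(weight for rx, weight in SCORING if rx.search(payload))


def request_payload(event: dict, decode_query: bool = True) -> str:
    """Join the request body and query string into the text to score.

    GeoServer also accepts XML in the query string (the WMS SLD_BODY parameter),
    where it arrives URL-encoded; decoding it first is what lets patterns such
    as '<!ENTITY' match. decode_query=False shows what raw matching would see.
    """
    query = event.get("uri_query") or ""
    if decode_query:
        query = unquote_plus(query)
    return (event.get("request_body") or "") + " " + query


def score_event(event: dict, decode_query: bool = True) -> int:
    """xxe_score for one event; 0 when the path is outside the rule's scope."""
    if not GEOSERVER_PATH.search(event.get("uri_path") or ""):
        return 0
    return xxe_score(request_payload(event, decode_query))


def detect(events, decode_query: bool = True) -> dict:
    """Mirror the SPL stats clause: aggregate scoring hits by (dest_ip, src_ip)."""
    groups = defaultdict(lambda: {"count": 0, "max_score": 0, "endpoints": set()})
    for ev in events:
        score = score_event(ev, decode_query)
        if score < THRESHOLD:
            continue
        g = groups[(ev["dest_ip"], ev["src_ip"])]
        g["count"] += 1
        g["max_score"] = max(g["max_score"], score)
        g["endpoints"].add(ev["uri_path"])
    return dict(groups)


# Constructed events in the shape the SPL query expects (one dict per access-log hit).
EVENTS = [
    # 1. Inline DTD in a WFS POST body: every indicator except the exotic schemes.
    {"src_ip": "203.0.113.10", "dest_ip": "192.0.2.20", "method": "POST",
     "uri_path": "/geoserver/wfs", "uri_query": "",
     "request_body": '<!DOCTYPE GetFeature [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'},
    # 2. The same DTD URL-encoded in a WMS GetMap SLD_BODY parameter (Test 4 shape).
    {"src_ip": "203.0.113.10", "dest_ip": "192.0.2.20", "method": "GET",
     "uri_path": "/geoserver/wms", "request_body": "",
     "uri_query": "SERVICE=WMS&REQUEST=GetMap&SLD_BODY=%3C%21DOCTYPE+sld+%5B%3C%21ENTITY"
                  "+x+SYSTEM+%22file%3A%2F%2F%2Fetc%2Fhostname%22%3E%5D%3E"},
    # 3. Ordinary WFS GetFeature request with no DTD at all.
    {"src_ip": "198.51.100.7", "dest_ip": "192.0.2.20", "method": "POST",
     "uri_path": "/geoserver/wfs", "uri_query": "",
     "request_body": '<wfs:GetFeature service="WFS" version="1.1.0">'
                     '<wfs:Query typeName="topp:states"/></wfs:GetFeature>'},
    # 4. External DOCTYPE with a SYSTEM identifier: the legacy-client false positive.
    {"src_ip": "198.51.100.8", "dest_ip": "192.0.2.20", "method": "POST",
     "uri_path": "/geoserver/wfs", "uri_query": "",
     "request_body": '<!DOCTYPE Transaction SYSTEM "http://schemas.example.test/wfs.dtd">'
                     '<Transaction/>'},
    # 5. Indicators on a non-GeoServer path: outside this rule's scope.
    {"src_ip": "203.0.113.11", "dest_ip": "192.0.2.21", "method": "POST",
     "uri_path": "/api/upload", "uri_query": "",
     "request_body": '<!DOCTYPE x [<!ENTITY e SYSTEM "file:///x">]>'},
]

if __name__ == "__main__":
    for key, hit in sorted(detect(EVENTS).items(), key=lambda kv: -kv[1]["max_score"]):
        print(key, hit)
```

Event 4 scores 4 (DOCTYPE plus SYSTEM) and clears the threshold even though it declares no entity, which is exactly the false positive the tuning section describes for legacy clients; raising the threshold or allowlisting the DTD host is the usual fix. Event 2 scores 10 once the query string is decoded but only 2 on the raw string, so a rule that regex-matches an undecoded uri_query field will miss the GET variant in Test 4.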

Data Sources

  • Web Server Logs
  • Reverse Proxy Logs
  • WAF Logs
  • Network Proxy Logs

Required Sourcetypes

  • access_combined
  • iis
  • nginx:access
  • apache:access
  • waf

False Positives & Tuning

  • GeoServer schema validation requests that legitimately include DOCTYPE or ENTITY declarations for XML Schema Definition (XSD) imports
  • Authorized penetration testing or vulnerability scanning activities against GeoServer infrastructure
  • Legacy GIS client software that embeds XML entity references in WFS transaction requests

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: GeoServer XXE File Disclosure via WFS Request

    Expected signal: Web server access log entry showing POST to /geoserver/wfs with 400/500 HTTP response status; GeoServer application log entry with SAXParseException or EntityException referencing file:///etc/passwd; network packet capture showing the XML payload in request body.

  2. Test 2: GeoServer XXE SSRF to Cloud Metadata Endpoint

    Expected signal: Outbound HTTP GET request from the GeoServer host to 169.254.169.254 visible in network flow logs or host-based network monitoring; web server log showing POST to /geoserver/wcs with the XXE payload.

  3. Test 3: GeoServer Blind XXE Out-of-Band DNS Exfiltration

    Expected signal: Outbound DNS resolution and HTTP GET request from GeoServer host to ATTACKER_DOMAIN visible in DNS logs and network flow telemetry; GeoServer application log may show entity resolution attempts or DTD fetch errors.

  4. Test 4: GeoServer XXE via WMS GetMap Request with Malicious SLD

    Expected signal: Web server access log showing GET to /geoserver/wms with SLD_BODY parameter containing DOCTYPE and ENTITY declarations; GeoServer log showing SLD parsing error with reference to file:///etc/hostname.
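An added example, not part of this page: the expected signals for Tests 2 and 3 are server-side egress (a request from the GeoServer host to 169.254.169.254, or a DNS lookup for a domain the attacker controls) that follows the inbound XXE request. This Python snippet correlates the rows the SPL stats clause produces with flow and DNS telemetry from the targeted host. The metadata address is the one named in Test 2; the five-minute follow-up window, the allowlist of expected domains, and every timestamp, address and domain in the fixtures are constructed assumptions.

```python
"""Added example (not from this page): correlate the detection's output rows with
the server-side egress telemetry the tests above describe (metadata-endpoint
requests, out-of-band DNS). Every timestamp, address and domain is a constructed
fixture; the window and allowlist are assumptions, not values from the page."""
from datetime import datetime, timedelta

METADATA_ENDPOINTS = {"169.254.169.254"}  # cloud metadata address named in Test 2
FOLLOW_UP_WINDOW = timedelta(minutes=5)   # assumed: how long after the request to look
# Assumed allowlist of domains the GeoServer host legitimately resolves.
EXPECTED_DOMAINS = {"schemas.opengis.net", "tiles.example.test"}


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def _allowlisted(name: str) -> bool:
    return any(name == d or name.endswith("." + d) for d in EXPECTED_DOMAINS)


def classify(egress: dict):
    """Name the reason an outbound event matters, or None when it is expected."""
    if egress["type"] == "flow" and egress["dst_ip"] in METADATA_ENDPOINTS:
        return "metadata_endpoint"
    if egress["type"] == "dns" and not _allowlisted(egress["query"]):
        return "unexpected_dns"
    return None


def correlate(alerts, egress_events):
    """For each alert row (dest_ip, src_ip, first_seen, last_seen) return outbound
    events from the targeted GeoServer host that fall within the follow-up window."""
    findings = []
    for alert in alerts:
        start = _ts(alert["first_seen"])
        end = _ts(alert["last_seen"]) + FOLLOW_UP_WINDOW
        for ev in egress_events:
            if ev["src_ip"] != alert["dest_ip"]:
                continue
            when = _ts(ev["time"])
            if not start <= when <= end:
                continue
            reason = classify(ev)
            if reason:
                findings.append({"src_ip": alert["src_ip"], "geoserver": alert["dest_ip"],
                                 "time": ev["time"], "reason": reason,
                                 "detail": ev.get("dst_ip") or ev.get("query")})
    return findings


# Constructed alert row in the shape of the SPL stats output.
ALERTS = [{"src_ip": "203.0.113.10", "dest_ip": "192.0.2.20", "max_score": 10,
           "first_seen": "2025-09-10T10:00:00", "last_seen": "2025-09-10T10:00:30"}]

# Constructed flow and DNS telemetry from the GeoServer host and one bystander.
EGRESS = [
    {"type": "flow", "time": "2025-09-10T10:00:02", "src_ip": "192.0.2.20",
     "dst_ip": "169.254.169.254", "dst_port": 80},
    {"type": "dns", "time": "2025-09-10T10:00:03", "src_ip": "192.0.2.20",
     "query": "a1b2c3.oob.example.test"},
    {"type": "dns", "time": "2025-09-10T10:00:05", "src_ip": "192.0.2.20",
     "query": "schemas.opengis.net"},
    {"type": "flow", "time": "2025-09-10T11:30:00", "src_ip": "192.0.2.20",
     "dst_ip": "169.254.169.254", "dst_port": 80},   # long after the request
    {"type": "dns", "time": "2025-09-10T10:00:04", "src_ip": "192.0.2.99",
     "query": "x.oob.example.test"},                 # a different host
]

if __name__ == "__main__":
    for finding in correlate(ALERTS, EGRESS):
        print(finding)
```

Only the two outbound events that follow the inbound request from the same GeoServer host are returned: the metadata-endpoint flow and the lookup of an unexpected domain. The allowlisted schema lookup, the metadata request an hour later, and the other host's DNS query are all dropped, which is what turns a scored request into a corroborated exploitation attempt rather than a payload sighting.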
