DIVD-2025-00033 - Remote Code Execution in GeoServer versions below 2.27.0, 2.26.2 and 2.25.6
Field | Value |
---|---|
Our reference | DIVD-2025-00033 |
Case lead | Victor Pasman |
Researcher(s) | |
CVE(s) | |
Product | GeoServer |
Versions | GeoServer below 2.27.0, 2.26.2, 2.25.6 |
Recommendation | Update to versions 2.27.0, 2.26.2, 2.25.6, or later |
Patch status | Fully patched |
Workaround | None |
Status | Open |
Last modified | 11 Jul 2025 11:35 CEST |
Summary
GeoServer contains a critical Remote Code Execution (RCE) vulnerability that allows unauthenticated attackers to execute arbitrary code on the server via XML code injection. Successful exploitation can result in full system compromise, including access to credentials, sensitive data, and hosted servers. The issue has been resolved in GeoServer versions 2.27.0, 2.26.2 and 2.25.6 or later. It is strongly recommended to update to the latest version as soon as possible.
What you can do
It is strongly advised that all impacted organisations immediately update their GeoServer installations to the latest available version (2.27.0, 2.26.2 or 2.25.6, or later), as described in the following advisory.
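Deciding whether an inventoried instance still needs this update means applying the "below 2.27.0, 2.26.2, 2.25.6" condition per release branch, since a naive "older than 2.27.0" check would wrongly flag the fixed 2.25.6 and 2.26.2 releases. The following Python helper is an added example written for this page, not DIVD's or GeoServer's own tooling; it assumes plain x.y.z version strings and treats any pre-release suffix as the numbered release.

```python
import re
from typing import Optional, Tuple

# Fixed releases named in DIVD-2025-00033, one per maintained GeoServer branch.
FIXED_VERSIONS = ((2, 25, 6), (2, 26, 2), (2, 27, 0))

def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Parse the leading numeric part of a GeoServer version string.

    Accepts "2.26.1", "2.26.1-SNAPSHOT" or "2.27-RC"; a missing patch component
    counts as 0 and pre-release suffixes are ignored (assumption: the advisory
    only names x.y.z releases). Returns None when no numeric version is present.
    """
    m = re.match(r"\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)

def is_patched(version: str) -> Optional[bool]:
    """True if the version carries the fix, False if vulnerable per the advisory,
    None if the string could not be parsed.

    "Below 2.27.0, 2.26.2, 2.25.6" is branch-wise: 2.26.1 is vulnerable although
    it sorts above 2.25.6, and 2.25.6 is fixed although it sorts below 2.26.0.
    Branches older than 2.25 have no fixed release and are vulnerable.
    """
    v = parse_version(version)
    if v is None:
        return None
    if v >= max(FIXED_VERSIONS):      # 2.27.0 and every later branch
        return True
    for fix in FIXED_VERSIONS:        # same major.minor: compare to branch fix
        if v[:2] == fix[:2]:
            return v >= fix
    return False                      # older branch, never fixed

def triage(versions):
    """Bucket observed version strings into vulnerable / patched / unknown."""
    result = {"vulnerable": [], "patched": [], "unknown": []}
    for ver in versions:
        state = is_patched(ver)
        result["unknown" if state is None else "patched" if state else "vulnerable"].append(ver)
    return result

if __name__ == "__main__":
    # Constructed sample inventory, not real scan results.
    sample = ["2.24.3", "2.25.5", "2.25.6", "2.26.1-SNAPSHOT", "2.26.2", "2.27.0", "2.28.1", "n/a"]
    for bucket, items in triage(sample).items():
        print(f"{bucket}: {items}")
```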
What we are doing
DIVD is currently working to identify parties that are running a vulnerable version of GeoServer and to notify these parties.
Timeline
Date | Description |
---|---|
18 Jun 2025 | GeoServer published the vulnerability. |
04 Jul 2025 | DIVD started scanning the internet for GeoServer instances. |
09 Jul 2025 | DIVD sent out a first batch of notifications. |