Disclaimer: This writeup is based on a Capture The Flag (CTF) challenge hosted on TryHackMe and it is intended for educational purposes only.
An XML External Entity (XXE) vulnerability was discovered in GeoServer in late 2025 and assigned CVE-2025-58360. The flaw lets an unauthenticated attacker read arbitrary files from the host running GeoServer and abuse the application for Server-Side Request Forgery (SSRF), since the same external entity mechanism can be pointed at file:// paths or at internal HTTP endpoints. The vulnerability received a critical severity rating, with a CVSS score of 9.8, as assessed by NIST.
GeoServer is widely used by governments and private organizations to publish and manage geospatial data, making vulnerabilities in this platform particularly impactful when exposed to the internet. In this room, we will explore GeoServer and its role in real-world infrastructure, walk through exploitation using crafted XML payloads, analyze artifacts left by an attacker, and discuss detection methods.
Task 1 Introduction
I understand the learning objectives and am ready to get started with CVE-2025-58360!
No answer needed
Task 2 Exploring GeoServer
In which city and state is the TryMapMe South regional office located?
Austin, Texas
Investigate the remaining TryMapMe regional offices. What is the hidden flag value?
THM{geoserver_in_action!}
Try out the DescribeLayer curl request from above to investigate the trymapme_offices layer.
Which owsType is listed in the DescribeLayer response?
WFS
Task 3 Exploiting GeoServer
Which GeoServer operation does the XML External Entity vulnerability take advantage of?
GetMap
Modify your XML payload or use the Metasploit module to exploit the server.
What is the flag located at /home/ubuntu/flag.txt?
THM{geoserver_exploited!}
Task 4 Detecting GeoServer
How many POST requests are found within the available investigation log data?
2
Which source.ip is responsible for the POST requests sent to the server?
203.0.113.45
Highlight the file_output field in the geoserver_app logs.
What is the password found for the user trymapme?
you_found_me!
Continue investigating the geoserver_app logs.
What is the flag value the attacker found?
THM{detect_geoserver_xxe!}
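To make the Task 4 investigation repeatable, here is an added Python example (not code from the room, from TryHackMe, or from GeoServer) that runs the same checks over a few constructed JSON-lines log entries: count the POST requests, attribute them to a source.ip, pull the external entity targets out of each request body to tell a local file read from an SSRF attempt, and surface the file_output field that carried the leaked data. Only the source.ip and file_output field names come from the room; the other field names, the timestamps, the WMS request path and the credentials file path are assumptions, and the XML bodies use the generic XXE entity shape rather than the room's exact payload.

```python
import json
import re
from collections import Counter

# Matches an external entity declaration and captures its system literal,
# i.e. the resource the XML parser would fetch: file:// means a local file
# read, http:// and friends mean SSRF.  Covers general (<!ENTITY x ...>) and
# parameter (<!ENTITY % x ...>) entities in both SYSTEM and PUBLIC form.
ENTITY_DECL = re.compile(
    r'<!ENTITY\s+(?:%\s*)?\w+\s+'                      # entity name
    r'(?:SYSTEM|PUBLIC\s+(?:"[^"]*"|\'[^\']*\'))\s+'   # SYSTEM, or PUBLIC plus public id
    r'["\']([^"\']+)["\']',                             # the system literal
    re.IGNORECASE,
)

# Generic XXE payload shape: an entity backed by file:// is expanded into the
# response.  The flag path is the one named in Task 3; the credentials path is
# hypothetical.
XXE_FLAG_BODY = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE data [<!ENTITY xxe SYSTEM "file:///home/ubuntu/flag.txt">]>'
    '<data>&xxe;</data>'
)
XXE_CREDS_BODY = XXE_FLAG_BODY.replace("/home/ubuntu/flag.txt", "/opt/trymapme/credentials.txt")

# Constructed geoserver_app log lines, not real TryHackMe data.  Only source.ip
# and file_output are field names the room uses; the rest are assumed.
SAMPLE_LOG_LINES = [json.dumps(e) for e in [
    {"ts": "2025-11-02T10:14:03Z", "source.ip": "198.51.100.7", "http.method": "GET",
     "request_uri": "/geoserver/wms?SERVICE=WMS&REQUEST=GetCapabilities", "status": 200},
    {"ts": "2025-11-02T10:16:41Z", "source.ip": "203.0.113.45", "http.method": "POST",
     "request_uri": "/geoserver/wms?SERVICE=WMS&REQUEST=GetMap", "status": 200,
     "request_body": XXE_FLAG_BODY, "file_output": "THM{detect_geoserver_xxe!}"},
    {"ts": "2025-11-02T10:17:05Z", "source.ip": "203.0.113.45", "http.method": "POST",
     "request_uri": "/geoserver/wms?SERVICE=WMS&REQUEST=GetMap", "status": 200,
     "request_body": XXE_CREDS_BODY, "file_output": "trymapme:you_found_me!"},
    {"ts": "2025-11-02T10:20:30Z", "source.ip": "198.51.100.7", "http.method": "GET",
     "request_uri": "/geoserver/wms?SERVICE=WMS&REQUEST=DescribeLayer&LAYERS=trymapme_offices",
     "status": 200},
]]


def parse_logs(lines):
    """Parse JSON-lines log data, skipping blank and malformed lines."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def _is_post(event):
    return str(event.get("http.method", "")).upper() == "POST"


def count_posts(events):
    """Number of POST requests in the log data (Task 4, first question)."""
    return sum(1 for e in events if _is_post(e))


def post_sources(events):
    """POST requests per source.ip, so the responsible client stands out."""
    return Counter(e.get("source.ip") for e in events if _is_post(e))


def xxe_targets(body):
    """System literals of every external entity declared in an XML body."""
    return [m.group(1) for m in ENTITY_DECL.finditer(body or "")]


def classify_target(uri):
    """Map an entity target to the impact the page describes: file read or SSRF."""
    scheme = uri.split(":", 1)[0].lower() if ":" in uri else ""
    if scheme == "file":
        return "file_read"
    if scheme in ("http", "https", "ftp", "gopher", "jar"):
        return "ssrf"
    return "unknown"


def find_xxe_requests(events):
    """Requests whose body declares external entities, with what they fetched."""
    findings = []
    for e in events:
        targets = xxe_targets(e.get("request_body"))
        if targets:
            findings.append({
                "source.ip": e.get("source.ip"),
                "targets": targets,
                "impact": sorted({classify_target(t) for t in targets}),
                "file_output": e.get("file_output"),
            })
    return findings


if __name__ == "__main__":
    events = parse_logs(SAMPLE_LOG_LINES)
    print("POST requests:", count_posts(events))
    print("POST sources:", dict(post_sources(events)))
    for finding in find_xxe_requests(events):
        print(finding)
```

The entity regex keys on the declaration rather than on the DOCTYPE alone, because a DOCTYPE by itself is legitimate in many OGC documents; what makes a body suspicious is an entity whose value is loaded from a SYSTEM identifier, and the scheme of that identifier tells you whether to look for leaked file contents in file_output or for outbound connections from the GeoServer host.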
Task 5 Conclusion
Complete the room and continue on your cyber learning journey!
No answer needed