PoC released for GeoServer vulnerability

Target Industry

Indiscriminate, opportunistic targeting.

Overview

Proof of Concept (PoC) code has been released for a GeoServer vulnerability tracked as CVE-2023-25157 (CVSSv3 base score: 9.8 – critical). The flaw is a Structured Query Language (SQL) injection vulnerability in GeoServer, an open-source server that lets users share and edit geospatial data. The software supports the Web Feature Service (WFS) and Web Map Service (WMS) protocols, which use the Open Geospatial Consortium (OGC) filter expression language and the OGC Common Query Language (CQL).

The PoC code takes the URL of the targeted GeoServer instance, sends a GET request to that URL, parses the XML response, extracts the “Name” value from each “FeatureType” element and stores the names in a list.

Impact

Successful exploitation of CVE-2023-25157 allows a threat actor to inject arbitrary SQL code into the filter expression, which is then executed by the database, leading to the compromise of the associated data.

Vulnerability Detection

GeoServer has released security updates addressing this vulnerability; versions prior to the fixed releases remain vulnerable to exploitation.
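Two checks a defender can run from the bulletin's own facts are a version comparison against the fixed releases (2.21.4 and 2.22.2) and a scan of web-server access logs for OGC filter parameters carrying SQL-injection indicators. The script below is an added example and is not code from the bulletin, from GeoServer or from the released PoC. It assumes a combined-format access log (Apache/nginx style), that GeoServer is served under a /geoserver/ path, and that release lines newer than 2.22 shipped with the fix; the log lines are constructed samples.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Fixed releases named in the bulletin. Assumption: the 2.21 and 2.22 lines are the
# ones that received the fix, and newer release lines shipped after the fix.
FIXED_VERSIONS = {(2, 21): (2, 21, 4), (2, 22): (2, 22, 2)}

# Request parameters that carry filter expressions: FILTER and FEATUREID are
# standard WFS parameters, CQL_FILTER is GeoServer's vendor parameter.
FILTER_PARAMS = {"cql_filter", "filter", "featureid"}

# Coarse SQL-injection indicators inside a filter value. CQL itself uses AND/OR,
# so those keywords are deliberately not matched; comment sequences, statement
# terminators, UNION SELECT and delay functions do not belong in a CQL expression.
SQLI_PATTERNS = [
    re.compile(r"(--|/\*|;)"),
    re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    re.compile(r"\b(sleep|pg_sleep|waitfor|benchmark)\s*\(", re.I),
]

# Combined-format access log: client, timestamp, "METHOD TARGET PROTOCOL", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_version(version):
    """'2.21.4' -> (2, 21, 4); a missing patch component is treated as 0."""
    parts = tuple(int(p) for p in version.strip().split(".")[:3])
    return parts + (0,) * (3 - len(parts))


def is_patched(version):
    """True if the GeoServer version is at or above a fixed release."""
    major, minor, patch = parse_version(version)
    line = (major, minor)
    if line in FIXED_VERSIONS:
        return (major, minor, patch) >= FIXED_VERSIONS[line]
    # Older lines never received the fix; newer lines are assumed to include it.
    return line > max(FIXED_VERSIONS)


def suspicious_filters(target):
    """Return (param, decoded value, indicator) for filter parameters that look injected."""
    hits = []
    query = urlsplit(target).query
    for key, values in parse_qs(query, keep_blank_values=True).items():
        if key.lower() not in FILTER_PARAMS:
            continue
        for value in values:
            indicator = None
            for pattern in SQLI_PATTERNS:
                match = pattern.search(value)
                if match:
                    indicator = match.group(0)
                    break
            # A CQL string literal is always quoted in pairs; an odd quote count
            # means a quote broke out of the literal.
            if indicator is None and value.count("'") % 2 == 1:
                indicator = "unbalanced quote"
            if indicator is not None:
                hits.append((key, value, indicator))
    return hits


def scan_access_log(lines):
    """Yield one alert dict per suspicious filter parameter in GeoServer requests."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or "/geoserver/" not in m["target"].lower():
            continue
        for param, value, indicator in suspicious_filters(m["target"]):
            alerts.append({
                "ip": m["ip"], "time": m["ts"], "status": int(m["status"]),
                "param": param, "value": value, "indicator": indicator,
            })
    return alerts


# Constructed sample log lines: two benign OGC requests, one with a SQL comment
# sequence in CQL_FILTER, one with an unbalanced quote in FEATUREID, one non-OGC hit.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Jun/2023:12:00:01 +0000] "GET /geoserver/wfs?service=WFS&version=1.0.0'
    '&request=GetFeature&typeName=topp:states&CQL_FILTER=STATE_NAME%3D%27Texas%27 HTTP/1.1" 200 5120',
    '10.0.0.5 - - [10/Jun/2023:12:00:03 +0000] "GET /geoserver/wms?service=WMS&request=GetMap'
    '&layers=topp:states&CQL_FILTER=STATE_NAME%3D%27Texas%27%20OR%20STATE_NAME%3D%27Ohio%27 HTTP/1.1" 200 40960',
    '203.0.113.9 - - [10/Jun/2023:12:00:07 +0000] "GET /geoserver/wfs?service=WFS&version=1.0.0'
    '&request=GetFeature&typeName=topp:states&CQL_FILTER=STATE_NAME%3D%27x%27%20OR%201%3D1--%20 HTTP/1.1" 200 88210',
    '203.0.113.9 - - [10/Jun/2023:12:00:09 +0000] "GET /geoserver/wfs?service=WFS&version=1.0.0'
    '&request=GetFeature&typeName=topp:states&FEATUREID=states.1%27 HTTP/1.1" 400 310',
    '10.0.0.7 - - [10/Jun/2023:12:01:00 +0000] "GET /geoserver/web/ HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for v in ("2.21.3", "2.21.4", "2.22.2", "2.23.0"):
        print(v, "patched" if is_patched(v) else "VULNERABLE")
    for alert in scan_access_log(SAMPLE_LOG):
        print(alert)
```

The log indicators are intentionally narrow so that ordinary CQL (which legitimately contains AND, OR and quoted literals) does not alert; tune the pattern list against your own traffic before relying on it, and treat the version check as the authoritative signal.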

Affected Products

GeoServer GeoTools Library.

Containment, Mitigations & Remediations

It is strongly recommended that users upgrade to version 2.21.4 or version 2.22.2 as soon as possible. Users who are unable to apply the update immediately should follow the mitigation steps outlined in the GeoServer Advisory.

Indicators of Compromise

No specific Indicators of Compromise (IoCs) are available currently.

Threat Landscape

GeoServer holds a significant share of the open-source GIS server market. Given that threat actors generally weigh likelihood of success against asset value when deciding which attack surfaces to focus on, GeoServer could emerge as a prime target. Because GeoServer has become integral to business operations in specific industry sectors, threat actors will continue to exploit vulnerabilities in the associated products in an attempt to extract the sensitive data they hold.

Threat Group

No attribution to specific threat actors or groups has been identified at the time of writing.

Mitre Methodologies

Common Attack Pattern Enumeration and Classification (CAPEC):

CAPEC-66 – SQL Injection

Further Information

GeoServer Advisory

PoC Exploit Code
