CVE-2024-39847 - Vulnerability Details

- Arbitrary File Read and Server Side Request Forgery via XML External Entities in 4D Server SOAP

Description

Unauthenticated attackers can exploit a weakness in the XML parser functionality of the SOAP endpoints in 4D server. This allows them to obtain read access to files on the application server and adjacent network shares, and perform HTTP GET requests to arbitrary services.

Published: 2026-04-30

Score: 8.7 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The flaw stems from the XML parser employed by the SOAP endpoints of 4D Server, permitting an unauthenticated attacker to send a crafted XML payload that triggers the XML External Entity (XXE) functionality. This results in the ability to read arbitrary files on the server and on adjacent shared resources, and to issue HTTP GET requests to any target host reachable from the server—effectively a Server‑Side Request Forgery (SSRF). The weakness, classified as CWE‑611, exposes confidential data and permits potential lateral movement within the network.

Affected Systems

The vulnerability targets the 4D Server product (4D:4D Server) on Windows platforms. All releases preceding 4D Server 20 R 7 are affected; the 20 R 7 build and later contain the fix and are no longer vulnerable.

Risk and Exploitability

With a CVSS v3.1 score of 8.7 the flaw is considered high severity. Attackers need no credentials and can reach the vulnerable SOAP service over the network, making remote exploitation straightforward. Although the EPSS score is currently unknown and the issue has not yet been recorded in the CISA KEV catalog, the potential for data exfiltration and internal pivoting renders the risk significant for exposed deployments.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

4D Server

unaffected

Version	Status	Constraints
`*`	affected	≤ v20 R3
`v20 R4`	unknown	≤ v20 R6
`v20 R7`	unaffected	—

No data.

Vendor Product Confidence Versions

Server

95%

Version	Status	Scheme	Platform
`[0,v20 R3]`	affected	generic	—
`v20 R7`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

Vendor Solution

Update to 4D Server 20 R7 or higher.

OpenCVE Recommended Actions

Upgrade 4D Server to version 20 R 7 or later, which includes the XML External Entity mitigation.
If an upgrade cannot be performed immediately, restrict access to the SOAP endpoints to a trusted set of IP addresses or a dedicated network segment using firewalls or ACLs.
Monitor the server for unusual outbound HTTP traffic and for attempts to access sensitive file paths; consider deploying intrusion detection rules that flag suspicious XML payloads.
If the product allows configuration changes, temporarily disable XML External Entity support in the SOAP engine configuration as a last‑resort mitigation.

Generated by OpenCVE AI on April 30, 2026 at 13:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0005.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://4d.com
https://www.schutzwerk.com/en/blog/schutzwerk-sa-2024-002/

History

Thu, 30 Apr 2026 13:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 30 Apr 2026 08:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		4d server
Vendors & Products		4d server

Thu, 30 Apr 2026 07:15:00 +0000

Type	Values Removed	Values Added
Description		Unauthenticated attackers can exploit a weakness in the XML parser functionality of the SOAP endpoints in 4D server. This allows them to obtain read access to files on the application server and adjacent network shares, and perform HTTP GET requests to arbitrary services.
Title		Arbitrary File Read and Server Side Request Forgery via XML External Entities in 4D Server SOAP
First Time appeared		4d 4d 4d Server
Weaknesses		CWE-611
CPEs		cpe:2.3:a:4d:4d_server:::windows:::::* cpe:2.3:a:4d:4d_server:v20_r7::windows:::::
Vendors & Products		4d 4d 4d Server
References		https://4d.com https://www.schutzwerk.com/en/blog/schutzwerk-sa-2024-002/
Metrics		cvssV4_0 `{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/AU:Y'}`

Subscriptions

4d 4d Server Server

MITRE

Status: PUBLISHED

Assigner: SCHUTZWERK

Published: 2026-04-30T07:10:17.999Z

Updated: 2026-04-30T13:00:38.371Z

Reserved: 2024-06-29T20:55:54.740Z

Link: CVE-2024-39847

Vulnrichment

Updated: 2026-04-30T13:00:35.414Z

NVD

Status : Awaiting Analysis

Published: 2026-04-30T07:16:36.143

Modified: 2026-04-30T15:48:26.580

Link: CVE-2024-39847

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T13:45:23Z

Weaknesses

CWE-611

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object