Connext Professional Core Libraries expose an improper restriction on XML External Entity references, enabling serialized data external linking. The vulnerability can be exploited by supplying malicious XML that references external resources, potentially allowing an attacker to read arbitrary files or network content. While it does not directly lead to code execution, the exposed data could be used for further attacks, and based on the description, it is inferred that in some configurations could result in remote code execution. The weakness is identified as CWE-611, representing a failure to validate and restrict XML external entities.

The affected vendor is RTI Connext Professional. The vulnerability impacts versions including 7.4.0 through 7.6.x, 7.0.0 through 7.3.1.0, 6.1.x, 6.0.x, 5.3.x, and 4.3x through 5.1.x. Specifically, versions 7.4.0 up to but not including 7.7.0; 7.0.0 up to 7.3.1.1; 6.1.0 up to any 6.1.*; 6.0.0 up to any 6.0.*; 5.3.0 up to any 5.3.*; and 4.3x up to 5.2.* are affected.

The CVSS score of 6.9 indicates a medium severity. The EPSS score is not available, and the vulnerability is not listed in CISA KEV. The likely attack vector is via an application or service that processes XML input using the Connext libraries. An attacker can craft XML that instructs the parser to fetch external entities; if the system allows such requests, sensitive information may be exfiltrated. The lack of a published exploit does not eliminate risk, given the potential for data disclosure and the medium severity score.