Description
Improper Restriction of XML External Entity Reference vulnerability in RTI Connext Professional (Core Libraries) allows Serialized Data External Linking.This issue affects Connext Professional: from 7.4.0 before 7.7.0, from 7.0.0 before 7.3.1.1, from 6.1.0 before 6.1.*, from 6.0.0 before 6.0.*, from 5.3.0 before 5.3.*, from 4.3x before 5.2.*.
Published: 2026-04-30
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Connext Professional Core Libraries now allow an attacker to supply malformed XML that contains external entity references, leading to serialized data external linking. This flaw can expose sensitive data, such as files or network resources, to the attacker. The weakness corresponds to CWE-611. Since the vulnerability does not provide a direct code execution path, the primary impact is potential information disclosure, but it could be leveraged in a multi‑stage attack if additional exploitation steps are available.

Affected Systems

The affected vendor is RTI Connext Professional. The vulnerability impacts versions including 7.4.0 before 7.7.0, from 7.0.0 before 7.3.1.1, from 6.1.0 before 6.1.*, from 6.0.0 before 6.0.*, from 5.3.0 before 5.3.*, and from 4.3x before 5.2.*.

Risk and Exploitability

The CVSS score of 6.9 indicates a medium severity. The EPSS score of 0.00205 indicates a very low exploitation probability, and the vulnerability is not listed in CISA KEV. The likely attack vector is via an application or service that processes XML input using the Connext libraries (inferred from the vulnerability description). An attacker can craft XML that instructs the parser to fetch external entities; if the system allows such requests, sensitive information may be exfiltrated. The lack of a published exploit does not eliminate risk, given the potential for data disclosure and the medium severity score.

Generated by OpenCVE AI on June 18, 2026 at 22:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Connext Professional to the latest patched versions (e.g., 7.7.0 or later, 7.3.1.1 or later, etc.) that address the XEE issue.
  • Configure the XML parser to disallow or ignore external entity references, ensuring that all XML input is processed without external network or file lookups.
  • Validate and sanitize all XML input sources, rejecting untrusted or externally sourced XML content before it reaches the Connext libraries.

Generated by OpenCVE AI on June 18, 2026 at 22:01 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Description Improper Restriction of XML External Entity Reference vulnerability in Connext Professional (Core Libraries) allows Serialized Data External Linking.This issue affects Connext Professional: from 7.4.0 before 7.7.0, from 7.0.0 before 7.3.1.1, from 6.1.0 before 6.1.*, from 6.0.0 before 6.0.*, from 5.3.0 before 5.3.*, from 4.3x before 5.2.*. Improper Restriction of XML External Entity Reference vulnerability in RTI Connext Professional (Core Libraries) allows Serialized Data External Linking.This issue affects Connext Professional: from 7.4.0 before 7.7.0, from 7.0.0 before 7.3.1.1, from 6.1.0 before 6.1.*, from 6.0.0 before 6.0.*, from 5.3.0 before 5.3.*, from 4.3x before 5.2.*.
Title Improper Restriction of XML External Entity Reference vulnerability in Connext Professional (Core Libraries) allows Serialized Data External Linking. Improper Restriction of XML External Entity Reference vulnerability in RTI Connext Professional (Core Libraries) allows Serialized Data External Linking.

Mon, 04 May 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H'}


Thu, 30 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 30 Apr 2026 15:45:00 +0000

Type Values Removed Values Added
Description Improper Restriction of XML External Entity Reference vulnerability in Connext Professional (Core Libraries) allows Serialized Data External Linking.This issue affects Connext Professional: from 7.4.0 before 7.7.0, from 7.0.0 before 7.3.1.1, from 6.1.0 before 6.1.*, from 6.0.0 before 6.0.*, from 5.3.0 before 5.3.*, from 4.3x before 5.2.*.
Title Improper Restriction of XML External Entity Reference vulnerability in Connext Professional (Core Libraries) allows Serialized Data External Linking.
First Time appeared Rti
Rti connext Professional
Weaknesses CWE-611
CPEs cpe:2.3:a:rti:connext_professional:*:*:*:*:*:*:*:*
Vendors & Products Rti
Rti connext Professional
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

Rti Connext Professional
cve-icon MITRE

Status: PUBLISHED

Assigner: RTI

Published:

Updated: 2026-06-17T17:16:23.061Z

Reserved: 2025-12-11T15:00:13.943Z

Link: CVE-2025-14543

cve-icon Vulnrichment

Updated: 2026-04-30T15:42:18.952Z

cve-icon NVD

Status : Modified

Published: 2026-04-30T16:16:40.420

Modified: 2026-06-17T18:17:33.320

Link: CVE-2025-14543

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T22:15:04Z

Weaknesses
  • CWE-611

    Improper Restriction of XML External Entity Reference