Impact
Connext Professional Core Libraries now allow an attacker to supply malformed XML that contains external entity references, leading to serialized data external linking. This flaw can expose sensitive data, such as files or network resources, to the attacker. The weakness corresponds to CWE-611. Since the vulnerability does not provide a direct code execution path, the primary impact is potential information disclosure, but it could be leveraged in a multi‑stage attack if additional exploitation steps are available.
Affected Systems
The affected vendor is RTI Connext Professional. The vulnerability impacts versions including 7.4.0 before 7.7.0, from 7.0.0 before 7.3.1.1, from 6.1.0 before 6.1.*, from 6.0.0 before 6.0.*, from 5.3.0 before 5.3.*, and from 4.3x before 5.2.*.
Risk and Exploitability
The CVSS score of 6.9 indicates a medium severity. The EPSS score of 0.00205 indicates a very low exploitation probability, and the vulnerability is not listed in CISA KEV. The likely attack vector is via an application or service that processes XML input using the Connext libraries (inferred from the vulnerability description). An attacker can craft XML that instructs the parser to fetch external entities; if the system allows such requests, sensitive information may be exfiltrated. The lack of a published exploit does not eliminate risk, given the potential for data disclosure and the medium severity score.
OpenCVE Enrichment