Impact
RTI Connext Professional, including Routing Service, Observability Collector, Recording Service, Queueing Service, and Cloud Discovery Service, contains an improper restriction of XML External Entity (XXE) references. Because of this flaw, the affected components process serialized data that can reference external XML entities. If an attacker supplies crafted XML, the affected components may read local files, access network resources, or execute code embedded in external entities, leading to data exfiltration or, in the worst case, arbitrary code execution.
Affected Systems
The vulnerability affects the RTI Connext Professional product suite, specifically its Routing Service, Observability Collector, Recording Service, Queueing Service, and Cloud Discovery Service. No specific version information is provided; all released versions under the Connext Professional portfolio are potentially impacted until a patch is issued.
Risk and Exploitability
The CVSS v3.1 score is 7.0 (High). EPSS data is not available, and the issue is not listed in the CISA KEV catalog, which suggests that current evidence of in-the-wild exploitation is limited. However, the attack vector is inferred to be remote through untrusted XML input: an attacker who can deliver XML to an affected component could inject a malicious payload to trigger the vulnerability. Given the nature of XXE weaknesses and the high CVSS score, the risk to affected systems remains significant until the issue is mitigated.
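The defensive pattern for the XXE class described above is to refuse any document that declares a DTD before it reaches the parser, and to run the parser with external entity resolution switched off as a second layer. The following is an added example written for this advisory, not RTI's code: the element names and the sample documents are constructed, and a real deployment would apply the same checks to whatever XML an affected service accepts from untrusted sources.

```python
"""Reject XML that declares external entities before handing it to a parser."""
import io
import re
import xml.sax
from xml.sax.handler import feature_external_ges, feature_external_pes

# Constructed sample inputs (not taken from the advisory or from Connext).
BENIGN_XML = "<dds><participant name='p1'/></dds>"
XXE_XML = (
    "<?xml version='1.0'?>"
    "<!DOCTYPE dds [<!ENTITY ext SYSTEM 'file:///etc/hostname'>]>"
    "<dds><participant name='&ext;'/></dds>"
)

# Layer 1: configuration feeds never need a DTD, so any DOCTYPE is refused
# outright; this also blocks internal entity expansion ("billion laughs").
_DOCTYPE_RE = re.compile(r"<!DOCTYPE", re.IGNORECASE)


class XMLRejected(ValueError):
    """Raised when input fails the hardening checks."""


class _Collector(xml.sax.ContentHandler):
    """Minimal handler that records element names in document order."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def startElement(self, name, attrs):
        self.tags.append(name)


def parse_hardened(text: str) -> list:
    """Return element names, raising XMLRejected for DTD use or malformed XML."""
    if _DOCTYPE_RE.search(text):
        raise XMLRejected("DOCTYPE declarations are not accepted")
    parser = xml.sax.make_parser()
    # Layer 2: even if a DTD slipped past, never fetch external general or
    # parameter entities (file://, http://, ...).
    parser.setFeature(feature_external_ges, False)
    parser.setFeature(feature_external_pes, False)
    handler = _Collector()
    parser.setContentHandler(handler)
    try:
        parser.parse(io.BytesIO(text.encode("utf-8")))
    except xml.sax.SAXParseException as exc:
        raise XMLRejected(f"malformed XML: {exc}") from exc
    return handler.tags
```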
OpenCVE Enrichment