Impact
RTI Connext Professional, encompassing services such as Cloud Discovery, Recording, Routing, Queueing, and Observability Collector, contains an Improper Restriction of XML External Entity (XXE) reference vulnerability. The flaw permits the processing of serialized data that references external XML entities, enabling serialized data external linking and Data Serialization External Entities Blowup. An attacker who supplies crafted XML can trigger the vulnerability, potentially reading local files, accessing network resources, or causing denial‑of‑service by exhausting resources through blowup. In severe cases, this may provide a vector for arbitrary code execution.
Affected Systems
The vulnerability affects the RTI Connext Professional product suite, specifically its Routing Service, Observability Collector, Recording Service, Queueing Service, and Cloud Discovery Service. Affected versions include 7.4.0 before 7.7.0, 7.1.0 before 7.3.1.1, 6.1.0 before 6.1.2.34, 6.0.0 before 6.0.*, and 5.3.0 before 5.3.*.
Risk and Exploitability
The CVSS v3.1 score is 7.0, indicating a high impact severity. EPSS score is < 1%, suggesting a low exploitation probability, and the issue is not listed in the CISA KEV catalog, indicating limited exploitation evidence. However, the attack vector is inferred to be remote through untrusted XML input, meaning an attacker could remotely inject malicious XML payloads to trigger the vulnerability. Given the nature of XXE weaknesses and the high CVSS, the risk to affected systems remains significant until mitigated.
OpenCVE Enrichment