CVE-2025-44043
📋 TL;DR
Keyoti SearchUnit versions before 9.0.0 are vulnerable to Server-Side Request Forgery (SSRF) in two specific endpoints. Attackers can force the server to read/write configuration and log files to attacker-controlled SMB servers. This affects all deployments using vulnerable SearchUnit versions.
💻 Affected Systems
- Keyoti SearchUnit
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal sensitive configuration files, inject malicious configuration, or use the server as a pivot point for internal network reconnaissance.
Likely Case
Data exfiltration of configuration files containing sensitive information like database credentials, API keys, or internal network details.
If Mitigated
Limited to attempted connections that are blocked by network segmentation or SMB restrictions.
🎯 Exploit Status
Exploitation requires only a simple POST request whose indexDirectory parameter points at an attacker-controlled SMB server.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 9.0.0
Vendor Advisory: https://keyoti.com/products/search/dotNetWeb/HtmlHelp9/?topic=UserGuide/Release%20Notes.htm
Restart Required: Yes
Instructions:
1. Download SearchUnit 9.0.0 or later from Keyoti.
2. Replace existing SearchUnit installation.
3. Restart the web application/service.
4. Verify endpoints no longer accept external indexDirectory values.
🔧 Temporary Workarounds
Network Segmentation
Linux: Block outbound SMB traffic from SearchUnit servers to prevent data exfiltration.
firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -p tcp --dport 445 -j DROP
firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -p udp --dport 445 -j DROP
firewall-cmd --reload
Input Validation
All platforms: Implement WAF rules to block requests containing SMB URLs in the indexDirectory parameter.
🧯 If You Can't Patch
- Implement strict network egress filtering to block SMB protocol (TCP/UDP 445) from SearchUnit servers.
- Deploy web application firewall with rules to detect and block SSRF attempts targeting the vulnerable endpoints.
🔍 How to Verify
Check if Vulnerable:
Test by sending a POST request to /Keyoti_SearchEngine_Web_Common/SearchService.svc/GetResults with indexDirectory pointing to an SMB server you control, and monitor that server for connection attempts.
Check Version:
Check web.config or the application manifest for the SearchUnit version, or inspect the assembly version of Keyoti.SearchEngine.dll.
Verify Fix Applied:
Repeat the same SSRF test after patching; connection attempts to external SMB servers should be blocked.
📡 Detection & Monitoring
Log Indicators:
- Unusual outbound SMB connections from web server
- POST requests to affected endpoints with unusual indexDirectory values
Network Indicators:
- Outbound SMB traffic (TCP/UDP 445) from web servers to external IPs
- DNS queries for suspicious SMB server names
SIEM Query:
source="web_logs" AND (uri="/Keyoti_SearchEngine_Web_Common/SearchService.svc/GetResults" OR uri="/Keyoti_SearchEngine_Web_Common/SearchService.svc/GetLocationAndContentCategories") AND post_data CONTAINS "\\\\"
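The same detection applied to parsed request records, as an added example (not from the vendor or this page's authors). It assumes a hypothetical log schema with method, uri and body fields, and assumes the body carries indexDirectory as a JSON or form-encoded field. It goes beyond the query above by also flagging forward-slash, URL-encoded, file:// and smb:// forms, which a literal double-backslash match would miss.

```python
import json
import re
from urllib.parse import parse_qs, unquote

# The two endpoints named in the page's SIEM query, lower-cased for comparison.
ENDPOINTS = {
    "/keyoti_searchengine_web_common/searchservice.svc/getresults",
    "/keyoti_searchengine_web_common/searchservice.svc/getlocationandcontentcategories",
}
# Remote-share forms: \\host\share, //host/share, file://host/..., smb://host/...
REMOTE = re.compile(r"^\s*(?:[\\/]{2}|(?:file|smb)://[^/])", re.I)

def index_directory(body):
    """Return indexDirectory from a JSON or form-encoded body (assumed formats)."""
    try:
        doc = json.loads(body)
    except ValueError:
        doc = None
    fields = doc if isinstance(doc, dict) else {k: v[0] for k, v in parse_qs(body).items()}
    for key, value in fields.items():
        if key.lower() == "indexdirectory" and isinstance(value, str):
            return unquote(value)  # also undo one extra layer of URL encoding
    return None

def is_suspect(record):
    """record keys 'method', 'uri', 'body' are a hypothetical log schema."""
    if record["method"].upper() != "POST":
        return False
    if record["uri"].split("?", 1)[0].lower() not in ENDPOINTS:
        return False
    value = index_directory(record["body"])
    return bool(value and REMOTE.match(value))

BASE = "/Keyoti_SearchEngine_Web_Common/SearchService.svc/"
# Constructed sample records; hosts are documentation addresses.
SAMPLE = [
    {"method": "POST", "uri": BASE + "GetResults",
     "body": r'{"indexDirectory": "\\\\198.51.100.7\\share", "query": "a"}'},
    {"method": "POST", "uri": BASE + "GetResults",
     "body": r'{"indexDirectory": "~/IndexDirectory", "query": "a"}'},
    {"method": "POST", "uri": BASE + "GetLocationAndContentCategories",
     "body": "indexDirectory=%2F%2Ffiles.example.net%2Fshare"},
    {"method": "GET", "uri": BASE + "GetResults", "body": ""},
]

def suspects(records):
    """Indexes of records that target an affected endpoint with a remote path."""
    return [i for i, rec in enumerate(records) if is_suspect(rec)]

if __name__ == "__main__":
    print(suspects(SAMPLE))
```

Feed it records from your own web or WAF logs after mapping their fields to the three keys; a hit is worth correlating with outbound TCP 445 from the same host.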