CVE-2025-44044
📋 TL;DR
Keyoti SearchUnit versions before 9.0.0 are vulnerable to XML External Entity (XXE) attacks. This allows attackers who can submit malicious XML/DTD files to read arbitrary files from the server's filesystem. Any organization using vulnerable SearchUnit versions is affected.
💻 Affected Systems
- Keyoti SearchUnit
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete server file system disclosure including sensitive configuration files, credentials, and system files leading to full system compromise.
Likely Case
Exfiltration of web application configuration files, source code, and sensitive data files accessible to the web server process.
If Mitigated
Limited file access restricted by web server permissions and network segmentation preventing lateral movement.
🎯 Exploit Status
XXE exploitation is well-documented and automated tools exist. The vulnerability requires XML parsing capability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 9.0.0
Vendor Advisory: https://keyoti.com/products/search/dotNetWeb/HtmlHelp9/?topic=UserGuide/Release%20Notes.htm
Restart Required: Yes
Instructions:
1. Download SearchUnit 9.0.0 or later from Keyoti.
2. Replace existing SearchUnit installation with patched version.
3. Restart the application/service.
4. Test XML parsing functionality.
🔧 Temporary Workarounds
Disable XXE in XML parser
all: Configure the XML parser to disable external entity resolution
Set XmlReaderSettings.DtdProcessing = DtdProcessing.Prohibit
Set XmlReaderSettings.XmlResolver = null
Input validation and filtering
all: Filter or reject XML containing DOCTYPE declarations and external entity references
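The two workarounds above combined into one pre-parse gate, as an added example that is not Keyoti's code or part of the original advisory. It assumes the host application can inspect untrusted XML before SearchUnit receives it; `SafeXml`, `TryValidate` and the size cap are hypothetical names and values.

```csharp
using System;
using System.IO;
using System.Xml;

// Added example: hypothetical gate for untrusted XML in a .NET host application.
public static class SafeXml
{
    // Settings from the workaround above: refuse any DTD, resolve nothing external.
    private static XmlReaderSettings Hardened() => new XmlReaderSettings
    {
        DtdProcessing = DtdProcessing.Prohibit, // any <!DOCTYPE ...> raises XmlException
        XmlResolver = null,                     // no file:// or http:// lookups
        MaxCharactersInDocument = 10_000_000    // constructed size cap (assumption)
    };

    // Returns true only if the whole document parses without a DTD.
    public static bool TryValidate(string xml, out string reason)
    {
        try
        {
            using (var text = new StringReader(xml))
            using (var reader = XmlReader.Create(text, Hardened()))
            {
                while (reader.Read()) { } // walk every node so late errors surface
            }
            reason = "ok";
            return true;
        }
        catch (XmlException ex)
        {
            reason = ex.Message; // worth logging: a rejected DOCTYPE is a detection signal
            return false;
        }
    }

    public static void Main()
    {
        // Constructed inputs; the second is the test document from "How to Verify".
        string benign = "<?xml version=\"1.0\"?><test>hello</test>";
        string withDtd = "<?xml version=\"1.0\"?><!DOCTYPE test [<!ENTITY xxe SYSTEM \"file:///etc/passwd\">]><test>&xxe;</test>";

        foreach (var doc in new[] { benign, withDtd })
        {
            bool ok = TryValidate(doc, out string reason);
            Console.WriteLine($"{(ok ? "ACCEPT" : "REJECT")}: {reason}");
        }
    }
}
```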
🧯 If You Can't Patch
- Implement WAF rules to block XML containing DOCTYPE and external entity references
- Network segmentation to isolate SearchUnit instances and restrict file system access
🔍 How to Verify
Check if Vulnerable:
Check SearchUnit version in application configuration or assembly info. Test with XXE payload: <?xml version="1.0"?><!DOCTYPE test [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><test>&xxe;</test>
Check Version:
Check assembly version or consult application configuration files for SearchUnit version
Verify Fix Applied:
Attempt XXE exploitation after the patch. Verify the version is 9.0.0+. A test with the same XXE payload should return an error or an empty result.
📡 Detection & Monitoring
Log Indicators:
- Unusual XML parsing errors
- File access attempts from web process
- Large XML payloads with DOCTYPE declarations
Network Indicators:
- HTTP requests containing XML with DOCTYPE and SYSTEM entities
- Outbound connections attempting to fetch external DTDs
SIEM Query:
source="web_logs" AND (xml OR dtd OR doctype) AND (file:// OR http:// OR ftp://) AND status=200