CVE-2025-47184
📋 TL;DR
An authenticated attacker can exploit an XML external entities (XXE) injection vulnerability in Exagrid EX10's /init API endpoint to read sensitive files and escalate privileges. This affects Exagrid EX10 systems running vulnerable software versions before specific patch levels. Attackers need valid credentials but no special privileges.
💻 Affected Systems
- Exagrid EX10
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise via privilege escalation leading to data exfiltration, system manipulation, or lateral movement within the network.
Likely Case
Information disclosure of sensitive system files, configuration data, or credentials stored on the Exagrid appliance.
If Mitigated
Limited impact due to network segmentation, strict access controls, and monitoring preventing successful exploitation.
🎯 Exploit Status
Exploitation requires crafting malicious ISys XML messages and sending them to the vulnerable endpoint. Authentication is required but no special privileges.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.4.0 P20, 7.0.1 P12, or 7.2.0 P08
Vendor Advisory: https://www.exagrid.com/exagrid-products/exagrid-product-line/
Restart Required: No
Instructions:
1. Identify your current Exagrid EX10 software version.
2. Download the appropriate patch from the Exagrid support portal.
3. Apply the patch following Exagrid's update procedures.
4. Verify the update was successful.
🔧 Temporary Workarounds
Disable XXE Processing
Configure the XML parser to disable external entity resolution if supported by the application.
Restrict API Access
Implement network segmentation and firewall rules to limit access to the /init API endpoint to only trusted systems.
🧯 If You Can't Patch
- Implement strict access controls and monitor all access to the /init API endpoint.
- Deploy network segmentation to isolate Exagrid systems from untrusted networks.
🔍 How to Verify
Check if Vulnerable:
Check the Exagrid EX10 software version via the management interface or CLI. If the version is earlier than 6.4.0 P20, 7.0.1 P12, or 7.2.0 P08 (for the 6.4, 7.0 and 7.2 lines respectively), the system is vulnerable.
Check Version:
Check via Exagrid web interface or consult Exagrid documentation for CLI commands specific to your deployment.
Verify Fix Applied:
After patching, verify that the software version shows 6.4.0 P20, 7.0.1 P12, or 7.2.0 P08, or a later patch level in the same release line.
📡 Detection & Monitoring
Log Indicators:
- Unusual XML parsing errors in application logs
- Multiple failed authentication attempts followed by XML requests to /init endpoint
- Outbound connections to external domains from the Exagrid system
Network Indicators:
- XML payloads containing external entity declarations sent to /init API endpoint
- Unusual data exfiltration patterns from the Exagrid system
SIEM Query:
source="exagrid" AND (uri_path="/init" AND content_type="application/xml") AND (xml_content CONTAINS "<!ENTITY" OR xml_content CONTAINS "SYSTEM")
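The following is an added example, not Exagrid code or output, covering two items on this page: the "Disable XXE Processing" workaround (a pre-parse gate that refuses any document carrying DOCTYPE or ENTITY declarations, which removes external-entity resolution regardless of the parser's own settings) and the SIEM query above (its conditions applied to constructed log records whose field names are taken from the query). The log records, usernames and timestamps are constructed for illustration.

```python
"""Added example (not ExaGrid's code): one XXE indicator check used twice,
as a server-side gate before XML parsing and as a log detection rule.

Assumptions: the field names source, uri_path, content_type and xml_content
come from the page's SIEM query; all log records below are constructed.
"""
import re
import xml.etree.ElementTree as ET

# A DOCTYPE is the only place an XML 1.0 document can declare entities, so
# refusing documents with a DOCTYPE or ENTITY declaration removes
# external-entity resolution entirely, whatever the parser is configured to do.
DOCTYPE_RE = re.compile(r"<!DOCTYPE", re.IGNORECASE)
ENTITY_RE = re.compile(r"<!ENTITY", re.IGNORECASE)


class RejectedXML(ValueError):
    """Raised when a document is refused before it reaches the parser."""


def gate_and_parse(xml_text: str, max_bytes: int = 64 * 1024) -> ET.Element:
    """Parse untrusted XML only if it has no DOCTYPE/ENTITY declaration and
    stays under a size cap. Returns the root element."""
    if len(xml_text.encode("utf-8")) > max_bytes:
        raise RejectedXML("document exceeds size limit")
    if DOCTYPE_RE.search(xml_text) or ENTITY_RE.search(xml_text):
        raise RejectedXML("DOCTYPE/ENTITY declarations are not accepted")
    return ET.fromstring(xml_text)


def is_accepted(xml_text: str) -> bool:
    """True if gate_and_parse() accepts the document, False if it is rejected
    by the gate or is not well-formed XML."""
    try:
        gate_and_parse(xml_text)
        return True
    except (RejectedXML, ET.ParseError):
        return False


def matches_siem_query(record: dict) -> bool:
    """Python equivalent of the page's SIEM query:
    source="exagrid" AND uri_path="/init" AND content_type="application/xml"
    AND (xml_content CONTAINS "<!ENTITY" OR xml_content CONTAINS "SYSTEM")."""
    body = record.get("xml_content", "")
    return (
        record.get("source") == "exagrid"
        and record.get("uri_path") == "/init"
        and record.get("content_type") == "application/xml"
        and ("<!ENTITY" in body or "SYSTEM" in body)
    )


def find_xxe_requests(records: list) -> list:
    """Return the records that should raise an alert, in log order."""
    return [r for r in records if matches_siem_query(r)]


# Constructed sample log records (not real ExaGrid log output).
SAMPLE_LOGS = [
    {"ts": "2025-06-01T10:00:01Z", "source": "exagrid", "user": "backupop",
     "uri_path": "/init", "content_type": "application/xml",
     "xml_content": "<init><site>dc1</site></init>"},            # benign
    {"ts": "2025-06-01T10:00:07Z", "source": "exagrid", "user": "backupop",
     "uri_path": "/init", "content_type": "application/xml",
     "xml_content": '<!DOCTYPE x [<!ENTITY e SYSTEM "file:///PLACEHOLDER">]>'
                    "<init>&e;</init>"},                           # XXE shape
    {"ts": "2025-06-01T10:00:09Z", "source": "exagrid", "user": "backupop",
     "uri_path": "/status", "content_type": "application/xml",
     "xml_content": "<status>SYSTEM ok</status>"},               # wrong path
    {"ts": "2025-06-01T10:00:12Z", "source": "fw01", "user": "-",
     "uri_path": "/init", "content_type": "application/xml",
     "xml_content": "<!ENTITY"},                                  # wrong source
]

if __name__ == "__main__":
    for r in find_xxe_requests(SAMPLE_LOGS):
        print("ALERT", r["ts"], r["user"], r["xml_content"][:40])
    print("accepted root:", gate_and_parse(SAMPLE_LOGS[0]["xml_content"]).tag)
    print("xxe-shaped document accepted?", is_accepted(SAMPLE_LOGS[1]["xml_content"]))
```

Two points worth noting when adapting this: the `SYSTEM` substring condition in the query is case-sensitive and can match benign element text, so in a production rule it is better restricted to the DOCTYPE context (the gate above already keys on `<!DOCTYPE` and `<!ENTITY` case-insensitively); and the gate is a defence-in-depth layer, not a substitute for the vendor patch, since it only protects code paths that route requests through it.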