CVE-2025-54964
📋 TL;DR
This vulnerability in BAE SOCET GXP allows attackers to inject arbitrary executables through the GXP Job Service. If the service is configured for local-only access, it could lead to privilege escalation; if network accessible, it enables remote command execution. Organizations using SOCET GXP versions before 4.6.0.2 are affected.
💻 Affected Systems
- BAE SOCET GXP
📦 What is this software?
SOCET GXP by BAE Systems
⚠️ Risk & Real-World Impact
Worst Case
Remote attackers execute arbitrary commands with Job Service privileges, potentially gaining full system control if the service runs with elevated permissions.
Likely Case
Local authenticated users escalate privileges by injecting malicious executables through the Job Service interface.
If Mitigated
With proper network segmentation and least-privilege service accounts, impact is limited to the Job Service's capabilities.
🎯 Exploit Status
Exploitation requires ability to interact with the Job Service; complexity depends on service configuration and access controls.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.6.0.2
Vendor Advisory: https://www.geospatialexploitationproducts.com/content/socet-gxp/vulnerabilities-disclosure/#cve-2025-54964
Restart Required: Yes
Instructions:
1. Download SOCET GXP version 4.6.0.2 from BAE Systems.
2. Install the update following vendor documentation.
3. Restart all SOCET GXP services including the Job Service.
🔧 Temporary Workarounds
Restrict Job Service Network Access
Configure firewall rules to block external access to the GXP Job Service port (default 8080).
# Windows: netsh advfirewall firewall add rule name="Block GXP Job Service" dir=in action=block protocol=TCP localport=8080
# Linux: iptables -A INPUT -p tcp --dport 8080 -j DROP
Run Job Service with Least Privilege
Configure the Job Service to run under a low-privilege service account.
# Windows (sc.exe requires a space after "obj=" and "password="): sc config "GXPJobService" obj= "DOMAIN\LowPrivUser" password= "password"
# Linux: Edit service unit file to set User=lowprivuser
🧯 If You Can't Patch
- Implement strict network segmentation to isolate SOCET GXP systems from untrusted networks.
- Apply the principle of least privilege to all service accounts and regularly audit Job Service access logs.
🔍 How to Verify
Check if Vulnerable:
Check SOCET GXP version in application interface or installation directory; versions below 4.6.0.2 are vulnerable.
Check Version:
# Windows: Check "About" in SOCET GXP GUI or registry HKEY_LOCAL_MACHINE\SOFTWARE\BAE Systems\SOCET GXP\Version
# Linux: Check /opt/BAE/SOCET_GXP/version.txt or package manager
Verify Fix Applied:
Verify installed version is 4.6.0.2 or higher and test Job Service functionality.
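The version comparison above is easy to get wrong with a plain string compare (for example, 4.10.0.0 sorts before 4.6.0.2 as text). The following is an added example, not vendor code: a POSIX shell check that compares a version string numerically against the fixed release 4.6.0.2. The function names are hypothetical, and the caller supplies the version string read from one of the locations listed above.

```shell
#!/bin/sh
# Added example (not vendor tooling): classify a SOCET GXP version string
# against the fixed release named in this advisory.
FIXED_VERSION="4.6.0.2"

# version_lt A B: succeed when dotted version A is strictly lower than B.
# Components are compared as integers and missing components count as 0,
# so 4.6 equals 4.6.0.0 and 4.10.0.0 is higher than 4.6.0.2.
version_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        # Drop the component just read; clear the string after the last one.
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
    done
    return 1    # versions are equal
}

# gxp_status VERSION: print VULNERABLE, PATCHED or UNKNOWN.
# Exit status: 0 = patched, 1 = vulnerable, 2 = version could not be parsed.
gxp_status() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) echo UNKNOWN; return 2 ;;
    esac
    if version_lt "$1" "$FIXED_VERSION"; then
        echo VULNERABLE
        return 1
    fi
    echo PATCHED
}

# Stand-alone use: ./gxp_check.sh <version-string>
if [ $# -gt 0 ]; then
    gxp_status "$1"
fi
```

A result of UNKNOWN (for instance a version string with a suffix such as a build tag) should be checked by hand rather than treated as patched.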
📡 Detection & Monitoring
Log Indicators:
- Unusual Job Service process creation events
- Suspicious command execution via Job Service logs
- Failed authentication attempts to Job Service
Network Indicators:
- Unexpected connections to Job Service port (default 8080)
- Malformed Job Service protocol requests
SIEM Query:
source="*gxp*" AND ((event_type="process_creation" AND parent_process="GXPJobService") OR (destination_port=8080 AND protocol="TCP"))