CVE-2025-66370
📋 TL;DR
Kivitendo ERP software versions before 3.9.2 contain an XML External Entity (XXE) injection vulnerability in the ZUGFeRD electronic invoice upload functionality. Attackers can exploit this by uploading specially crafted invoices to read arbitrary files from the server filesystem. This affects all Kivitendo installations using vulnerable versions with invoice upload capabilities.
💻 Affected Systems
- Kivitendo ERP
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise through file exfiltration of sensitive configuration files, database credentials, or SSH keys, potentially leading to lateral movement within the network.
Likely Case
Exfiltration of sensitive business data, configuration files, or user information from the server filesystem.
If Mitigated
Limited impact due to proper file permissions, network segmentation, and input validation controls preventing successful exploitation.
🎯 Exploit Status
Exploitation requires access to upload ZUGFeRD invoices, which typically requires authenticated access. The vulnerability is well-documented with public proof-of-concept available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.9.2
Vendor Advisory: https://blog.kivitendo.de/?p=1415
Restart Required: No
Instructions:
1. Back up your Kivitendo installation and database.
2. Update to Kivitendo version 3.9.2 or later.
3. Verify the update by checking the version in the admin interface.
🔧 Temporary Workarounds
Disable ZUGFeRD invoice upload
Temporarily disable the vulnerable ZUGFeRD invoice upload functionality until patching can be completed.
Implement XML input validation
Configure a web application firewall or proxy to validate and sanitize XML input before processing.
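The input-validation workaround above is easiest to reason about as a pre-parse check: reject any uploaded XML document that carries a DOCTYPE or an external (SYSTEM/PUBLIC) entity declaration, since a ZUGFeRD invoice never needs either, and only then hand the bytes to the parser. The following is an added illustration written for this page, not Kivitendo's own code or its fix; the function names, the simplified stand-in invoice document and the rejected sample upload are all constructed here.

```python
import re
import xml.etree.ElementTree as ET
from typing import Tuple

# Patterns applied to the raw upload before any XML parser sees it.
# A ZUGFeRD invoice has no reason to declare a DOCTYPE at all, so the
# safest policy is to refuse every DOCTYPE, and to name the more specific
# problem (an entity pointing outside the document) when it is present.
# The [^>]* span also covers parameter entities ("<!ENTITY % name SYSTEM ...").
_DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)
_EXTERNAL_ENTITY_RE = re.compile(rb"<!ENTITY\b[^>]*\b(SYSTEM|PUBLIC)\b", re.IGNORECASE)


def check_invoice_xml(data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason) for an uploaded invoice document.

    The upload is expected to be UTF-8 (or ASCII-compatible) bytes; a
    deployment should decode to the declared encoding, or reject other
    encodings, before running this check so the patterns cannot be bypassed.
    """
    if _EXTERNAL_ENTITY_RE.search(data):
        return False, "external entity declaration"
    if _DOCTYPE_RE.search(data):
        return False, "DOCTYPE declaration"
    return True, "ok"


def parse_invoice(data: bytes) -> dict:
    """Validate, then parse a (constructed, simplified) invoice document."""
    accepted, reason = check_invoice_xml(data)
    if not accepted:
        raise ValueError(f"rejected upload: {reason}")
    # ElementTree / expat does not fetch external entities, but the point of
    # the check is to fail before parsing, with a reason that can be logged.
    root = ET.fromstring(data)
    invoice_id = root.findtext("ID", default="")
    return {"root": root.tag, "invoice_id": invoice_id}


# Constructed samples. The benign one is a simplified stand-in, not a real
# ZUGFeRD CrossIndustryInvoice; the second carries an external entity
# declaration with a placeholder URI, which is exactly what the check refuses.
BENIGN_INVOICE = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b"<Invoice><ID>INV-2025-0001</ID><Total>100.00</Total></Invoice>"
)
EXTERNAL_ENTITY_UPLOAD = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<!DOCTYPE Invoice [<!ENTITY ext SYSTEM "file:///placeholder">]>'
    b"<Invoice><ID>&ext;</ID></Invoice>"
)


if __name__ == "__main__":
    print(check_invoice_xml(BENIGN_INVOICE))
    print(check_invoice_xml(EXTERNAL_ENTITY_UPLOAD))
    print(parse_invoice(BENIGN_INVOICE))
```

The reason string returned on rejection is what you would write to the application log; it gives the "Unusual XML parsing errors" indicator listed under Detection & Monitoring a precise, greppable form instead of relying on generic parser failures.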
🧯 If You Can't Patch
- Implement strict file permission controls to limit accessible files on the server
- Deploy network segmentation to isolate Kivitendo servers from sensitive systems
🔍 How to Verify
Check if Vulnerable:
Check the Kivitendo version in the admin interface or with the 'cat /path/to/kivitendo/VERSION' command. If the version is below 3.9.2, the system is vulnerable.
Check Version:
cat /path/to/kivitendo/VERSION
Verify Fix Applied:
Verify that the version is 3.9.2 or higher, then test the ZUGFeRD invoice upload functionality with safe test files.
📡 Detection & Monitoring
Log Indicators:
- Unusual XML parsing errors
- Large XML file uploads
- Multiple failed invoice upload attempts
- Access to sensitive file paths in logs
Network Indicators:
- XML payloads with external entity references in HTTP POST requests
- Outbound connections to external servers from the Kivitendo application
SIEM Query:
source="kivitendo.log" AND ("XXE" OR "external entity" OR "DOCTYPE" OR "SYSTEM")
🔗 References
- https://blog.kivitendo.de/?p=1415
- https://github.com/kivitendo/kivitendo-erp/blob/fd3f993fc731cbcaa5eb87d55df7c82df4df9c09/doc/changelog
- https://github.com/kivitendo/kivitendo-erp/commit/1286dee72f9919166178d0cdb5f52f13b0f7d4de
- https://github.com/kivitendo/kivitendo-erp/commit/f6ba56bd8d22a428534057589baace6b7bfdf2e9
- https://invoice.secvuln.info