CVE-2025-6438

MEDIUM

SOAP API - XML External Entity Injection

Description

A CWE-611: Improper Restriction of XML External Entity Reference vulnerability exists that could cause manipulation of SOAP API calls and XML external entities injection resulting in unauthorized file access when the server is accessed via the network using an application account.

Scores

CVSS v4: 5.9
EPSS: 0.0007
EPSS Percentile: 21.4%
CVSS v4 vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: partial

Details

CWE: CWE-611
Status: published
Products (1)
Schneider Electric/EcoStruxure™ IT Data Center Expert 8.3 - Prior to
Published: Jul 11, 2025
Tracked Since: Feb 18, 2026