CVE-2025-24404
BaseFortify
Publication date: 2025-09-09
Last updated on: 2025-11-04
Assigner: Apache Software Foundation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | hertzbeat | to 1.7.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-91 | The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an XML Injection Remote Code Execution (RCE) issue in Apache HertzBeat before version 1.7.0. An attacker with an authenticated account can add a monitor that parses XML. If the XML response contains specially crafted content, it can trigger the XML parsing vulnerability, potentially allowing the attacker to execute arbitrary code.
How can this vulnerability impact me? :
If exploited, this vulnerability can allow an authenticated attacker to execute arbitrary code on the system running Apache HertzBeat. This could lead to unauthorized control over the system, data compromise, or disruption of services.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Apache HertzBeat to version 1.7.0 or later, as this version fixes the XML Injection RCE vulnerability. Additionally, ensure that only trusted authenticated users have access to add monitors parsed by XML to reduce risk.