CVE-2025-14543
XML External Entity Processing in RTI Connext Professional
Publication date: 2026-04-30
Last updated on: 2026-05-04
Assigner: RTI
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| rti | connext_professional | From 5.3.0 (inc) to 5.3.1.45 (inc) |
| rti | connext_professional | From 6.0.0 (inc) to 6.0.1.40 (inc) |
| rti | connext_professional | From 6.1.0 (inc) to 6.1.2.27 (inc) |
| rti | connext_professional | From 7.0.0 (inc) to 7.3.1.1 (exc) |
| rti | connext_professional | From 7.4.0 (inc) to 7.7.0 (exc) |
| rti | connext_professional | From 4.3.0 (inc) to 5.2.3 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-611 | The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an Improper Restriction of XML External Entity (XXE) Reference in Connext Professional (Core Libraries). It allows Serialized Data External Linking, meaning that the software improperly handles XML data that can reference external entities. This can lead to unintended access or processing of external resources when XML data is deserialized.
How can this vulnerability impact me? :
The vulnerability can have a high impact because it allows external linking through serialized XML data, which can lead to unauthorized access to external resources or sensitive data. Given the CVSS base score of 8.8, it indicates a high severity with network attack vector and no required privileges or user interaction, making it potentially exploitable remotely. This could result in data exposure, denial of service, or other security breaches.