CVE 9.1 CRITICAL

XML External Entity Injection in TecConnect 4.1_CVE-2025-10183

September 9, 2025 invoker category_cve
9.1 / 10
CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Description

A blind XML External Entity (XXE) injection in the OpenMessaging webservice in TecCom TecConnect 4.1 allows an unauthenticated attacker to exfiltrate arbitrary files to an attacker-controlled server. TecConnect 4.1 is considered end-of-life as of December 2023. Users are advised to upgrade to TecCom Connect 5.

Basic Information

ID CVE-2025-10183
Source BLSOPS
Published Sep 9, 2025 at 14:50
Modified Sep 9, 2025 at 15:14

Affected Product

Vendor TecCom
Product TecConnect
Version 4.1
Affected Versions TecCom TecConnect 4.1

CWE Classification

CWE-611

References

💭 Join the Security Discussion

🔒 Your email address will not be published. Required fields are marked *

⚠️ Please be respectful and constructive in your comments. Security discussions should remain professional.