CVE-2025-10183 | THREATINT

Description

A blind XML External Entity (XXE) injection in the OpenMessaging webservice in TecCom TecConnect 4.1 allows an unauthenticated attacker to exfiltrate arbitrary files to an attacker-controlled server. TecConnect 4.1 is considered end-of-life as of December 2023. Users are advised to upgrade to TecCom Connect 5.

PUBLISHED Reserved 2025-09-09 | Published 2025-09-09 | Updated 2025-09-09 | Assigner BLSOPS

CRITICAL: 9.1CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Problem types

CWE-611 Improper Restriction of XML External Entity Reference

Product status

Default status

unaffected

4.1

affected

References

blog.blacklanternsecurity.com/...-tecconnect-41-xml-external

cve.org (CVE-2025-10183)

nvd.nist.gov (CVE-2025-10183)

Download JSON