CVE-2015-0921
published 2015-01-09

Priority: P3, 40 · Severity: medium · CVSS 2.0 base score: 4 · Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N

Exploit: EPSS 17.36% (96.7th percentile)
XML external entity (XXE) vulnerability in the Server Task Log in McAfee ePolicy Orchestrator (ePO) before 4.6.9 and 5.x before 5.1.2 allows remote authenticated users to read arbitrary files via the conditionXML parameter to the taskLogTable to orionUpdateTableFilter.do.

Affected (5 ranges)

Vendor   Product               Version range   Fixed in
mcafee   epolicy_orchestrator  <= 4.6.8
mcafee   epolicy_orchestrator
mcafee   epolicy_orchestrator
mcafee   epolicy_orchestrator
mcafee   epolicy_orchestrator

Detection & IOCs (extracted from sources)

url: orionUpdateTableFilter.do
path: keystore.properties
other: conditionXML
  • Monitor HTTP requests targeting the 'orionUpdateTableFilter.do' endpoint, specifically for the 'conditionXML' parameter containing XML external entity declarations (e.g., DOCTYPE or ENTITY keywords).
  • Alert on authenticated requests to ePO that attempt to read 'keystore.properties' from the filesystem via XXE, as this file contains an encrypted password reused for the database 'sa' user and the admin account.
  • Detect outbound or internal file-read responses from the ePO server that include content consistent with keystore.properties (encrypted credential material), which may indicate successful XXE exploitation.
  • Flag any subsequent SQL Server authentication attempts from the ePO host or external IPs using the 'sa' account, which may indicate post-exploitation following credential recovery via this XXE.
  • Exploitation requires valid authenticated credentials — any low-privileged ePO user account is sufficient to trigger the XXE.
  • The XXE data exfiltration is capped at 255 characters due to field length restrictions, which may truncate recovered credential material.
  • The recovered password is encrypted with a static key using weak ECB cipher mode, making offline decryption feasible for an attacker.
  • Post-exploitation SQL Server RCE risk is elevated if ePO was installed with a local SQL Server instance, as it listens on all interfaces by default.
  • The admin account password is also at risk if the administrator has not changed it since initial installation (default recommendation is 'admin').
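The first detection bullet, worked through as an added example (not code from the page or from McAfee): it scans combined-format access-log lines for requests to orionUpdateTableFilter.do whose conditionXML parameter carries a DOCTYPE or ENTITY declaration, decoding a second time to catch double percent-encoding. The log lines, client addresses, user names, the URL path prefix and the `tableId` parameter name are all constructed assumptions for the example.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample access-log lines (combined log format). Hosts, users and
# the entity payload are made up; the file URI is a labelled placeholder.
SAMPLE_LOG = """\
10.0.0.5 - jdoe [09/Jan/2015:10:01:02 +0000] "GET /orionUpdateTableFilter.do?tableId=taskLogTable&conditionXML=%3Ccondition%3E%3C/condition%3E HTTP/1.1" 200 512
10.0.0.7 - jdoe [09/Jan/2015:10:02:45 +0000] "GET /orionUpdateTableFilter.do?tableId=taskLogTable&conditionXML=%3C!DOCTYPE+x+%5B%3C!ENTITY+e+SYSTEM+%22file:///PLACEHOLDER%22%3E%5D%3E%3Ccondition%3E%26e%3B%3C/condition%3E HTTP/1.1" 200 512
10.0.0.9 - admin [09/Jan/2015:10:03:10 +0000] "GET /orionNavigationLogin.do HTTP/1.1" 200 1024
"""

# DTD / entity declarations are the markers named in the detection guidance.
XXE_MARKERS = re.compile(r"<!(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def is_xxe_attempt(value: str) -> bool:
    """True if a (already once-decoded) conditionXML value declares a DTD or
    entity. The value is decoded once more to catch double percent-encoding."""
    return any(XXE_MARKERS.search(c) for c in (value, unquote_plus(value)))


def scan_access_log(text: str) -> list:
    """Return one hit per request to orionUpdateTableFilter.do whose
    conditionXML parameter contains an XXE declaration."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not url.path.lower().endswith("/orionupdatetablefilter.do"):
            continue
        # parse_qs percent-decodes each value once.
        params = parse_qs(url.query, keep_blank_values=True)
        if any(is_xxe_attempt(v) for v in params.get("conditionXML", [])):
            fields = line.split()
            hits.append({"line": lineno, "client": fields[0], "user": fields[2],
                         "table": params.get("tableId", [""])[0]})  # tableId is assumed
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print("possible XXE via conditionXML:", hit)
```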