Cyber Posture

CVE-2024-35532

Critical

Published: 07 January 2025

Modified: 15 April 2026
KEV Added
Patch
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H)
EPSS Score: 0.0008 (24.5th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Description

An XML External Entity (XXE) injection vulnerability in Intersec Geosafe-ea 2022.12, 2022.13, and 2022.14 allows attackers to perform arbitrary file reading under the privileges of the running process, make SSRF requests, or cause a Denial of Service (DoS) via unspecified vectors.

Security Summary

CVE-2024-35532 is an XML External Entity (XXE) injection vulnerability in Intersec Geosafe-ea versions 2022.12, 2022.13, and 2022.14. Published on 2025-01-07, it carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H) and is linked to CWE-125.

Remote attackers can exploit the vulnerability over the network with low attack complexity, and need neither privileges nor user interaction. Exploitation allows arbitrary file reading under the privileges of the running process, Server-Side Request Forgery (SSRF) requests, or Denial of Service (DoS) conditions via unspecified vectors.

Mitigation guidance is available in the Post Cyber Labs advisory at https://github.com/post-cyberlabs/CVE-Advisory/blob/main/CVE-2024-35532.pdf and on the vendor's public safety page at https://intersec.com/public-safety.

Details

CWE(s)
CWE-125

References