An XML External Entity (XXE) injection vulnerability exists in the APILocalEntryAdmin SOAP admin service, one of several services affected by insufficient authorisation checks (CVE-2025-9804). The addLocalEntry operation parses user-supplied XML without disabling external entity processing, and the resolved content can be retrieved directly via getEntry.
POST /services/APILocalEntryAdmin HTTP/1.1
Host: target
SOAPAction: "urn:addLocalEntry"
Content-Type: text/xml
...
<localEntry key="poc">
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<data>&xxe;</data>
</localEntry>
...
A subsequent call to getEntry with the same key returns the local entry with the entity resolved, exposing the file contents in the SOAP response. Unlike CVE-2025-2905, this vulnerability does not require out-of-band data exfiltration.
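For comparison, this is what the parse on the receiving side should look like: a hardened reader for an addLocalEntry-style payload that refuses any DOCTYPE or entity declaration at the parser level, so the stored entry can never contain resolved external content for getEntry to return. This is an added example, not the vendor's code; it assumes the payload is the bare `<localEntry key="...">` element shown above (the surrounding SOAP envelope is elided) and the sample payloads are constructed from that shape.

```python
"""Hardened parser for addLocalEntry-style payloads (added example, not vendor code)."""
import xml.parsers.expat


class UnsafeXmlError(ValueError):
    """Raised when the payload carries a DOCTYPE or an entity declaration."""


def _refuse_doctype(doctype_name, system_id, public_id, has_internal_subset):
    raise UnsafeXmlError(f"DOCTYPE not allowed in local entry: {doctype_name!r}")


def _refuse_entity(name, is_parameter, value, base, system_id, public_id, notation):
    raise UnsafeXmlError(f"entity declaration not allowed: {name!r}")


def parse_local_entry(payload: str) -> dict:
    """Parse a <localEntry> payload; return accepted flag, key, text and reject reason."""
    parser = xml.parsers.expat.ParserCreate()
    state = {"key": None, "text": []}
    parser.StartDoctypeDeclHandler = _refuse_doctype   # no DTD at all
    parser.EntityDeclHandler = _refuse_entity          # no internal/external entities
    parser.ExternalEntityRefHandler = lambda *args: 0  # never fetch a SYSTEM reference

    def start(name, attrs):
        if name == "localEntry":
            state["key"] = attrs.get("key")

    parser.StartElementHandler = start
    parser.CharacterDataHandler = state["text"].append
    try:
        parser.Parse(payload, True)
    except UnsafeXmlError as exc:
        return {"accepted": False, "key": None, "text": "", "reason": str(exc)}
    except xml.parsers.expat.ExpatError as exc:
        return {"accepted": False, "key": None, "text": "", "reason": f"malformed XML: {exc}"}
    return {"accepted": True, "key": state["key"],
            "text": "".join(state["text"]).strip(), "reason": ""}


# Constructed samples: a benign entry, the advisory's payload shape (DOCTYPE inside
# the element, which is not well-formed), and the same DOCTYPE placed before the root.
BENIGN = '<localEntry key="cfg"><data>hello</data></localEntry>'
XXE_INLINE = ('<localEntry key="poc">\n<!DOCTYPE foo [<!ENTITY xxe SYSTEM '
              '"file:///etc/passwd">]>\n<data>&xxe;</data>\n</localEntry>')
XXE_PROLOG = ('<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
              '<localEntry key="poc"><data>&xxe;</data></localEntry>')

if __name__ == "__main__":
    for sample in (BENIGN, XXE_INLINE, XXE_PROLOG):
        print(parse_local_entry(sample))
```

Rejecting the declaration (rather than only disabling resolution) also gives the service a clear event to log, which is the signal a detection rule for this endpoint should key on.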
This vulnerability was responsibly disclosed and has been patched by the vendor.