CVE-2025-24404 in HertzBeat

Summary

by MITRE • 09/09/2025

XML Injection RCE by parse http sitemap xml response vulnerability in Apache HertzBeat.
The attacker needs to have an authenticated account with access and must add a monitor whose response is parsed as XML; specially crafted returned content can then trigger the XML parsing vulnerability.

This issue affects Apache HertzBeat (incubating): before 1.7.0.

Users are recommended to upgrade to version 1.7.0, which fixes the issue.


Analysis

by VulDB Data Team • 09/11/2025

The vulnerability CVE-2025-24404 represents a critical XML injection and remote code execution flaw within Apache HertzBeat, an open-source monitoring solution designed to collect and analyze system metrics. This vulnerability specifically targets the application's handling of sitemap XML responses during the monitoring process, creating a pathway for authenticated attackers to execute arbitrary code on the affected system. The flaw exists in versions prior to 1.7.0, making all earlier releases susceptible to exploitation. The vulnerability's impact is particularly concerning given that it requires only authenticated access to the system, meaning that an attacker with valid credentials can leverage this weakness to gain full control over the monitoring infrastructure.

The technical mechanism behind this vulnerability involves the improper parsing of XML content within the sitemap response handling functionality of Apache HertzBeat. When a monitored system returns a specially crafted XML response containing malicious content, the application's XML parser fails to properly validate or sanitize the input before processing it. This XML injection occurs during the parsing of HTTP sitemap responses, where the application attempts to parse XML data to extract monitoring information. The flaw allows attackers to inject malicious XML entities or payload content that gets executed within the context of the monitoring application, potentially enabling full system compromise. This type of vulnerability is classified under CWE-94, which specifically addresses "Improper Control of Generation of Code ('Code Injection')" and falls under the broader category of XML external entity injection attacks that have been prevalent in web applications.

The operational impact of this vulnerability extends beyond simple code execution, as it can lead to complete system compromise and data exfiltration. An attacker with authenticated access can manipulate monitoring targets to return malicious XML responses, which then get processed by the vulnerable HertzBeat application. This creates a persistent threat vector where the attacker can maintain access even after initial exploitation, potentially using the monitoring infrastructure as a pivot point to target other systems within the network. The attack surface is particularly wide given that HertzBeat is designed to monitor various network components, making the exploitation potentially devastating for organizations relying on this monitoring solution for critical infrastructure management.

Organizations using Apache HertzBeat versions prior to 1.7.0 should immediately implement the recommended mitigation by upgrading to version 1.7.0, which includes proper input validation and sanitization mechanisms for XML content processing. Additionally, security teams should implement network segmentation to limit access to monitoring systems and establish strict access controls for authentication credentials. The vulnerability aligns with ATT&CK technique T1059.007, which covers "Command and Scripting Interpreter: Windows Command Shell," as the RCE capability could enable attackers to execute shell commands on the compromised system. Organizations should also consider implementing web application firewalls and monitoring for unusual XML parsing activities within their monitoring infrastructure, as these patterns may indicate exploitation attempts. Regular security assessments of monitoring tools and their configurations should be conducted to identify and remediate similar vulnerabilities before they can be exploited by malicious actors.
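The parser-hardening described above, as an added illustration that is not HertzBeat's own code or its actual fix: a hypothetical sitemap reader that builds a DocumentBuilderFactory with DTDs, external entities, XInclude and entity expansion switched off, then parses two constructed responses from a monitored target and shows that the hardened parser rejects a DOCTYPE which the default parser silently accepts and expands.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.xml.sax.SAXParseException;

public class SitemapParserHardening {

    // Hardened factory: no DTDs, no external entities, no XInclude, no entity expansion,
    // and no network access for DTD/schema resolution.
    static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f;
    }

    // Hypothetical stand-in for a monitor's sitemap collector: extract <loc> entries
    // from the HTTP response body of a monitored target.
    static List<String> sitemapLocations(DocumentBuilderFactory f, String body) throws Exception {
        DocumentBuilder b = f.newDocumentBuilder();
        Document doc = b.parse(new ByteArrayInputStream(body.getBytes(StandardCharsets.UTF_8)));
        NodeList locs = doc.getElementsByTagName("loc");
        List<String> out = new ArrayList<>();
        for (int i = 0; i < locs.getLength(); i++) out.add(locs.item(i).getTextContent().trim());
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample responses; not captured from any real target.
        String benign = "<?xml version=\"1.0\"?><urlset><url><loc>https://example.com/</loc></url></urlset>";
        String withDoctype = "<?xml version=\"1.0\"?><!DOCTYPE urlset [<!ENTITY e \"x\">]>"
                + "<urlset><url><loc>&e;</loc></url></urlset>";
        DocumentBuilderFactory hardened = hardenedFactory();
        System.out.println("hardened, benign sitemap: " + sitemapLocations(hardened, benign));
        try {
            sitemapLocations(hardened, withDoctype);
        } catch (SAXParseException e) {
            System.out.println("hardened, DOCTYPE rejected: " + e.getMessage());
        }
        // Default factory accepts the DOCTYPE and expands the entity: the behaviour to avoid
        // when the XML comes from an untrusted monitored host.
        System.out.println("default, DOCTYPE accepted: "
                + sitemapLocations(DocumentBuilderFactory.newInstance(), withDoctype));
    }
}
```

A response that fails the hardened parse should be logged with the monitor id and source host, since a DOCTYPE in a sitemap from a monitored target is itself a detection signal worth alerting on.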

Disclosure: 09/09/2025

Moderation: accepted

CPE: ready

EPSS: 0.00102

KEV: no

Activities: very low
