CVE-2018-18471
Description
/api/2.0/rest/aggregator/xml in Axentra firmware, used by NETGEAR Stora, Seagate GoFlex Home, and MEDION LifeCloud, has an XXE vulnerability that can be chained with an SSRF bug to gain remote command execution as root. It can be triggered by anyone who knows the IP address of the affected device.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An XXE vulnerability in Axentra /api/2.0/rest/aggregator/xml, chained with SSRF, allows unauthenticated remote attackers to execute arbitrary commands as root on several branded NAS devices.
Vulnerability
The /api/2.0/rest/aggregator/xml endpoint in Axentra firmware, shipped on NETGEAR Stora, Seagate GoFlex Home, and MEDION LifeCloud NAS devices, contains an XML External Entity (XXE) vulnerability [1]. The handler does not disable external entity processing, allowing an attacker to embed malicious XML entities in the request body. Affected firmware versions were distributed with the hardware at the time of publication; no specific version numbers are disclosed in the references, but the flaw exists in the stock firmware [1].
Exploitation
An attacker who knows the device's IP address can send a crafted HTTP POST request to /api/2.0/rest/aggregator/xml containing an XML payload with an external entity that references a local resource or an attacker-controlled URL [1]. The XXE can be chained with a Server-Side Request Forgery (SSRF) vulnerability in the same endpoint [1]. No authentication, user interaction, or special network access beyond network reachability is required [1].
Impact
Successful exploitation allows the attacker to execute arbitrary operating system commands as root [1]. This gives full control over the device, enabling data exfiltration, malware installation, and further lateral movement within the network. The device becomes fully compromised with no restriction on actions [1].
Mitigation
No official patch is mentioned in the available references [1]. Affected users are advised to replace the device, restrict network access via firewalls, and disable the vulnerable endpoint if possible. As of the publication date, no fix has been released, and the devices may be end-of-life [1].
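The Vulnerability section above attributes the flaw to an XML handler that leaves external entity processing enabled, and the Mitigation section notes that the endpoint itself cannot be fixed without vendor firmware. The following added example, which is not code from Axentra or from the cited references, shows what a hardened request parser for an endpoint like /api/2.0/rest/aggregator/xml looks like: it uses Python's standard expat bindings, refuses any DOCTYPE or entity declaration before a single entity can be resolved, and returns 0 from the external-entity callback so that no file or URL fetch ever occurs. The function names, the sample request bodies and the placeholder `file:///placeholder/local-resource` URI are constructed for this illustration.

```python
import xml.parsers.expat as expat


class UnsafeXmlError(ValueError):
    """Raised when client-supplied XML tries to declare a DOCTYPE or an entity."""


def parse_untrusted_xml(data: bytes) -> list:
    """Parse XML from an unauthenticated client into a flat list of (tag, text)
    tuples, in element-close order. Any DOCTYPE or entity declaration aborts
    the parse, which is the setting the vulnerable handler lacked."""
    parser = expat.ParserCreate()
    # Never process parameter entities, so an external DTD subset is not fetched.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    elements = []          # completed (tag, text) pairs
    stack = []             # open elements: [tag, [text fragments]]

    def start_doctype(name, sysid, pubid, has_internal_subset):
        # API request bodies have no business carrying a DTD at all.
        raise UnsafeXmlError(f"DOCTYPE {name!r} is not allowed in API requests")

    def entity_decl(name, is_param, value, base, system_id, public_id, notation):
        raise UnsafeXmlError(f"entity declaration {name!r} is not allowed")

    def external_entity_ref(context, base, system_id, public_id):
        # Returning 0 tells expat the reference could not be handled; the parse
        # fails instead of reading a local resource or contacting a remote host.
        return 0

    def start_element(tag, attrs):
        stack.append([tag, []])

    def char_data(text):
        if stack:
            stack[-1][1].append(text)

    def end_element(tag):
        opened_tag, fragments = stack.pop()
        elements.append((opened_tag, "".join(fragments).strip()))

    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_entity_ref
    parser.StartElementHandler = start_element
    parser.CharacterDataHandler = char_data
    parser.EndElementHandler = end_element

    parser.Parse(data, True)   # exceptions raised inside handlers propagate here
    return elements


def classify_request(data: bytes) -> str:
    """Return 'accepted' or 'rejected: <reason>' for a request body, so the
    decision can be logged by the endpoint without leaking parser internals."""
    try:
        parse_untrusted_xml(data)
    except UnsafeXmlError as exc:
        return f"rejected: {exc}"
    except expat.ExpatError as exc:
        return f"rejected: malformed XML ({exc})"
    return "accepted"


# Constructed sample bodies: a benign aggregator-style request and one that
# declares an external entity pointing at a placeholder local resource.
BENIGN_REQUEST = b"<request><cmd>list</cmd></request>"
ENTITY_REQUEST = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE r [<!ENTITY ext SYSTEM "file:///placeholder/local-resource">]>'
    b"<r>&ext;</r>"
)

if __name__ == "__main__":
    print(parse_untrusted_xml(BENIGN_REQUEST))
    print(classify_request(ENTITY_REQUEST))
```

The DOCTYPE handler fires before any entity in the internal subset is declared, so the rejection happens at the first byte of the DTD rather than after an entity has already been resolved; the `ExternalEntityRefHandler` returning 0 is a second line of defence in case a DOCTYPE were ever allowed through.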
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Axentra/firmware
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- www.axentra.com/en/ (MISC)
- www.wizcase.com/blog/hack-2018/ (MISC)
News mentions
No linked articles in our index yet.