CVE-2025-21095
Description
Path traversal may lead to arbitrary file download. The score without least privilege principle violation is as calculated below. In combination with other issues it may facilitate further compromise of the device. Remediation in Version 6.8.0, release date: 01-Mar-25.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Path traversal in the Keysight Ixia Vision Network Packet Broker lets an authenticated administrator download arbitrary files from the device; the practical risk is higher wherever the administrator role is handed out more widely than least privilege allows. Patched in v6.8.0.
CVE-2025-21095 is a path traversal vulnerability (CWE-22, improper limitation of a pathname to a restricted directory) in the Keysight Ixia Vision Network Packet Broker product family. A file-download function does not confine the requested path to its intended directory, so a crafted path (typically one carrying "../" segments) makes the device return files from elsewhere on its filesystem. The same CISA advisory tracks other issues in the product family under separate identifiers (including CVE-2025-24494); this entry covers only the file-download traversal, and the vendor's description for it is the one quoted above.
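The bug class described above, as an added illustration that is not Keysight code: a naive download handler that joins a request parameter onto its download directory, beside a hardened version that canonicalises the result and refuses anything that lands outside the directory. The directory layout, file names and request strings are constructed for the demo and say nothing about the real endpoint.

```python
"""Path traversal to arbitrary file download: vulnerable handler vs. hardened one.

Added example only. Not the Ixia Vision code; the download root, the file
names and the request strings below are all constructed for the demo.
"""
import os
import tempfile
import urllib.parse


class TraversalError(ValueError):
    """Raised when a requested name would resolve outside the download root."""


def resolve_vulnerable(download_root: str, requested: str) -> str:
    """Naive handler: decode the parameter and join it onto the root.

    "../" segments, or an absolute path, walk out of download_root. This is
    the weakness class (CWE-22) behind "arbitrary file download".
    """
    return os.path.join(download_root, urllib.parse.unquote(requested))


def resolve_hardened(download_root: str, requested: str) -> str:
    """Decode, canonicalise (collapse '..', follow symlinks), then require the
    result to stay under the canonical root. Also rejects NUL bytes, which
    some native stacks treat as a string terminator."""
    decoded = urllib.parse.unquote(requested)
    if "\x00" in decoded:
        raise TraversalError("NUL byte in requested name")
    root = os.path.realpath(download_root)
    # os.path.join drops root entirely when decoded is absolute, so the
    # realpath + commonpath comparison below is the check that matters.
    candidate = os.path.realpath(os.path.join(root, decoded))
    if os.path.commonpath([root, candidate]) != root:
        raise TraversalError(f"{requested!r} resolves outside {root}")
    return candidate


def escapes_root(download_root: str, path: str) -> bool:
    """True if the canonical form of path lies outside the canonical root."""
    root = os.path.realpath(download_root)
    return os.path.commonpath([root, os.path.realpath(path)]) != root


def run_demo() -> dict:
    """Build a throwaway tree (constructed sample data) and compare both
    resolvers on benign and traversal inputs.

    Returns {request: (vulnerable_handler_escapes_root, hardened_result)},
    where hardened_result is the root-relative path or "rejected".
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "downloads")
        os.makedirs(os.path.join(root, "reports"))
        with open(os.path.join(root, "reports", "daily.csv"), "w") as fh:
            fh.write("constructed sample export\n")
        with open(os.path.join(tmp, "secret.key"), "w") as fh:
            fh.write("constructed secret that lives outside the download root\n")

        requests = [
            "reports/daily.csv",                    # benign
            "reports/../reports/daily.csv",         # benign after normalisation
            "../secret.key",                        # classic traversal
            "reports/%2e%2e/%2e%2e/secret.key",     # URL-encoded traversal
            "/etc/hostname",                        # absolute path, join ignores root
        ]
        results = {}
        for req in requests:
            vulnerable_escapes = escapes_root(root, resolve_vulnerable(root, req))
            try:
                hardened = os.path.relpath(resolve_hardened(root, req), root)
                hardened = hardened.replace(os.sep, "/")
            except TraversalError:
                hardened = "rejected"
            results[req] = (vulnerable_escapes, hardened)
        return results


if __name__ == "__main__":
    for request, (escapes, outcome) in run_demo().items():
        print(f"{request:40s} vulnerable escapes root: {escapes!s:5s} hardened: {outcome}")
```

The check is done on the canonical path rather than on the raw string: rejecting the literal substring ".." misses encoded and normalised forms, while comparing `realpath` output against the root catches all of them, including absolute paths that `os.path.join` would otherwise silently accept.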
Exploitation requires an administrator account on the device; a regular user cannot trigger it. The attacker needs an authenticated high-privilege session and the ability to submit the crafted path to the affected download function. The CVSS v3.1 vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N scores 4.9 (Medium): network-reachable, low attack complexity, no user interaction, High confidentiality impact and no integrity or availability impact. The PR:H metric is what keeps that score moderate. The description's remark that the score is calculated "without least privilege principle violation" means exactly this: the 4.9 assumes the administrator role really is confined to trusted operators, and if it is granted more widely the practical risk is higher than the base score suggests.
The impact is arbitrary file read from the device as an administrator, which can expose configuration data, cryptographic keys or stored credentials. Combined with other weaknesses, such as an administrator role assigned more widely than least privilege allows, the traversal can facilitate broader compromise of the packet broker [1].
Keysight fixed the issue in version 6.8.0, released 1 March 2025; upgrade to that version or later. The CISA advisory (ICSA-25-063-02) lists Vision version 6.3.1 as affected and offers no workaround, so the patch is the only vendor mitigation. Until it is applied, keep the management interface off untrusted networks and keep the administrator role to the minimum set of accounts, since exploitation needs an admin session. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of this writing [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] CISA ICS Advisory ICSA-25-063-02.
News mentions
No linked articles in our index yet.