TRUMPF: Multiple products affected by log4net vulnerability

VDE-2024-004

Last update

22.05.2025 15:03

Published at

22.04.2025 12:00

Vendor(s)

Trumpf SE + Co. KG

External ID

VDE-2024-004

CSAF Document

Download

Summary

The versions of TRUMPF products stated below are including a version of log4net that's prone to XXE
(External XML Entities) attacks under certain circumstances. This means, the log4net code can be tricked
into loading externally hosted, potentially malicious XML code and possibly executing it. This vulnerability allows for the execution of remote XML code, possibly resulting in unauthorized (remote) access to, change of data or disruption of the whole system running the vulnerable application.

Impact

This vulnerability allows for the execution of remote XML code or interpretation of XML config files, possibly resulting in unauthorized (remote) access to, change of data or disruption of the whole system running the vulnerable application.

Affected Product(s)

Model no.	Product name	Affected versions
	Oseon (Storage) <=3.0.24	Oseon (Storage) <=3.0.24
	TruTops Boost <=16.0.24	TruTops Boost <=16.0.24
	TruTops Cell <2.54.24	TruTops Cell <2.54.24
	TruTops Classic <=12.1	TruTops Classic <=12.1
	TruTops Fab (Storage) <=22.7	TruTops Fab (Storage) <=22.7
	TruTops Mark <=6.2	TruTops Mark <=6.2

Vulnerabilities

Expand / Collapse all

Published

22.09.2025 14:57

Severity

9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Weakness

Improper Restriction of XML External Entity Reference (CWE-611)

References

cve.org | nvd.nist.gov

Remediation

New versions are available for the affected products. Install new versions as provided by TRUMPF SE + Co. KG. To aquire these versions please contact your TRUMPF Service with the PR number 500879.

Revision History

Version	Date	Summary
1.0.0	22.04.2025 12:00	Initial version
1.0.1	22.05.2025 15:03	Fix: added distribution, quotation mark