SOCET GXP Vulnerabilities Disclosure
The following vulnerabilities have been fixed in the below releases of SOCET GXP® software from BAE Systems, Inc.
- CVE-2025-54967
- SOCET GXP does not prevent XML External Entities (XXE) in certain XML files. An attacker who can trick a SOCET GXP user into opening a specially crafted, malicious XML file (e.g., a saved workspace) may be able to cause SOCET GXP to make HTTP or other network requests on the user’s behalf without the user’s awareness, potentially leaking sensitive information in the process.
- Users are encouraged to update to SOCET GXP v4.6.0.3. No other technical mitigations are currently available. Exploitation of this vulnerability relies on a user opening a specially crafted, malicious XML file. As always, users should only open files from trusted sources.
- SOCET GXP v4.6.0.2 and earlier.
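A pre-open screen for the XXE case in CVE-2025-54967, as an added example that is not BAE Systems code: it lists external DTD and entity declarations in an XML file without resolving them. The function name and the sample documents are constructed for illustration; the real workspace schema is not assumed.

```python
import xml.parsers.expat

def screen_xml(data: bytes) -> list[str]:
    """List external DTD/entity declarations in an XML document.

    expat only reports declarations here: no ExternalEntityRefHandler is set,
    so no URL or file named in the document is fetched during screening.
    """
    findings: list[str] = []
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        if system_id or public_id:
            findings.append(f"external DTD subset -> {system_id or public_id}")

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        if system_id or public_id:
            kind = "parameter entity" if is_param else "entity"
            findings.append(f"external {kind} '{name}' -> {system_id or public_id}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        # A file that does not parse cleanly is reported rather than trusted.
        findings.append(f"not well-formed: {exc}")
    return findings

# Constructed samples; real SOCET GXP workspace files use their own schema.
CLEAN = b'<?xml version="1.0"?>\n<workspace><layer name="a"/></workspace>\n'
SUSPECT = (b'<?xml version="1.0"?>\n<!DOCTYPE workspace [\n'
           b'  <!ENTITY probe SYSTEM "http://example.invalid/x">\n]>\n'
           b'<workspace>&probe;</workspace>\n')
EXTERNAL_DTD = b'<!DOCTYPE workspace SYSTEM "http://example.invalid/w.dtd">\n<workspace/>\n'

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            hits = screen_xml(fh.read())
        print(path, "OK" if not hits else hits)
```

An empty result only means no external declaration was found; it does not replace updating to the fixed release.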
- CVE-2025-54965
- The SOCET GXP Job Status Service does not properly sanitize the job ID parameter before using it in the job status page. An attacker who can social engineer a user into clicking a malicious link may be able to execute arbitrary JavaScript™ in the victim's browser.
- Users are encouraged to update to SOCET GXP v4.6.0.3, which removes the HTTP-based job status service web page entirely, or v4.6.0.2, which disables the HTTP-based job status service by default. If upgrading is not possible, we encourage users to disable the Job Status Service HTTP endpoint manually by changing `<HTTP_SERVER enabled="true">` to `<HTTP_SERVER enabled="false">` in `<SOCET GXP Installation Directory>/Config/GXPJobService/js-config.xml`, then restart SOCET GXP. Leave that setting in place until SOCET GXP can be updated. Exploitation of this vulnerability relies on successful social engineering; proper caution when clicking links from untrusted sources will reduce the probability of this vulnerability being exploited.
- SOCET GXP v4.6.0.1 and earlier.
- CVE-2025-54964
- The SOCET GXP Job Service defaults to permitting connections from all IP addresses. If the job service is not reconfigured at install-time, and if it is permitted through the local Windows® Firewall (or if the firewall is disabled), this may allow a remote attacker with the ability to send network traffic to the SOCET GXP Job Service to execute arbitrary commands with the privileges of the SOCET GXP Job Service. In Basic mode, the SOCET GXP Job Service runs only when SOCET GXP is running, with the permissions of the user that launched SOCET GXP.
- Users are encouraged to update to SOCET GXP v4.6.0.2, which disables network access for the GXP Job Service by default. Users who are unable to immediately update can restrict network access to the GXP Job Service by removing allowed IPs from the Job Service configuration window or by blocking access to the job service ports in the Windows firewall. Please contact your Customer Technical Support representative if you need assistance implementing these changes.
- SOCET GXP v4.6.0.1 and earlier.
- CVE-2025-54963
- The SOCET GXP Job Service permits users to specify the location of the log file for a job and does not sanitize that input. An attacker may submit a job with a log file location of a sensitive file and use the log monitoring feature to read that file’s contents. Access to the log file is limited by the permissions of the user that the Job Service is running as. In Basic mode, the SOCET GXP job service runs with the permissions of the currently logged-on user.
- Users are encouraged to update to SOCET GXP v4.6.0.2, which disables network access for the GXP Job Service by default. Users who are unable to immediately update can restrict network access to the GXP Job Service by removing allowed IPs from the Job Service configuration window and by blocking access to the job service ports in the Windows firewall. Please contact your Customer Technical Support representative if you need assistance implementing these changes.
- SOCET GXP v4.6.0.1 and earlier.
- CVE-2025-54968
- The Job Service does not require authentication prior to accepting and processing jobs. If the service running in Basic mode is improperly configured to accept non-local traffic, an unauthenticated attacker with the ability to interact with the GXP Job Service port may be able to submit jobs to the Job Service for processing.
- Users are encouraged to update to SOCET GXP v4.6.0.2, which disables network access for the GXP Job Service by default. Users who are unable to immediately update can restrict network access to the GXP Job Service by removing allowed IPs from the Job Service configuration window and by blocking access to the job service ports in the Windows firewall. Please contact your Customer Technical Support representative if you need assistance implementing these changes.
- SOCET GXP v4.6.0.1 and earlier.
- CVE-2025-54970
- The GXP Job Status Service does not require authentication prior to providing job status or performing other actions supported by the API.
- Users are encouraged to update to SOCET GXP v4.6.0.2, which disables network access for the GXP Job Service by default. Users who are unable to immediately update can restrict network access to the GXP Job Service by removing allowed IPs from the Job Service configuration window or by blocking access to the job service ports in the Windows firewall. Please contact your Customer Technical Support representative if you need assistance implementing these changes.
- SOCET GXP v4.6.0.1 and earlier.
- CVE-2025-54969
- The GXP Job Status Service does not implement any form of session mechanism, nor any user-only secrets. As such, an attacker has all the information required to social engineer a user into submitting a valid request to the server. If the social engineering is successful, the request will originate from localhost, bypassing network restrictions. Furthermore, some of the API endpoints that are vulnerable to CSRF change the state of the server, allowing a successful attacker to purge job information, abort jobs, or even restart the Job Status Service.
- Users are encouraged to update to SOCET GXP v4.6.0.2, which disables network accessibility for this service, or 4.6.0.3, which removes this service completely. There is no immediate technical mitigation for this vulnerability for users who are unable to update. Standard user best practices for validating links prior to clicking them apply, but that does not constitute a reliable mitigation.
- SOCET GXP v4.6.0.1 and earlier.
- CVE-2025-54966
- The GXP Job Status Service, if configured to accept non-local traffic, may allow an attacker to leak potentially sensitive information from the system. This includes configuration information, log files, and service version information. An adversary may use this information to inform other attacks.
- Users are encouraged to update to SOCET GXP v4.6.0.2, which disables network accessibility for this service, or 4.6.0.3, which removes this service completely. If upgrading is not possible, we encourage users to disable the Job Status Service HTTP endpoint manually by changing `<HTTP_SERVER enabled="true">` to `<HTTP_SERVER enabled="false">` in `<SOCET GXP Installation Directory>/Config/GXPJobService/js-config.xml`, then restart SOCET GXP. Leave that setting in place until SOCET GXP can be updated. In Basic mode, this configuration will limit requests to only the currently logged-on user. Since the job status service runs with the permission of the logged-on user, any information that may be disclosed via this service is already information the user can read directly using easier tools, such as Notepad.
- SOCET GXP v4.6.0.1 and earlier.
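The manual `js-config.xml` change described for CVE-2025-54965 and CVE-2025-54966 can be checked and applied across several workstations with a script such as this added example, which is not BAE Systems code. It assumes the file is UTF-8; everything in the sample other than the `HTTP_SERVER` tag is a constructed placeholder, and the function names are hypothetical.

```python
import re
import shutil
from pathlib import Path

# Opening HTTP_SERVER tag: prefix up to "enabled=", the quote used, the value.
_TAG = re.compile(r'(<HTTP_SERVER\b[^>]*?\benabled\s*=\s*)(["\'])(.*?)\2')

def http_server_state(text: str) -> str:
    """Return 'enabled', 'disabled' or 'missing' for the HTTP_SERVER setting."""
    values = [m.group(3).strip().lower() for m in _TAG.finditer(text)]
    if not values:
        return "missing"
    # Anything other than an explicit "false" is treated as still enabled.
    return "disabled" if all(v == "false" for v in values) else "enabled"

def disable_http_server(text: str) -> str:
    """Set enabled to "false" on every HTTP_SERVER tag; all other text is untouched."""
    return _TAG.sub(lambda m: f"{m.group(1)}{m.group(2)}false{m.group(2)}", text)

def harden(config: Path) -> bool:
    """Apply the change in place and keep a .bak copy. True if the file changed."""
    text = config.read_bytes().decode("utf-8")  # assumption: UTF-8 config file
    fixed = disable_http_server(text)
    if fixed == text:
        return False
    shutil.copy2(config, config.with_name(config.name + ".bak"))
    config.write_bytes(fixed.encode("utf-8"))  # bytes I/O keeps CRLF line endings
    return True

# Constructed sample: only the HTTP_SERVER tag comes from the advisory.
SAMPLE = ('<?xml version="1.0"?>\r\n<PLACEHOLDER_ROOT>\r\n'
          '  <HTTP_SERVER enabled="true">\r\n  </HTTP_SERVER>\r\n'
          '</PLACEHOLDER_ROOT>\r\n')

if __name__ == "__main__":
    import sys
    for arg in sys.argv[1:]:  # pass the path(s) to js-config.xml
        path = Path(arg)
        changed = harden(path)
        state = http_server_state(path.read_text(encoding="utf-8"))
        print(f"{path}: {'modified, ' if changed else ''}{state}")
```

As the advisory states, SOCET GXP must be restarted for the changed setting to take effect.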