Full Report
## 1. EXECUTIVE SUMMARY

- CVSS v4 8.6
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Keysight
- Equipment: Ixia Vision Product Family
- Vulnerabilities: Path Traversal, Improper Restriction of XML External Entity Reference

## 2. RISK EVALUATION

Successful exploitation of these vulnerabilities could crash the device being accessed; a buffer overflow condition may allow remote code execution.

## 3. TECHNICAL DETAILS

### 3.1 AFFECTED PRODUCTS

Keysight reports the following versions of Vision Network Packet Broker product family are affected:

- Ixia Vision Product Family: Versions 6.3.1

### 3.2 VULNERABILITY OVERVIEW

#### 3.2.1 Improper Limitation of a Pathname to a Restricted Directory CWE-22

Path traversal may allow remote code execution using privileged account (requires device admin account, cannot be performed by a regular user). In combination with the 'Upload' functionality this could be used to execute an arbitrary script or possibly an uploaded binary. Remediation in Version 6.7.0, release date: 20-Oct-24.

CVE-2025-24494 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.2 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-24494. A base score of 8.6 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

#### 3.2.2 Improper Restriction of XML External Entity Reference CWE-611

External XML entity injection allows arbitrary download of files. The score without least privilege principle violation is as calculated below. In combination with other issues it may facilitate further compromise of the device. Remediation in Version 6.8.0, release date: 01-Mar-25.

CVE-2025-24521 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.9 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-24521. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

#### 3.2.3 Improper Limitation of a Pathname to a Restricted Directory CWE-22

Path traversal may lead to arbitrary file download. The score without least privilege principle violation is as calculated below. In combination with other issues it may facilitate further compromise of the device. Remediation in Version 6.8.0, release date: 01-Mar-25.

CVE-2025-21095 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.9 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-21095. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

#### 3.2.4 Improper Limitation of a Pathname to a Restricted Directory CWE-22

Path traversal may lead to arbitrary file deletion. The score without least privilege principle violation is as calculated below. In combination with other issues it may facilitate further compromise of the device. Remediation in Version 6.8.0, release date: 01-Mar-25.

CVE-2025-23416 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.9 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N).

A CVSS v4 score has also been calculated for CVE-2025-23416. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N).

### 3.3 BACKGROUND

- CRITICAL INFRASTRUCTURE SECTORS: Information Technology
- COUNTRIES/AREAS DEPLOYED: Worldwide
- COMPANY HEADQUARTERS LOCATION: United States

### 3.4 RESEARCHER

NATO Cyber Security Centre (NCSC) reported these vulnerabilities to Keysight.

## 4. MITIGATIONS

Keysight recommends that all users upgrade to the latest version of software as soon as possible.
Older versions of this software may have this vulnerability; Keysight recommends that users discontinue the use of older software versions.

For more information about the Ixia Vision Product Family, please visit Ixia product support. Further questions can be answered by contacting Keysight.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

- Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
- Locate control system networks and remote devices behind firewalls and isolate them from business networks.
- When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

- Do not click web links or open attachments in unsolicited email messages.
- Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
- Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

## 5. UPDATE HISTORY

- March 4, 2025: Initial Publication
Analysis Summary
# Vulnerability: Multiple Vulnerabilities in Keysight Ixia Vision Product Family (Path Traversal, XXE)
## CVE Details
- CVE ID: CVE-2025-24494, CVE-2025-24521, CVE-2025-21095, CVE-2025-23416
- CVSS Score: 8.6 (High), the CVSS v4 base score for CVE-2025-24494 (7.2 under CVSS v3.1). The other three CVEs each score 6.9 under CVSS v4 and 4.9 under CVSS v3.1.
- CWE: CWE-22 (Path Traversal), CWE-611 (Improper Restriction of XML External Entity Reference)
## Affected Systems
- Products: Keysight Ixia Vision Product Family (Vision Network Packet Broker product family)
- Versions: Version 6.3.1
- Configurations: Requires a device admin account for exploitation of CVE-2025-24494 related RCE.
## Vulnerability Description
The advisory details four related vulnerabilities impacting the Ixia Vision Product Family:
1. **CVE-2025-24494 (Path Traversal leading to RCE):** Path traversal, when combined with the 'Upload' functionality and requiring a privileged admin account, could allow an attacker to execute an arbitrary script or binary. (CVSS v4: 8.6)
2. **CVE-2025-24521 (XXE):** External XML entity injection allows an arbitrary file download.
3. **CVE-2025-21095 (Path Traversal):** Path traversal may lead to an arbitrary file download.
4. **CVE-2025-23416 (Path Traversal):** Path traversal may lead to arbitrary file deletion.
Overall, successful exploitation could crash the device, and a buffer overflow condition might allow Remote Code Execution (RCE).
## Exploitation
- Status: No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.
- Complexity: Low (AC:L in all four vectors). All four vectors also require high privileges (PR:H); for CVE-2025-24494 the advisory specifies a device admin account.
- Attack Vector: Network (AV:N)
## Impact
- Confidentiality: High (VC:H provided in multiple vectors, potentially allowing file read via Path Traversal/XXE)
- Integrity: High (VI:H provided for CVE-2025-24494, related to RCE/script execution, and for CVE-2025-23416, related to file deletion)
- Availability: High (Potential for device crash/device access disruption)
## Remediation
### Patches
- **CVE-2025-24494:** Remediation available in **Version 6.7.0** (Release Date: 2024-Oct-20).
- **CVE-2025-24521, CVE-2025-21095, CVE-2025-23416:** Remediation available in **Version 6.8.0** (Release Date: 2025-Mar-01).
*Vendor strongly recommends upgrading to the latest version of software as soon as possible.*
### Workarounds
- Discontinue the use of older software versions (prior to the patched versions).
- Implement network segmentation: Isolate system networks and remote devices behind firewalls and isolate them from business networks.
- Use secure methods like updated VPNs for required remote access.
## Detection
- Detection methods are not explicitly detailed in the summary, but general defensive measures are recommended: monitor for unusual network traffic or file access attempts that might indicate path traversal or unauthorized upload activity.
## References
- Vendor Advisory: keysight.com/support-overview/product-support/downloads-updates
- Keysight Product Support: support.ixiacom.com
- Contact Keysight: keysight.com/us/en/contact.html
- CISA ICS Webpage: cisa.gov/ics
- CISA Document: us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf
- CISA Document: cisa.gov/sites/default/files/publications/Cybersecurity_Best_Practices_for_Industrial_Control_Systems.pdf
- CISA TIP: cisa.gov/uscert/ics/tips/ICS-TIP-12-146-01B