
CVE-2025-54992: CWE-611: Improper Restriction of XML External Entity Reference in telstra open-kilda

Medium
Tags: Vulnerability, CVE-2025-54992, cve, cwe-611
Published: Mon Aug 11 2025 (08/11/2025, 21:34:48 UTC)
Source: CVE Database V5
Vendor/Project: telstra
Product: open-kilda

Description

OpenKilda is an open-source OpenFlow controller. Prior to version 1.164.0, an XML external entity (XXE) injection vulnerability was found in OpenKilda which in combination with GHSL-2025-024 allows unauthenticated attackers to exfiltrate information from the instance where the OpenKilda UI is running. This issue may lead to Information disclosure. This issue has been patched in version 1.164.0.

AI-Powered Analysis

AI analysis last updated: 08/11/2025, 22:02:48 UTC

Technical Analysis

CVE-2025-54992 is a medium-severity vulnerability identified in the open-source OpenFlow controller OpenKilda, developed by Telstra. The vulnerability is classified under CWE-611, which pertains to Improper Restriction of XML External Entity (XXE) Reference. Specifically, versions of OpenKilda prior to 1.164.0 are affected. The vulnerability allows unauthenticated attackers to exploit an XML external entity injection flaw in the OpenKilda UI component. When combined with another vulnerability referenced as GHSL-2025-024, this XXE flaw enables attackers to exfiltrate sensitive information from the system hosting the OpenKilda UI. The vulnerability does not require any authentication or user interaction, and it can be exploited remotely over the network. The CVSS 4.0 base score is 6.9, reflecting a medium severity level, with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), and no user interaction needed (UI:N). The impact is limited to confidentiality (VC:L), with no impact on integrity or availability. The vulnerability has been patched in OpenKilda version 1.164.0. No known exploits are currently reported in the wild. OpenKilda is an OpenFlow controller used in software-defined networking (SDN) environments to manage network flows dynamically, making it a critical component in network infrastructure management.

Potential Impact

For European organizations, the exploitation of CVE-2025-54992 could lead to unauthorized disclosure of sensitive network configuration data or other confidential information managed by the OpenKilda controller. Since OpenKilda is used to orchestrate network flows in SDN environments, leakage of such information could facilitate further targeted attacks, including network reconnaissance, lateral movement, or disruption of network operations. Organizations relying on OpenKilda for critical infrastructure, telecom networks, or large-scale data centers may face increased risk of data breaches or espionage. The fact that the vulnerability requires no authentication and no user interaction increases the risk profile, as attackers can remotely exploit the flaw without insider access. Although the vulnerability does not directly affect integrity or availability, the confidentiality breach alone can have significant operational and compliance implications, especially under stringent European data protection regulations such as GDPR. The absence of known exploits in the wild suggests a window of opportunity for organizations to patch before active exploitation occurs.

Mitigation Recommendations

European organizations using OpenKilda should immediately upgrade to version 1.164.0 or later, where this vulnerability has been patched. In addition to patching, organizations should implement network segmentation to isolate the OpenKilda UI from untrusted networks, limiting exposure to potential attackers. Employing Web Application Firewalls (WAFs) with rules to detect and block XXE payloads can provide an additional layer of defense. Regularly auditing and monitoring logs for unusual XML parsing activity or unexpected outbound connections from the OpenKilda host can help detect exploitation attempts early. Organizations should also review and harden XML parser configurations to disable external entity processing where possible. Finally, incorporating vulnerability scanning and penetration testing focused on SDN controllers can help identify similar weaknesses proactively.
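The last two recommendations above (hardening the XML parser configuration and checking that external entity processing really is disabled) are easiest to verify with a small test harness. OpenKilda is a Java project, so the example below uses the standard JAXP `DocumentBuilderFactory` API. It is an added example written for this page, not code from OpenKilda or from the CVE record: the class and method names are mine, the two XML inputs are constructed, and the `http://placeholder.invalid/` entity URL is a deliberately unresolvable placeholder. It builds a permissive factory and a hardened one, feeds both a benign document and a document that carries a DOCTYPE with an external entity declaration, and reports which parser accepts what. The hardened factory rejects the DOCTYPE before any entity is declared, which is the behaviour a defender wants to see in every XML entry point.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import org.w3c.dom.Document;

// Added example (hypothetical class name): contrast a default JAXP parser
// with one hardened against CWE-611 (XXE), then exercise both.
public class HardenedXmlParser {

    // Default factory: DOCTYPE permitted and external entities resolved.
    // Kept only so the difference to the hardened factory is visible.
    static DocumentBuilderFactory permissiveFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    // Hardened factory following the widely published JAXP settings.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Primary control: refuse any DOCTYPE, so no DTD and no entity declarations at all.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that must tolerate a DOCTYPE elsewhere.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        // JAXP 1.5+ properties: empty string forbids every protocol for external DTD/schema access.
        // Non-JDK parser implementations may throw IllegalArgumentException here; treat that
        // as a signal that the parser needs its own equivalent setting, not as something to swallow.
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return dbf;
    }

    // Parse one document and describe the outcome instead of propagating the exception,
    // so both factories can be compared side by side.
    static String parseWith(DocumentBuilderFactory dbf, String xml) {
        try {
            DocumentBuilder db = dbf.newDocumentBuilder();
            Document doc = db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return "accepted, root element <" + doc.getDocumentElement().getTagName() + ">";
        } catch (Exception e) {
            return "rejected (" + e.getClass().getSimpleName() + "): " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a plain document and one carrying a DOCTYPE with an
        // external entity declaration pointing at an unresolvable placeholder host.
        String benign = "<flows><flow id=\"f1\"/></flows>";
        String withDoctype = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE flows [ <!ENTITY ext SYSTEM \"http://placeholder.invalid/x\"> ]>\n"
                + "<flows>&ext;</flows>";

        DocumentBuilderFactory permissive = permissiveFactory();
        DocumentBuilderFactory hardened = hardenedFactory();

        System.out.println("permissive / benign  : " + parseWith(permissive, benign));
        System.out.println("permissive / doctype : " + parseWith(permissive, withDoctype));
        System.out.println("hardened   / benign  : " + parseWith(hardened, benign));
        System.out.println("hardened   / doctype : " + parseWith(hardened, withDoctype));
    }
}
```

Run it with `javac HardenedXmlParser.java && java HardenedXmlParser`. The benign document is accepted by both factories; the DOCTYPE document is rejected by the hardened factory with a `SAXParseException` stating that DOCTYPE is disallowed, while the permissive factory attempts to resolve the entity (here it fails on the placeholder host, which in a real deployment would instead be an outbound connection from the controller host, the kind of event the log-monitoring recommendation above is meant to catch). A reasonable acceptance check for an OpenKilda deployment, or any Java service that accepts XML, is that every `DocumentBuilderFactory`, `SAXParserFactory` and `XMLInputFactory` in the code base is created through a helper like `hardenedFactory()` rather than through a bare `newInstance()`.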


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-08-04T17:34:24.420Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 689a6502ad5a09ad00294e98

Added to database: 8/11/2025, 9:47:46 PM

Last enriched: 8/11/2025, 10:02:48 PM

Last updated: 8/12/2025, 3:17:40 AM

Views: 5

