EktronCMS Saxon XSLT parser remote code execution - Vulnerability Database

Description

Ektron Content Management System versions 8.5, 8.7, and 9.0 contain a remote code execution vulnerability caused by improper XML parser configuration. While the default Microsoft XML parser is secure, attackers can force the application to use the Saxon XSLT parser instead. When Saxon processes a malicious XSLT document, it allows execution of arbitrary .NET code with the privileges of the application, potentially leading to full system compromise.

Remediation

Immediately upgrade Ektron CMS to a patched version by applying Security Update 3 or later. This update is required for all installations running versions 8.02 SP5 through 9.10 SP1. Follow these steps:

1. Back up your current Ektron CMS installation and database before proceeding
2. Download Security Update 3 from the official Episerver documentation portal
3. Follow the vendor's installation instructions to apply the security patch
4. Verify that the Saxon XSLT parser is disabled or properly restricted after the update
5. Test your CMS functionality to ensure the update was successful

As a temporary mitigation if immediate patching is not possible, restrict access to XSLT processing endpoints at the network level and monitor for suspicious XSLT document submissions in application logs.
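As an added example (not Invicti's, Ektron's or Episerver's code), a small screening check a defender could run over XSLT documents submitted to the application, in the spirit of the log monitoring suggested above: it flags stylesheets that declare namespaces outside an allowlist or that pull in external stylesheets, since extension namespaces are the channel through which an XSLT engine exposes host-language calls. The allowlist, the function name and the sample documents are assumptions constructed for this example.

```python
import io
import xml.etree.ElementTree as ET

XSL_NS = "http://www.w3.org/1999/XSL/Transform"
# Assumption: the namespaces a legitimate, application-owned stylesheet is
# expected to declare. Tune this to the stylesheets your deployment ships.
ALLOWED_NS = {XSL_NS, "http://www.w3.org/1999/xhtml"}

def xslt_findings(doc: str) -> list[str]:
    """Return reasons a submitted XSLT document deserves a closer look
    (empty list = nothing flagged). Any namespace declared outside the
    allowlist is reported, even if it only appears inside XPath expressions."""
    findings: list[str] = []
    declared: dict[str, str] = {}
    try:
        # start-ns events see every xmlns declaration, including prefixes used
        # only inside select="..." expressions and never on an element name
        for _, (prefix, uri) in ET.iterparse(io.BytesIO(doc.encode()), events=("start-ns",)):
            declared[prefix] = uri
        root = ET.fromstring(doc)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]
    if root.tag not in (f"{{{XSL_NS}}}stylesheet", f"{{{XSL_NS}}}transform"):
        findings.append("root element is not xsl:stylesheet or xsl:transform")
    for prefix, uri in sorted(declared.items()):
        if uri not in ALLOWED_NS:
            findings.append(f"non-allowlisted namespace xmlns:{prefix or '#default'}={uri}")
    for el in root.iter():
        if el.tag in (f"{{{XSL_NS}}}include", f"{{{XSL_NS}}}import"):
            findings.append(f"external stylesheet reference href={el.get('href')}")
    return findings

# Constructed samples: a plain stylesheet and one declaring an extension namespace.
BENIGN = """<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/"><html><body><xsl:value-of select="//title"/></body></html></xsl:template>
</xsl:stylesheet>"""

SUSPICIOUS = """<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:ext="urn:example:host-extension">
  <xsl:import href="http://example.invalid/other.xsl"/>
  <xsl:template match="/"><xsl:value-of select="ext:run('x')"/></xsl:template>
</xsl:stylesheet>"""

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, xslt_findings(doc) or "clean")
```

A hit from this check is a reason to hold the document and inspect it, not proof of an attack; legitimate stylesheets that use vendor extensions belong in the allowlist.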