CVE-2023-45727 — North Grid Proself Improper Restriction of XML External Entity (XXE) Reference Vulnerability

North Grid Proself — Unauthenticated XXE Enabling File Read and SSRF, Exploited by China-Linked APT

What is North Grid Proself?

Proself is a Japanese enterprise file-sharing and collaboration platform developed by North Grid Corporation. It offers Enterprise/Standard editions for internal file sharing, a Gateway edition for external transfer, and a Mail Sanitize edition for email attachment filtering. Proself is widely used in Japanese government agencies, municipalities, and enterprises that handle sensitive documents — making it a strategic target for state-sponsored espionage actors seeking access to Japanese organizational networks.

Overview

CVE-2023-45727 is an XML External Entity (XXE) injection vulnerability in Proself that allows an unauthenticated remote attacker to read arbitrary files from the server and conduct server-side request forgery (SSRF). The vulnerability was disclosed by North Grid in October 2023 but was added to the CISA KEV catalog in December 2024, reflecting active exploitation observed well after initial disclosure — consistent with targeted APT campaigns against Japanese government and corporate targets.

Affected Versions

Edition              Vulnerable Versions   Fixed Version
Enterprise/Standard  Prior to ver5.63      ver5.63 or later
Gateway              Prior to ver1.66      ver1.66 or later
Mail Sanitize        Prior to ver1.08      ver1.08 or later

Technical Details

The vulnerability is an improper restriction of XML External Entity references (CWE-611) in Proself's XML processing functionality. When the application processes user-supplied XML data, it fails to disable external entity resolution. An attacker can craft an XML document containing an external entity declaration that points to a local file path or internal network resource:

  • File read: By referencing local file paths (e.g., file:///etc/passwd or Windows configuration files), the attacker can exfiltrate sensitive server-side data including credentials, configuration files, and private keys.
  • SSRF: By referencing internal URLs, the attacker can pivot to backend services not directly accessible from the internet, potentially reaching internal APIs, metadata services, or other internal hosts.

The attack requires no authentication and no user interaction, and the vulnerable XML endpoint is reachable over the network — giving it a CVSS profile of network attack vector, low complexity, no privileges required. The confidentiality impact is high because arbitrary file read can expose credentials and sensitive configuration; integrity and availability are not directly impacted.

Discovery

The vulnerability was identified and reported to North Grid in 2023, with the vendor publishing a security advisory in October 2023. Active exploitation by a China-linked threat actor (associated with APT10 activity patterns) targeting Japanese government and enterprise organizations led to CISA's KEV catalog addition in December 2024.

Exploitation Context

Exploitation of CVE-2023-45727 was attributed to a China-linked APT group in targeted attacks against Japanese organizations, including government agencies and defense-related companies. The file-read capability was used to harvest credentials and configuration data to support deeper intrusion. The 14-month gap between initial disclosure (October 2023) and KEV addition (December 2024) indicates a sustained, targeted exploitation campaign rather than opportunistic scanning. Japanese organizations using Proself for internal document sharing were the primary victims.

Remediation

  1. Upgrade Proself immediately to ver5.63 (Enterprise/Standard), ver1.66 (Gateway), or ver1.08 (Mail Sanitize) or later — these releases disable external entity resolution.
  2. If patching is delayed, consider placing a WAF in front of the Proself endpoint to block XXE payloads (look for <!ENTITY or SYSTEM keywords in incoming XML bodies).
  3. Audit server logs for unusual XML submissions or outbound connections from the Proself server to internal hosts, which could indicate SSRF exploitation.
  4. Rotate credentials stored in configuration files accessible to the Proself server process — especially database passwords, LDAP credentials, and API keys.
  5. Restrict Proself's network egress — the server should not be able to make arbitrary outbound connections; this limits SSRF impact.
  6. Check for signs of lateral movement if you are a Japanese government or defense-adjacent organization — the threat actor exploiting this CVE is known for deep network persistence.
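Added example (not Proself's or North Grid's code) covering the entity-declaration mechanism described under Technical Details and the WAF/log check in remediation step 2: a scan function built on Python's stdlib expat parser that reports DOCTYPE and external entity declarations (the <!ENTITY ... SYSTEM indicators) in a request body, and a hardened parse function that refuses any DOCTYPE outright, which is the setting a fixed XML consumer should apply. The sample request bodies are constructed for this example.

```python
# Added example (not Proself's code). Uses only the Python standard library.
import xml.parsers.expat

# Constructed sample request bodies: one benign upload manifest, one carrying
# the external-entity declaration pattern the Technical Details section describes.
BENIGN_XML = b'<?xml version="1.0"?><upload><file name="report.pdf"/></upload>'
XXE_XML = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE x [<!ENTITY e SYSTEM "file:///etc/passwd">]>'
           b'<x>&e;</x>')

def scan_xml_for_xxe(xml_bytes):
    """Return a list of findings about DOCTYPE/entity declarations in the body.

    Nothing is resolved here: expat only reports the declarations, so the
    scanner itself never fetches a file:// or http:// target."""
    findings = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        findings.append(f"DOCTYPE '{name}' present")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        # A system identifier marks an *external* entity: a resolving parser
        # would fetch that URI (file://, http://, ...) when the entity is used.
        if sysid is not None:
            findings.append(f"external entity '{name}' -> {sysid}")
        elif is_param:
            findings.append(f"parameter entity '{name}' (possible indirection)")

    p = xml.parsers.expat.ParserCreate()
    p.StartDoctypeDeclHandler = on_doctype
    p.EntityDeclHandler = on_entity
    # Never read external parameter entities / external DTDs while scanning.
    p.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    try:
        p.Parse(xml_bytes, True)
    except xml.parsers.expat.ExpatError as e:
        findings.append(f"malformed XML: {e}")
    return findings

def is_xxe_suspicious(xml_bytes):
    """WAF/log-audit style verdict: any entity declaration is worth blocking."""
    return any("entity" in f for f in scan_xml_for_xxe(xml_bytes))

def parse_xml_hardened(xml_bytes):
    """Parse XML with DOCTYPE forbidden; return the root element name."""
    root = []
    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise ValueError("DOCTYPE not allowed: entity declarations rejected")
    def on_start(name, attrs):
        if not root:
            root.append(name)
    p = xml.parsers.expat.ParserCreate()
    p.StartDoctypeDeclHandler = on_doctype
    p.StartElementHandler = on_start
    p.Parse(xml_bytes, True)
    return root[0]
```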

Key Details

Property              Value
CVE ID                CVE-2023-45727
Vendor / Product      North Grid — Proself
NVD Published         2023-10-18
NVD Last Modified     2025-10-24
CVSS 3.1 Score        7.5
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Severity              HIGH
CWE                   CWE-611
CISA KEV Added        2024-12-03
CISA KEV Deadline     2024-12-24
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector:        Network
Attack Complexity:    Low
Privileges Required:  None
User Interaction:     None
Scope:                Unchanged
Confidentiality:      High
Integrity:            None
Availability:         None

Required Action

CISA BOD 22-01 Deadline: 2024-12-24. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date        Event
2023-10-18  North Grid publishes security advisory for CVE-2023-45727
2024-12-03  Added to CISA Known Exploited Vulnerabilities catalog
2024-12-24  CISA BOD 22-01 remediation deadline

References

Resource                              Type
North Grid Proself Security Advisory  Vendor Advisory
NVD — CVE-2023-45727                  Vulnerability Database
CISA KEV Catalog Entry                US Government