Cyber Resilience

CVE-2025-56424

High · Public PoC · DDoS

Published: 08 January 2026

Modified: 12 January 2026
CVSS Score (v3.1): 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0027 (51.2nd percentile)
Risk Priority: 15 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-56424 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Insiders-Technologies E-Invoice Pro. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 48.8% of CVEs by exploit likelihood (EPSS), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-56424 is a denial-of-service vulnerability in Insiders Technologies GmbH e-invoice pro versions prior to release 1 Service Pack 2. The flaw, tied to CWE-400 (Uncontrolled Resource Consumption), enables a remote attacker to disrupt service availability by sending a crafted script. It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), reflecting its high severity from network-based access with low attack complexity and no authentication or user interaction needed.

A remote, unauthenticated attacker can exploit this vulnerability by transmitting a specially crafted script to the affected e-invoice pro instance. Exploitation leads to a high-impact denial of service, potentially causing the service to become unavailable without affecting confidentiality or integrity.

Advisories recommend upgrading to e-invoice pro release 1 Service Pack 2 or later to mitigate the issue. Further details appear on the vendor page at https://insiders-technologies.com/en/e-invoice/ and in the analysis at https://mind-bytes.de/xml-external-entity-xxe-injection-in-e-invoice-pro-cve-2025-56424/.

Vulnerability details

An issue in Insiders Technologies GmbH e-invoice pro before release 1 Service Pack 2 allows a remote attacker to cause a denial of service via a crafted script.

CWE(s): CWE-400 (Uncontrolled Resource Consumption)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

The vulnerability is a remotely exploitable DoS in a public-facing e-invoice application via crafted input (CWE-400), directly enabling T1190 (Exploit Public-Facing Application) and T1499.004 (Endpoint Denial of Service: Application or System Exploitation).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-39304 (shared CWE-400)
CVE-2025-27669 (shared CWE-400)
CVE-2026-21637 (shared CWE-400)
CVE-2026-27888 (shared CWE-400)
CVE-2025-59472 (shared CWE-400)
CVE-2025-40944 (shared CWE-400)
CVE-2025-24269 (shared CWE-400)
CVE-2026-46829 (shared CWE-400)
CVE-2026-25819 (shared CWE-400)
CVE-2025-59464 (shared CWE-400)

Affected Assets

Vendor: insiders-technologies
Product: e-invoice pro
Version: 1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent (vendor patch / upgrade)
Directly mitigates the vulnerability by requiring timely remediation through patching or upgrading to e-invoice pro release 1 Service Pack 2 as recommended by the vendor.

prevent (SC-5, Denial-of-service Protection)
Provides comprehensive protection against denial-of-service attacks, including the resource consumption triggered by remote crafted scripts in this CVE.

prevent (SI-10, Information Input Validation)
Prevents exploitation by validating and sanitizing crafted script inputs to block uncontrolled resource consumption (CWE-400).