# [CRIT] [GHSA / CRITICAL] CVE-2026-55471: HAPI FHIR: XXE in XsltUtilities.saxonTransform via unhardened Saxon TransformerFactory **Source:** GitHub Security Advisories **Published:** 2026-06-17 **Article:** https://github.com/advisories/GHSA-2f55-g35j-5jmf ## Threat Profile HAPI FHIR: XXE in XsltUtilities.saxonTransform via unhardened Saxon TransformerFactory ### Summary `org.hl7.fhir.utilities.XsltUtilities` exposes two parallel families of XSLT transform helpers. The `transform(...)` overloads obtain their `TransformerFactory` from the project's hardened helper `XMLUtil.newXXEProtectedTransformerFactory()` (which sets `ACCESS_EXTERNAL_DTD=""` and `ACCESS_EXTERNAL_STYLESHEET=""`). The sibling `saxonTransform(...)` overloads instead instantiate a **bare** `new ne… ## Indicators of Compromise (high-fidelity only) - **CVE:** `CVE-2026-55471` ## MITRE ATT&CK Techniques - **T1071.001** — Web Protocols - **T1071.004** — DNS - **T1190** — Exploit Public-Facing Application - **T1204.002** — User Execution: Malicious File - **T1071.001** — Application Layer Protocol: Web Protocols ## Kill chain phases observed _(none detected from narrative keywords)_ ## Recommended hunts ### Java/JVM process initiating outbound DTD-shaped fetch — XXE OOB exfil (CVE-2026-55471) `UC_3_3` · phase: **exploit** · confidence: **Medium** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Web.url) as url values(Web.http_method) as method values(Web.dest) as dest from datamodel=Web.Web where Web.app IN ("java","java.exe","javaw.exe","javaw") AND (Web.url="*.dtd" OR Web.url="*.dtd?*" OR Web.http_content_type="application/xml-dtd*") by Web.src Web.user Web.app Web.url Web.http_user_agent | `drop_dm_object_name(Web)` | where NOT match(url,"(?i)(w3\.org|oasis-open\.org|docbook\.org|hl7\.org|fhir\.org)") | `security_content_ctime(firstTime)` ``` **Defender KQL:** ```kql let JvmImages = dynamic(["java.exe","javaw.exe","java","javaw"]); let KnownDtdHosts = dynamic(["w3.org","oasis-open.org","docbook.org","hl7.org","fhir.org"]); DeviceNetworkEvents | where Timestamp > ago(7d) | where InitiatingProcessFileName in~ (JvmImages) | where RemoteIPType == "Public" | where isnotempty(RemoteUrl) | where RemoteUrl has ".dtd" or RemoteUrl matches regex @"(?i)\.dtd(\?|$)" | where not(RemoteUrl has_any (KnownDtdHosts)) | project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteIP, RemotePort, RemoteUrl, InitiatingProcessParentFileName | order by Timestamp desc ``` ### Vulnerable HAPI FHIR org.hl7.fhir.utilities <= 6.9.8 present on asset (CVE-2026-55471) `UC_3_4` · phase: **recon** · confidence: **High** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime from datamodel=Vulnerabilities.Vulnerabilities where Vulnerabilities.cve="CVE-2026-55471" OR (Vulnerabilities.signature="*org.hl7.fhir.utilities*") by Vulnerabilities.dest Vulnerabilities.signature Vulnerabilities.severity | `drop_dm_object_name(Vulnerabilities)` | `security_content_ctime(firstTime)` ``` **Defender KQL:** ```kql DeviceTvmSoftwareVulnerabilities | where CveId == "CVE-2026-55471" or (SoftwareName has "org.hl7.fhir.utilities" and SoftwareVersion matches regex @"^([0-5]\.|6\.[0-9]\.|6\.9\.[0-8])$") | project DeviceName, DeviceId, OSPlatform, SoftwareName, SoftwareVersion, CveId, VulnerabilitySeverityLevel, RecommendedSecurityUpdate | order by DeviceName asc ``` ### Beaconing — periodic outbound to small set of destinations `UC_BEACONING` · phase: **c2** · confidence: **Medium** **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count, values(All_Traffic.dest_port) AS ports from datamodel=Network_Traffic.All_Traffic where All_Traffic.action="allowed" AND All_Traffic.dest_category!="internal" by _time span=10s, All_Traffic.src, All_Traffic.dest | `drop_dm_object_name(All_Traffic)` | streamstats current=f last(_time) AS prev_time by src, dest | eval delta = _time - prev_time | stats avg(delta) AS avg_delta stdev(delta) AS sd_delta count by src, dest | where count > 30 AND sd_delta < 5 AND avg_delta>=30 AND avg_delta<=600 | sort - count ``` **Defender KQL:** ```kql DeviceNetworkEvents | where Timestamp > ago(1d) | where RemoteIPType == "Public" and ActionType == "ConnectionSuccess" | project DeviceName, RemoteIP, RemotePort, Timestamp | sort by DeviceName asc, RemoteIP asc, RemotePort asc, Timestamp asc | extend prev_dev = prev(DeviceName, 1), prev_ip = prev(RemoteIP, 1), prev_port = prev(RemotePort, 1), prev_ts = prev(Timestamp, 1) | where DeviceName == prev_dev and RemoteIP == prev_ip and RemotePort == prev_port | extend delta_sec = datetime_diff('second', Timestamp, prev_ts) | summarize conn_count = count(), avg_delta = avg(delta_sec), stdev_delta = stdev(delta_sec) by DeviceName, RemoteIP, RemotePort | where conn_count > 30 and avg_delta between (30.0 .. 600.0) and stdev_delta < 5.0 | order by conn_count desc ``` ### Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-55471: HAPI FHIR: XXE in XsltUtilities.saxonTransform `UC_3_2` · phase: **install** · confidence: **High** **Splunk SPL (CIM):** ```spl ``` Article-specific bespoke detection — [GHSA / CRITICAL] CVE-2026-55471: HAPI FHIR: XXE in XsltUtilities.saxonTransform ``` | tstats `summariesonly` count from datamodel=Endpoint.Filesystem where Filesystem.action IN ("created","modified") AND (Filesystem.file_path="*/var/folders/.../fhir-secret-467000002121832365.txt*") by Filesystem.dest, Filesystem.user, Filesystem.process_name, Filesystem.file_path, Filesystem.file_name | `drop_dm_object_name(Filesystem)` ``` **Defender KQL:** ```kql // Article-specific bespoke detection — [GHSA / CRITICAL] CVE-2026-55471: HAPI FHIR: XXE in XsltUtilities.saxonTransform // Hunts the actual binaries / paths / commandline fragments named // in the article instead of a generic technique-class template. // File-creation events for the named binaries / paths DeviceFileEvents | where Timestamp > ago(30d) | where ActionType in ("FileCreated","FileModified") | where (FolderPath has_any ("/var/folders/.../fhir-secret-467000002121832365.txt")) | project Timestamp, DeviceName, AccountName, FolderPath, FileName, ActionType, InitiatingProcessFileName, InitiatingProcessCommandLine | order by Timestamp desc ``` ### IOC-driven hunts (use shared templates) These are standard IOC-substitution hunts — the canonical SPL and KQL live once in [`_TEMPLATES.md`](../_TEMPLATES.md), so we don't repeat the same boilerplate on every CVE / hash / network-IOC briefing. - **Asset exposure — vulnerability matches article CVE(s)** ([template](../_TEMPLATES.md#asset-exposure)) — phase: **recon**, confidence: **High** - CVE(s): `CVE-2026-55471` ## Why this matters Severity classified as **CRIT** based on: CVE present, 5 use case(s) fired, 5 technique(s) inferred. Read the full article for actor attribution, tooling details, and any defanged IOCs in the body that aren't visible in the RSS summary.