CVE-2025-66516 impact review for Exchange Reporter Plus

What is CVE-2025-66516? 

CVE-2025-66516 affects tika-core.jar version 2.4.1, a library used for parsing various document formats. The vulnerability is an XML External Entity (XXE) injection flaw that occurs specifically during PDF document parsing. Attackers could potentially exploit this vulnerability to read sensitive files or cause denial of service when malicious PDFs are processed.

Does it impact Exchange Reporter Plus?    

There's no impact to Exchange Reporter Plus. Here's why:

  • Exchange Reporter Plus does not parse PDFs: The application has no functionality that processes or parses PDF documents, eliminating the attack surface entirely.

  • Additional layers of protection: Exchange Reporter Plus includes web application firewall (WAF) rules that detect and block XXE injection attempts in any uploaded files.

Customer action required    

There's no action needed by Exchange Reporter Plus customers. This vulnerability does not pose a risk to Exchange Reporter Plus deployments.

Conclusion    

  • CVE-2025-66516 is not applicable to Exchange Reporter Plus.

  • The product does not use the PDF parsing functionality required to trigger the issue.

  • Existing WAF protections further mitigate any potential risk.

We will continue to monitor and proactively assess any reported vulnerabilities to ensure the security of Exchange Reporter Plus.