Nullcon Goa

The SOAP Effect in Real-World Systems


Course

Adobe's Kamalpreet Khurana exposes how legacy SOAP systems still fuel critical vulnerabilities in 2026, walking through a real zero-day XXE discovery and offering practical mitigations for teams that can't retire their SOAP infrastructure.

SOAP isn't dead; it's quietly running your most critical billing, licensing and document processing systems. In this session, Adobe Senior Offensive Security Researcher Kamalpreet Khurana walks through the zero-day XXE vulnerability he discovered in 2025 in a widely used product, revealing how SOAP's XML parsing layer continues to expose enterprises to attacks that developers have stopped anticipating and security teams have stopped testing for.

In this session, you will learn:

  • How WSDL files inadvertently hand attackers a complete road map of a SOAP service's operations, parameters, data types and endpoint URLs;
  • How a five-stage XXE exploitation methodology - from direct file reads and out-of-band callbacks to nested entities and double-encoded parameter entities - was used to extract sensitive data from a critical product;
  • Practical defense-in-depth mitigations for teams that cannot migrate to REST, including disabling external entities, blocking external DTD loading, sandboxed parsing and network isolation.

Here is the course outline:

The SOAP Effect: Breaking Security Assumptions in Real-World Systems

Completion

The following certificates are awarded when the course is completed:

CPE Credit Certificate
