CVE-2025-0793
Published: 29 January 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-0793 is a critical SQL injection vulnerability in ESAFENET CDG V5, in unspecified functionality of the file /todoDetail.jsp. Improper handling of the flowId argument allows manipulation that leads to SQL injection, classified under CWE-74 and CWE-89. The vulnerability carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and was published on 2025-01-29.
The vulnerability can be exploited remotely by an attacker with low privileges (PR:L), requiring no user interaction and low attack complexity. Successful exploitation enables limited impacts on confidentiality, integrity, and availability, potentially allowing unauthorized data access, modification, or disruption through injected SQL queries.
Advisories from VulDB and a related GitHub report detail the vulnerability, including a proof-of-concept exploit that has been publicly disclosed and may be actively used. The vendor was contacted early regarding the issue but has not responded or issued any patches or mitigations as of the latest information.
Notable context includes the public availability of the exploit via GitHub, increasing the risk of real-world exploitation against unpatched ESAFENET CDG V5 instances.
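With no vendor patch available, one way to review web server access logs for requests that put unexpected content in flowId is sketched below. This is an added example, not code from the advisory, VulDB or the vendor. It assumes combined-format access logs and that legitimate flowId values are short alphanumeric identifiers; the sample log lines are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

TARGET_PATH = "/todoDetail.jsp"   # endpoint named in the advisory
PARAM = "flowId"                  # parameter named in the advisory
# Assumption: legitimate flowId values are short alphanumeric identifiers.
# Adjust this pattern to the format your deployment actually uses.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_-]{1,64}")

# Combined log format: client ident user [time] "METHOD target PROTO" status
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (documentation IP ranges, not real traffic)
SAMPLE = [
    '192.0.2.10 - alice [29/Jan/2025:10:00:01 +0000] "GET /todoDetail.jsp?flowId=1024 HTTP/1.1" 200 5120',
    '198.51.100.7 - bob [29/Jan/2025:10:02:13 +0000] "GET /todoDetail.jsp?flowId=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 312',
    '198.51.100.7 - bob [29/Jan/2025:10:02:15 +0000] "GET /todoDetail.jsp;jsessionid=ABC?flowId=1+AND+1%3D1 HTTP/1.1" 200 5120',
    '192.0.2.10 - alice [29/Jan/2025:10:03:40 +0000] "GET /index.jsp?flowId=1%27 HTTP/1.1" 200 100',
]

def suspicious_requests(lines):
    """Return (client, time, status, decoded_value) for each request to
    TARGET_PATH whose flowId does not match SAFE_VALUE. Only the query
    string is inspected; POST bodies do not appear in access logs."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        # Drop servlet path parameters such as ;jsessionid=... before comparing
        if not url.path.split(";")[0].endswith(TARGET_PATH):
            continue
        # parse_qs URL-decodes values, so %27 is compared as a literal quote
        for value in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
            if not SAFE_VALUE.fullmatch(value):
                hits.append((m["client"], m["time"], int(m["status"]), value))
    return hits

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE):
        print(hit)
```

A flagged request that returned a 500 status and was followed by further requests from the same authenticated account (the vulnerability requires low privileges) is a reasonable starting point for triage.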
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The SQL injection vulnerability in a public-facing web endpoint (/todoDetail.jsp) enables exploitation of public-facing applications (T1190), server software component abuse (T1505, per the advisory), and data collection from databases via arbitrary queries (T1213.006).