CVE-2025-13214
Published: 11 December 2025
Description
IBM Aspera Orchestrator 4.0.0 through 4.1.0 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify, or delete information in the back-end database.
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents SQL injection attacks by validating and sanitizing untrusted inputs before they are used in database queries.
Remediates the specific SQL injection vulnerability in IBM Aspera Orchestrator through timely flaw identification, patching, and testing per IBM advisory.
Mitigates SQL injection by restricting input types, lengths, and patterns to block common malicious SQL payloads.
Security SummaryAI
CVE-2025-13214 is a SQL injection vulnerability (CWE-89) in IBM Aspera Orchestrator versions 4.0.0 through 4.1.0. The flaw enables a remote attacker to send specially crafted SQL statements, potentially allowing unauthorized access to the back-end database.
The vulnerability carries a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L). A remote attacker with low privileges (PR:L) can exploit it over the network with low attack complexity and no user interaction, achieving high confidentiality impact through data disclosure, as well as low integrity and availability impacts by viewing, adding, modifying, or deleting database information.
IBM provides details on mitigation and patches in its security advisory at https://www.ibm.com/support/pages/node/7254434. Security practitioners should consult this reference for version-specific remediation steps.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection vulnerability in a remote-accessible application enables exploitation of public-facing application (T1190) and direct access to database for data collection (T1213.006).