CVE-2025-13319
Published: 17 November 2025
Description
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Security Summary
CVE-2025-13319 is an SQL injection vulnerability (CWE-89, CWE-20) in the API feature of Digi On-Prem Manager. Published on 2025-11-17, it enables attackers to inject malicious SQL payloads through crafted input when interacting with the API. The vulnerability affects the Digi On-Prem Manager software, with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant confidentiality, integrity, and availability impacts.
Exploitation requires network access and low privileges in the form of a valid API token, as the API is not enabled by default. An attacker with such a token can remotely submit crafted inputs to the API endpoints, executing arbitrary SQL queries against the backend database. This could lead to unauthorized data access, modification, or deletion, depending on the database permissions and structure.
The vendor security advisory DOM-25-001 at https://dom.nettec.no/security-advisories/DOM-25-001/ provides further details on the issue and recommended mitigations.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection enables arbitrary SQL queries for unauthorized database access and collection (T1213.006) and data modification/deletion (T1565.001).