CVE-2025-1844
Published: 03 March 2025
Description
A vulnerability, which was classified as critical, was found in ESAFENET CDG 5.6.3.154.205_20250114. Affected is an unknown function of the file /CDGServer3/logManagement/backupLogDetail.jsp. The manipulation of the argument logTaskId leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Security Summary
CVE-2025-1844 is a critical SQL injection vulnerability (classified under CWE-74 and CWE-89) affecting ESAFENET CDG version 5.6.3.154.205_20250114. The flaw resides in an unknown function within the file /CDGServer3/logManagement/backupLogDetail.jsp, where manipulation of the logTaskId argument enables SQL injection. The vulnerability was published on 2025-03-03 and carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
An attacker with low-privilege authenticated access (PR:L) can exploit this remotely over the network (AV:N) with low attack complexity (AC:L) and no user interaction required (UI:N). Successful exploitation grants limited impacts on confidentiality, integrity, and availability (C:L/I:L/A:L), potentially allowing unauthorized data access, modification, or disruption within the affected log management component.
VulDB advisories and related references, including a GitHub disclosure at https://github.com/666lail/report/blob/main/tmp/1.md, confirm the exploit has been publicly released and may be actively used. The vendor was notified early but provided no response, and no patches or official mitigations are available.
The public exploit disclosure heightens risk for unpatched ESAFENET CDG deployments, particularly in environments relying on this log management functionality.
Details
- CWE(s)