CVE-2025-2927
Published: 28 March 2025
Description
Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems.
Security Summary
CVE-2025-2927 is a critical SQL injection vulnerability (CWE-74, CWE-89) in ESAFENET CDG version 5.6.3.154.205. The flaw resides in an unknown function within the file /parameter/getFileTypeList.jsp, where manipulation of the 'typename' argument triggers the injection.
The vulnerability enables remote exploitation by unauthenticated attackers (PR:N) over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Successful attacks can result in limited impacts to confidentiality, integrity, and availability (C:L/I:L/A:L), yielding a CVSS v3.1 base score of 7.3.
Advisories from VulDB and a related GitHub report indicate that the vendor was contacted early about the disclosure but provided no response or patches. The exploit has been publicly disclosed and may be actively used by attackers. Security practitioners should restrict access to the affected endpoint and monitor for anomalous requests involving the 'typename' parameter.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in public-facing web endpoint (/parameter/getFileTypeList.jsp) enables unauthenticated remote exploitation of public-facing applications (T1190). Allows arbitrary SQL execution on MSSQL server, facilitating abuse of server software components for potential RCE (T1505).