CVE-2025-56385

Critical

Published: 12 November 2025

Published

12 November 2025

Modified

31 December 2025

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0011 28.5th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

A SQL injection vulnerability exists in the login functionality of WellSky Harmony version 4.1.0.2.83 within the 'xmHarmony.asp' endpoint. User-supplied input to the 'TXTUSERID' parameter is not properly sanitized before being incorporated into a SQL query. Successful authentication may lead to…

authentication bypass, data leakage, or full system compromise of backend database contents.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly requires validation and sanitization of user-supplied input to the TXTUSERID parameter to prevent SQL injection in the xmHarmony.asp endpoint.

SI-2 Flaw Remediation good match

prevent

Mandates timely identification, reporting, and correction of the SQL injection flaw in WellSky Harmony version 4.1.0.2.83.

SI-5 Security Alerts, Advisories, and Directives good match

prevent

Ensures the organization reviews and applies security advisories and vendor updates for CVE-2025-56385 to remediate the vulnerability.

Security SummaryAI

A SQL injection vulnerability, tracked as CVE-2025-56385, affects the login functionality in WellSky Harmony version 4.1.0.2.83. The issue resides in the 'xmHarmony.asp' endpoint, where user-supplied input to the 'TXTUSERID' parameter is not properly sanitized before being incorporated into a SQL query. This flaw, classified under CWE-89, was published on 2025-11-12 and carries a CVSS v3.1 base score of 9.8.

Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low complexity. Successful exploitation can enable authentication bypass, data leakage from the backend database, or full compromise of database contents, potentially leading to high impacts on confidentiality, integrity, and availability.

Advisories and additional details are available from vendor sites at http://harmony.com and http://wellsky.com, as well as a security blog analysis at https://machevalia.blog/blog/cve-2025-56385-wellsky-harmony-sql-injection.

Details

CWE(s): CWE-89

Affected Products

wellsky

harmony

4.1.0.2.83

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1213.006 Databases Collection

Adversaries may leverage databases to mine valuable information.

attack.mitre.org →

Why these techniques?

SQL injection vulnerability in public-facing web application login endpoint (xmHarmony.asp) enables remote exploitation of public-facing application (T1190) for authentication bypass and facilitates data collection from backend databases via arbitrary SQL queries (T1213.006).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

http://harmony.com
Broken Link · cve@mitre.org
http://wellsky.com
Product · cve@mitre.org
https://machevalia.blog/blog/cve-2025-56385-wellsky-harmony-sql-injection
Third Party Advisory · cve@mitre.org