CVE-2025-0793
Published: 29 January 2025
Summary
CVE-2025-0793 is a medium-severity Injection (CWE-74) vulnerability in Esafenet Cdg. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 6.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents SQL injection by requiring validation of untrusted inputs such as the flowId parameter in /todoDetail.jsp.
Mandates timely remediation of the known SQL injection flaw in ESAFENET CDG V5, including patching or workarounds despite vendor non-response.
Requires vulnerability scanning that would identify the publicly disclosed SQL injection vulnerability, enabling proactive remediation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection vulnerability in public-facing web endpoint (/todoDetail.jsp) enables exploitation of public-facing applications (T1190), server software component abuse (T1505 per advisory), and data collection from databases via arbitrary queries (T1213.006).
NVD Description
A vulnerability has been found in ESAFENET CDG V5 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /todoDetail.jsp. The manipulation of the argument flowId leads to sql injection. The attack can be launched…
more
remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Deeper analysisAI
CVE-2025-0793 is a critical SQL injection vulnerability in ESAFENET CDG V5, affecting an unknown functionality within the /todoDetail.jsp file. The issue arises from improper handling of the flowId argument, allowing manipulation that leads to SQL injection as classified under CWE-74 and CWE-89. The vulnerability carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and was published on 2025-01-29.
The vulnerability can be exploited remotely by an attacker with low privileges (PR:L), requiring no user interaction and low attack complexity. Successful exploitation enables limited impacts on confidentiality, integrity, and availability, potentially allowing unauthorized data access, modification, or disruption through injected SQL queries.
Advisories from VulDB and a related GitHub report detail the vulnerability, including a proof-of-concept exploit that has been publicly disclosed and may be actively used. The vendor was contacted early regarding the issue but has not responded or issued any patches or mitigations as of the latest information.
Notable context includes the public availability of the exploit via GitHub, increasing the risk of real-world exploitation against unpatched ESAFENET CDG V5 instances.
Details
- CWE(s)