Cyber Resilience

CVE-2025-13774

High

Published: 13 January 2026

Published
13 January 2026
Modified
05 February 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0042 33.8th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2025-13774 is a high-severity SQL Injection (CWE-89) vulnerability in Progress Flowmon Anomaly Detection System. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 33.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-13774 is an SQL injection vulnerability (CWE-89) in Progress Flowmon ADS versions prior to 12.5.4 and 13.0.1. The flaw allows authenticated users to execute unintended SQL queries and commands, potentially compromising the application's database interactions. It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), reflecting high severity due to its network accessibility, low attack complexity, and significant impacts across confidentiality, integrity, and availability.

Attackers require only low-privileged authenticated access (PR:L) to exploit the vulnerability remotely over the network (AV:N), with low complexity (AC:L) and no user interaction (UI:N). Successful exploitation grants the ability to execute arbitrary SQL commands, enabling high-impact outcomes such as unauthorized data extraction or modification (C:H/I:H) and potential denial of service (A:H), all within the unchanged scope (S:U) of the affected component.

The official Progress advisory at https://community.progress.com/s/article/Flowmon-ADS-CVE-2025-13774 details mitigation steps, with upgrades to Flowmon ADS version 12.5.4 or 13.0.1 recommended to remediate the issue in affected deployments.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A vulnerability exists in Progress Flowmon ADS versions prior to 12.5.4 and 13.0.1 where an SQL injection vulnerability allows authenticated users to execute unintended SQL queries and commands.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SQL injection in a network-accessible application directly maps to exploitation of public-facing apps for arbitrary query/command execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-4670Same vendor: Progress
CVE-2026-6023Same vendor: Progress
CVE-2026-2699Same vendor: Progress
CVE-2026-7198Same vendor: Progress
CVE-2026-7195Same vendor: Progress
CVE-2023-34362Same vendor: Progress
CVE-2026-24956Shared CWE-89
CVE-2026-33615Shared CWE-89
CVE-2025-28939Shared CWE-89
CVE-2021-47872Shared CWE-89

Affected Assets

progress
flowmon anomaly detection system
12.0.0 — 12.5.4 · 13.0.0 — 13.0.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-10 directly prevents SQL injection vulnerabilities like CVE-2025-13774 by requiring validation of all user inputs prior to incorporation into database queries.

prevent

SI-2 requires timely identification, reporting, and correction of flaws, directly mitigating this SQL injection through patching to fixed Flowmon ADS versions 12.5.4 or 13.0.1.

preventdetect

RA-5 enables detection of SQL injection vulnerabilities like CVE-2025-13774 through regular scanning and subsequent risk-based remediation.

References