CVE-2025-27378

High

Published: 22 January 2026

Published

22 January 2026

Modified

26 February 2026

KEV Added

—

Patch

—

CVSS Score 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

EPSS Score 0.0003 10.3th percentile

Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-27378 is a high-severity Improper Input Validation (CWE-20) vulnerability in Altium On-Prem Enterprise Server. Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 10.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

SI-10 directly mandates validation of crafted inputs to block SQL injection exploits enabled by improper handling in this CVE.

CM-6 Configuration Settings good match

prevent

CM-6 ensures the configuration setting enabling latest SQL parsing logic is established and monitored, directly mitigating the inactive configuration causing this vulnerability.

SI-2 Flaw Remediation good match

prevent

SI-2 requires timely remediation of the specific SQL injection flaw identified in this CVE through patching or configuration fixes.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

Direct remote unauthenticated SQL injection in a network-accessible application maps cleanly to exploitation of public-facing apps.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

AES contains a SQL injection vulnerability due to an inactive configuration that prevents the latest SQL parsing logic from being applied. When this configuration is not enabled, crafted input may be improperly handled, allowing attackers to inject and execute arbitrary…

SQL queries.

Deeper analysisAI

CVE-2025-27378 is a SQL injection vulnerability in AES arising from an inactive configuration that prevents the latest SQL parsing logic from being applied. This issue, mapped to CWE-20 (Improper Input Validation) and CWE-89 (SQL Injection), allows crafted input to be improperly handled, enabling attackers to inject and execute arbitrary SQL queries. The vulnerability was published on 2026-01-22 with a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L).

Remote attackers without privileges can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation permits arbitrary SQL query execution, resulting in high confidentiality impact through unauthorized data access, alongside low integrity and availability impacts.

Mitigation details are available in the Altium security advisory at https://www.altium.com/platform/security-compliance/security-advisories.