CVE-2025-27617

High

Published: 11 March 2025

Published

11 March 2025

Modified

04 November 2025

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0054 67.8th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-27617 is a high-severity SQL Injection (CWE-89) vulnerability in Pimcore Pimcore. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 32.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly prevents SQL injection by requiring validation of crafted filter strings in Pimcore's RelationFilterConditionParser and Multiselect classes.

SI-2 Flaw Remediation good match

prevent

Mitigates the vulnerability by mandating timely patching of Pimcore to version 11.5.4, which fixes the filter parsing logic.

SI-4 System Monitoring partial match

detect

Enables detection of SQL injection attempts by monitoring for unauthorized or anomalous SQL queries executed via malicious filter strings.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1213.006 Databases Collection

Adversaries may leverage databases to mine valuable information.

attack.mitre.org →

T1565.001 Stored Data Manipulation Impact

Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.

attack.mitre.org →

Why these techniques?

SQL injection in Pimcore web app enables T1190 exploitation of public-facing application; arbitrary SQL directly facilitates T1213.006 database data exfiltration and T1565.001 stored data manipulation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Pimcore is an open source data and experience management platform. Prior to version 11.5.4, authenticated users can craft a filter string used to cause a SQL injection. Version 11.5.4 fixes the issue.

Deeper analysisAI

CVE-2025-27617 is a SQL injection vulnerability (CWE-89) affecting Pimcore, an open source data and experience management platform. The issue exists prior to version 11.5.4 in components related to data object class definitions, specifically the RelationFilterConditionParser and Multiselect classes, where authenticated users can craft a malicious filter string to inject SQL payloads. The vulnerability has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.

An attacker with low-privilege authenticated access (PR:L) can exploit this over the network (AV:N) with low complexity (AC:L) and no user interaction required (UI:N). By submitting a specially crafted filter string, they can execute arbitrary SQL queries, potentially leading to high confidentiality, integrity, and availability impacts, such as data exfiltration, modification, or denial of service within the application's database.

The Pimcore security advisory (GHSA-qjpx-5m2p-5pgh) and associated fix in commit 19a8520895484e68fd254773e32476565d91deea confirm that upgrading to version 11.5.4 resolves the issue by addressing the filter parsing logic in the affected files. Security practitioners should prioritize patching Pimcore instances to this version and review access controls for authenticated users interacting with data object filters.