CVE-2025-70420
Published: 21 April 2026
Summary
CVE-2025-70420 is a CVE record that has been rejected by its CNA (see Vulnerability details below), so the tracker assigns it no severity category and no weakness classification; its CVSS base score is N/A.
Operationally, exploitation of the issue as it was described would align with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The record is ranked at the 12.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
As reported, CVE-2025-70420 is a SQL injection vulnerability in Genesys Latitude version 25.1.0.420. It arises from unsanitized user-supplied input being concatenated directly into SQL statements, enabling an authenticated attacker to execute arbitrary SQL against the backend database. The issue was classified under CWE-89 with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H): high severity because of the full impact on confidentiality, integrity and availability. Note that the CVE record has since been withdrawn by its CNA, which found on further investigation that it was not a security issue (see Vulnerability details below); the analysis here describes the issue as it was originally reported.
An authenticated attacker with low privileges (PR:L) could reach the flaw over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Successful exploitation would allow arbitrary SQL query execution, potentially leading to exfiltration, modification or deletion of data in the backend database, as well as denial-of-service conditions.
Mitigation details are available in advisories from the vendor at http://genesys.com and in independent research at https://okunsec.com/research/cve-2025-70420. The record was published on 2026-04-21T21:16:22.900.
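The concatenation pattern described above, shown as an added example that is not code from Genesys Latitude or from the advisory: a constructed SQLite schema with a users table and an api_keys table, a lookup that builds the query by string concatenation, the parameterized equivalent, and an allowlist check of the kind SI-10 (Information Input Validation) calls for. Table names, column names, sample rows and the two injection strings are all constructed for the demonstration and are assumptions, not details of the product.

```python
import re
import sqlite3

# Constructed sample data: stand-in tables, not Genesys Latitude's schema.
USERS = [
    (1, "alice", "ops", "alice@example.test"),
    (2, "bob", "ops", "bob@example.test"),
    (3, "carol", "finance", "carol@example.test"),
]
API_KEYS = [
    (1, "billing", "sk_live_constructed_0001"),
    (2, "reporting", "sk_live_constructed_0002"),
]

# Allowlist for the one field this lookup accepts: short identifier characters only.
TEAM_RE = re.compile(r"[A-Za-z0-9_-]{1,32}")


def make_db():
    """In-memory SQLite database standing in for the application's backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, team TEXT, email TEXT)")
    conn.execute("CREATE TABLE api_keys (id INTEGER, key_name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", USERS)
    conn.executemany("INSERT INTO api_keys VALUES (?, ?, ?)", API_KEYS)
    return conn


def lookup_vulnerable(conn, team):
    """The pattern the advisory describes: user input pasted into the SQL text.

    The caller's string becomes part of the statement, so quotes, OR clauses
    and UNION SELECTs in the input change what the query does.
    """
    sql = "SELECT id, name, email FROM users WHERE team = '" + team + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, team):
    """Hardened form: the value is bound as a parameter and is never parsed as SQL."""
    return conn.execute(
        "SELECT id, name, email FROM users WHERE team = ?", (team,)
    ).fetchall()


def validate_team(team):
    """SI-10 style input validation: reject anything outside the expected shape.

    Validation is defence in depth here; the parameter binding above is what
    actually removes the injection, and validation alone must not be relied on.
    """
    if not isinstance(team, str) or not TEAM_RE.fullmatch(team):
        raise ValueError("team must be 1-32 characters of [A-Za-z0-9_-]")
    return team


def lookup_hardened(conn, team):
    """Validate first, then query with bound parameters."""
    return lookup_parameterized(conn, validate_team(team))


# Constructed attacker inputs for two of the impacts the CVSS vector flags:
# a tautology that bypasses the WHERE filter (every row comes back), and a
# UNION that reads from a table the lookup was never meant to expose.
TAUTOLOGY = "' OR '1'='1"
UNION_READ = "' UNION SELECT id, key_name, secret FROM api_keys -- "


def run_demo():
    """Exercise each path and return the observations for inspection."""
    conn = make_db()
    results = {
        "vuln_legit": lookup_vulnerable(conn, "ops"),
        "vuln_tautology": lookup_vulnerable(conn, TAUTOLOGY),
        "vuln_union": lookup_vulnerable(conn, UNION_READ),
        "param_tautology": lookup_parameterized(conn, TAUTOLOGY),
        "param_union": lookup_parameterized(conn, UNION_READ),
        "hardened_legit": lookup_hardened(conn, "ops"),
    }
    try:
        lookup_hardened(conn, TAUTOLOGY)
        results["hardened_tautology"] = "accepted"
    except ValueError as exc:
        results["hardened_tautology"] = "rejected: %s" % exc
    conn.close()
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print("%-18s %r" % (name, value))
```

Running the script shows the two halves of the CVSS story side by side: against the concatenated query the tautology returns every user and the UNION payload returns api_keys secrets (confidentiality impact), while the parameterized query returns nothing for either string because the whole input is compared as a literal team name, and the validated path rejects it before any query is issued.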
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-209547
Vulnerability details
Rejected reason: DO NOT USE THIS CVE RECORD. ConsultIDs: none. Reason: This record was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection (CWE-89) in a network-accessible application (AV:N) directly enables exploitation via T1190, allowing arbitrary SQL execution for data impact or DoS.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly prevents SQL injection by requiring validation and sanitization of user-supplied input before it reaches a SQL statement; parameterized queries remain the primary fix, with input validation as defence in depth.
- Flaw remediation: ensures timely identification, prioritization and remediation of flaws like this reported SQL injection through patching.
- RA-5 (Vulnerability Monitoring and Scanning): facilitates discovery of vulnerabilities such as CVE-2025-70420 via scanning and drives their remediation before exploitation.
References
- No references listed