CVE-2025-8868
Published: 29 September 2025
Summary
CVE-2025-8868 is a critical-severity SQL Injection (CWE-89) vulnerability in Chef Automate. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 4.4% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-8868 is an SQL injection vulnerability, also tied to information exposure, that affects Progress Chef Automate versions earlier than 4.13.295 on Linux x86 platforms. The flaw resides in the compliance service and arises from improperly neutralized inputs supplied to an SQL command that incorporates a well-known token, corresponding to CWE-89 and CWE-200. It carries a CVSS 3.1 base score of 9.8.
An authenticated attacker can exploit the issue over the network to obtain access to Chef Automate restricted functionality in the compliance service, resulting in high impact to confidentiality, integrity, and availability.
The vendor reference points to the Chef Automate 4.13.295 release notes, which document the availability of a fix that resolves the vulnerability.
The associated EPSS score shows a peak of 0.2178 and a current value of 0.1985.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-31570
Vulnerability details
In Progress Chef Automate, versions earlier than 4.13.295, on the Linux x86 platform, an authenticated attacker can gain access to Chef Automate restricted functionality in the compliance service via improperly neutralized inputs used in an SQL command using a well-known token.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in the network-accessible Chef Automate compliance service directly enables remote exploitation of a public-facing application (T1190) for data access and modification.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly mitigates SQL injection by requiring validation of all information inputs, including those improperly neutralized in the compliance service's SQL commands.
- SI-2 (Flaw Remediation): mandates timely flaw remediation through patching to Chef Automate version 4.13.295 or later, eliminating the specific SQL injection vulnerability.
- Vulnerability scanning: provides scanning to identify SQL injection flaws like CVE-2025-8868 in the compliance service, enabling proactive mitigation.