CVE-2025-8868

Severity: Critical
Published: 29 September 2025
Modified: 16 October 2025
CVSS v3.1 base score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.1985 (95.6th percentile)
Risk priority: 32 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-8868 is a critical-severity SQL Injection (CWE-89) vulnerability in Chef Automate. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 4.4% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-8868 is an SQL injection vulnerability, also tied to information exposure, that affects Progress Chef Automate versions earlier than 4.13.295 on the Linux x86 platform. The flaw resides in the compliance service and arises from improperly neutralized inputs supplied to an SQL command that uses a well-known token; it corresponds to CWE-89 and CWE-200. It carries a CVSS 3.1 base score of 9.8.

An authenticated attacker can exploit the issue over the network to obtain access to Chef Automate restricted functionality in the compliance service, resulting in high impact to confidentiality, integrity, and availability.

The vendor reference points to the Chef Automate 4.13.295 release notes, which document the availability of a fix that resolves the vulnerability.

The associated EPSS score shows a peak of 0.2178 and a current value of 0.1985.

Vulnerability details

In Progress Chef Automate, versions earlier than 4.13.295, on Linux x86 platform, an authenticated attacker can gain access to Chef Automate restricted functionality in the compliance service via improperly neutralized inputs used in an SQL command using a well-known token.

CWE(s)

CWE-89 (SQL Injection), CWE-200 (Information Exposure)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SQL injection in the network-accessible Chef Automate compliance service directly enables remote exploitation of a public-facing application (T1190) for data access or modification.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

Affected Assets

chef automate, ≤ 4.13.295 (builds 20180319150121 to 20220329091442)

Mitigating Controls (NIST 800-53 r5)

Prevent, SI-10 (Information Input Validation): Directly mitigates SQL injection by requiring validation of all information inputs, including those improperly neutralized in the compliance service's SQL commands.

Prevent, SI-2 (Flaw Remediation): Mandates timely flaw remediation through patching to Chef Automate version 4.13.295 or later, eliminating the specific SQL injection vulnerability.

Detect, vulnerability scanning: Provides vulnerability scanning to identify SQL injection flaws like CVE-2025-8868 in the compliance service, enabling proactive mitigation.
