Critical SQL Injection Vulnerability Discovered in Digi On-Prem Manager (CVE-2025-13319)

Overview

A high-severity SQL injection vulnerability, identified as CVE-2025-13319, has been discovered in Digi On-Prem Manager. This vulnerability allows an attacker with valid API tokens to inject arbitrary SQL commands via crafted input to the API. It’s important to note that the API feature is not enabled by default, and a valid API token is required for successful exploitation.

Technical Details

The vulnerability resides within the API feature of Digi On-Prem Manager. Specifically, the application fails to properly sanitize user-supplied input when processing API requests. This allows an attacker with a valid API token to craft malicious SQL queries that are then executed against the underlying database.

Successful exploitation of this vulnerability could grant the attacker unauthorized access to sensitive data, including user credentials, configuration details, and other confidential information stored within the Digi On-Prem Manager database. Furthermore, depending on the database permissions, the attacker might be able to modify or delete data, or even execute arbitrary operating system commands on the server hosting the database.

CVSS Analysis

The vulnerability has been assigned a CVSS score of 8.8 (High). This score reflects the potential for significant impact and the relative ease of exploitation once the API-access constraint (a valid token) is met.

  • CVSS Score: 8.8
  • Vector String: not provided in the source. It would likely involve a network attack vector, the added complexity of requiring a valid API token, high confidentiality impact, high integrity impact and high availability impact.

Possible Impact

A successful SQL injection attack can lead to severe consequences, including:

  • Data Breach: Unauthorized access to sensitive data stored in the Digi On-Prem Manager database.
  • Data Modification or Deletion: Altering or deleting critical data, potentially disrupting operations and causing data loss.
  • Privilege Escalation: Gaining higher-level privileges within the application or the underlying operating system.
  • System Compromise: Executing arbitrary code on the server hosting the Digi On-Prem Manager database, potentially leading to complete system compromise.

Mitigation and Patch Steps

To mitigate this vulnerability, the following steps are recommended:

  1. Apply the Patch: Install the latest patch or update provided by Digi International. Refer to Digi’s official website for patch availability and instructions.
  2. Disable API (If Not Needed): If the API feature is not actively used, disable it to reduce the attack surface.
  3. Input Validation and Sanitization: Implement robust input validation and sanitization measures to prevent SQL injection attacks. Even after patching, this is a good security practice.
  4. Principle of Least Privilege: Ensure that database users and API tokens have only the minimum necessary privileges.
  5. Web Application Firewall (WAF): Consider deploying a Web Application Firewall (WAF) to detect and block malicious API requests.
  6. Monitor API Activity: Actively monitor API activity for suspicious patterns and potential attacks.
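Steps 3 and 4 above are easiest to see in code. The following is an added example, not Digi's code: it assumes a hypothetical API handler that looks up devices by name against a constructed table, and shows the string-spliced query beside two hardened forms (parameter binding alone, and binding plus an allowlist check on the input).

```python
import re
import sqlite3

# Constructed sample data standing in for an On-Prem Manager table; the real
# product schema is not known and none of this is the product's own code.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE devices (id INTEGER PRIMARY KEY, name TEXT, owner TEXT)")
    db.executemany(
        "INSERT INTO devices (name, owner) VALUES (?, ?)",
        [("gateway-01", "alice"), ("gateway-02", "bob"), ("sensor-07", "carol")],
    )
    return db

def lookup_vulnerable(db, name):
    # The token holder's input is spliced into the statement text, so it is
    # parsed as SQL syntax rather than treated as a value.
    sql = f"SELECT id, name, owner FROM devices WHERE name = '{name}'"
    return db.execute(sql).fetchall()

def lookup_bound(db, name):
    # Parameter binding: the driver sends the value separately from the
    # statement, so quotes or keywords inside it can never alter the query.
    sql = "SELECT id, name, owner FROM devices WHERE name = ?"
    return db.execute(sql, (name,)).fetchall()

DEVICE_NAME = re.compile(r"[A-Za-z0-9._-]{1,64}")

def lookup_hardened(db, name):
    # Allowlist validation rejects malformed input before it reaches the
    # database at all, giving a clean signal to log and alert on (step 6).
    if not DEVICE_NAME.fullmatch(name):
        raise ValueError("invalid device name")
    return lookup_bound(db, name)

def is_rejected(db, name):
    # Helper so callers can check the validation outcome without try/except.
    try:
        lookup_hardened(db, name)
        return False
    except ValueError:
        return True

if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # constructed input that turns WHERE into a tautology
    print("vulnerable:", lookup_vulnerable(db, crafted))  # every row leaks
    print("bound only:", lookup_bound(db, crafted))       # [] - no such name
    print("hardened:  ", is_rejected(db, crafted))        # True - rejected
    print("legit:     ", lookup_hardened(db, "gateway-01"))
```

Pair the bound query with a database account that only has the rights the API needs (step 4), so that even a residual injection cannot write, drop or reach OS-level functions.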

About the Author

Cybersecurity specialist and founder of Gowri Shankar Infosec, a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
