CISA Known Exploited Vulnerability (KEV)
Advantive VeraCore SQL Injection Vulnerability
March 10, 2025
March 31, 2025
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Description
A SQL injection vulnerability in timeoutWarning.asp in Advantive VeraCore through 2025.1.0 allows remote attackers to execute arbitrary SQL commands via the PmSess1 parameter.
References
Weakness Enumeration
| CWE-ID | CWE Name |
|---|---|
|
CWE-89 |
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) |