CVE-2025-28076

Name of the Vulnerable Software and Affected Versions EasyVirt DCScope versions 8.6.4 and earlier EasyVirt CO2Scope versions 1.3.4 and earlier

Description The issue allows remote authenticated attackers to execute arbitrary SQL commands. This can be achieved via various parameters to specific API endpoints, such as the timeago, user, filter, target, p1 through p20 parameters to "/api/management/updateihmsettings", or the ID, NAME, CPUTHREADNB, RAMCAP, or DISKCAP parameters to "/api/capaplan/savetemplates".

Recommendations For EasyVirt DCScope versions 8.6.4 and earlier, consider disabling access to the "/api/management/updateihmsettings" and "/api/capaplan/savetemplates" API endpoints until a patch is available. For EasyVirt CO2Scope versions 1.3.4 and earlier, restrict the use of the vulnerable parameters timeago, user, filter, target, p1 through p20, ID, NAME, CPUTHREADNB, RAMCAP, and DISKCAP in the affected API endpoints to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.