PT-2026-3888 · Aes · Aes

Published: 2026-01-22 · Updated: 2026-02-26 · CVE-2025-27378

CVSS v3.1: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions
AES (affected versions not specified)

Description
AES contains a SQL injection issue because of an inactive configuration that bypasses the latest SQL parsing logic. Without this configuration enabled, specially crafted input can be mishandled, potentially allowing attackers to inject and execute arbitrary SQL queries. The issue arises when the sql.parsing configuration is not active. Exploitation involves submitting crafted input to the system, which, due to the bypassed parsing logic, is interpreted as SQL code and executed.

Recommendations
Activate the latest SQL parsing logic in the configuration to prevent crafted input from being mishandled and exploited by attackers. As a temporary workaround, consider restricting or disabling input parameters that are directly used in SQL queries until the configuration is updated.

Fix

SQL injection

RCE

Weakness Enumeration

Related Identifiers: CVE-2025-27378

Affected Products: Aes