CVE-2025-53122
Awaiting Analysis Awaiting Analysis - Queue
BaseFortify

Publication date: 2025-06-26

Last updated on: 2025-06-30

Assigner: The OpenNMS Group

Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in OpenNMS Horizon and Meridian applications allows SQL Injection.Β  Users should upgrade to Meridian 2024.2.6 or newer, or Horizon 33.16 or newer. Meridian and Horizon installation instructions state that they are intended for installation within an organization's private networks and should not be directly accessible from the Internet.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-06-26
Last Modified
2025-06-30
Generated
2026-05-07
AI Q&A
2025-06-26
EPSS Evaluated
2026-05-05
NVD
CVE-2025-53122
EUVD
EUVD-2025-19232
Affected Vendors & Products
Currently, no data is known.
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is an SQL Injection issue in OpenNMS Horizon and Meridian applications. It occurs because special elements used in SQL commands are not properly neutralized, allowing attackers to manipulate SQL queries. Specifically, the vulnerability involves the 'orderBy' clause where columns used for ordering query results cannot be safely passed as parameters in prepared statements. This allows potentially malicious input to influence the SQL query, leading to unauthorized data access or manipulation. The fix restricts the allowed columns for ordering to only legitimate ones belonging to the 'node' entity and a calculated 'severity' column, preventing arbitrary or malicious column names from being used. [1]


How can this vulnerability impact me? :

This SQL Injection vulnerability can allow an attacker with limited privileges to manipulate SQL queries within the OpenNMS Horizon or Meridian applications. This could lead to unauthorized access to sensitive data, data corruption, or other unintended database operations. Since these applications are intended for private network use and not direct Internet exposure, the risk is somewhat mitigated by network controls, but exploitation could still impact the confidentiality and integrity of organizational data. [1]


What immediate steps should I take to mitigate this vulnerability?

To mitigate this SQL Injection vulnerability in OpenNMS Horizon and Meridian applications, users should upgrade to Meridian 2024.2.6 or newer, or Horizon 33.16 or newer. Additionally, ensure that these applications are installed within a private network and are not directly accessible from the Internet. The fix includes restricting the allowed columns in the 'orderBy' clause to prevent injection, as implemented in the foundation-2024 branch. [1]


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart