CVE-2025-67280
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-09

Last updated on: 2026-01-09

Assigner: MITRE

Description
In TIM BPM Suite/ TIM FLOW through 9.1.2 multiple Hibernate Query Language injection vulnerabilities exist which allow a low privileged user to extract passwords of other users and access sensitive data of another user.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-09
Last Modified
2026-01-09
Generated
2026-06-16
AI Q&A
2026-01-10
EPSS Evaluated
2026-06-15
NVD
CVE-2025-67280
EUVD
EUVD-2026-1727
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
tim_solutions_gmbh tim_bpm_suite 9.1.2
tim_solutions_gmbh tim_bpm_suite to 9.1.2 (exc)
tim_solutions_gmbh tim_flow 9.1.2
tim_solutions_gmbh tim_flow to 9.1.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-564 Using Hibernate to execute a dynamic SQL statement built with user-controlled input can allow an attacker to modify the statement's meaning or to execute arbitrary SQL commands.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-67280 is a Hibernate Query Language (HQL) injection vulnerability in TIM BPM Suite and TIM FLOW versions prior to 9.1.2. It allows a low-privileged user to exploit the system by injecting malicious queries, enabling them to extract passwords of other users and access sensitive data belonging to other users. [2]

Impact Analysis

This vulnerability can lead to unauthorized access to sensitive information, including other users' passwords and private data. A low-privileged user could leverage this flaw to compromise user accounts and potentially escalate their access within the system, leading to data breaches and loss of confidentiality. [2]

Mitigation Strategies

Immediate mitigation steps include updating TIM BPM Suite / TIM FLOW to version 9.1.2 or later where the vulnerabilities have been addressed. Additionally, it is recommended to follow OWASP guidelines such as the SQL Injection Prevention Cheat Sheet, Authorization Cheat Sheet, and Password Storage Cheat Sheet to enhance security and prevent exploitation of injection vulnerabilities. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-67280. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart