CVE-2025-67280
BaseFortify
Publication date: 2026-01-09
Last updated on: 2026-01-09
Assigner: MITRE
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tim_solutions_gmbh | tim_bpm_suite | 9.1.2 |
| tim_solutions_gmbh | tim_bpm_suite | to 9.1.2 (exc) |
| tim_solutions_gmbh | tim_flow | 9.1.2 |
| tim_solutions_gmbh | tim_flow | to 9.1.2 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-564 | Using Hibernate to execute a dynamic SQL statement built with user-controlled input can allow an attacker to modify the statement's meaning or to execute arbitrary SQL commands. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-67280 is a Hibernate Query Language (HQL) injection vulnerability in TIM BPM Suite and TIM FLOW versions prior to 9.1.2. It allows a low-privileged user to exploit the system by injecting malicious queries, enabling them to extract passwords of other users and access sensitive data belonging to other users. [2]
How can this vulnerability impact me?
This vulnerability can lead to unauthorized access to sensitive information, including other users' passwords and private data. A low-privileged user could leverage this flaw to compromise user accounts and potentially escalate their access within the system, leading to data breaches and loss of confidentiality. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating TIM BPM Suite / TIM FLOW to version 9.1.2 or later where the vulnerabilities have been addressed. Additionally, it is recommended to follow OWASP guidelines such as the SQL Injection Prevention Cheat Sheet, Authorization Cheat Sheet, and Password Storage Cheat Sheet to enhance security and prevent exploitation of injection vulnerabilities. [2]