CVE-2025-67805
Unauthorized Access to Sage DPW Database Monitor Exposes Sensitive Data
Publication date: 2026-04-01
Last updated on: 2026-04-07
Assigner: MITRE
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sagedpw | sage_dpw | 2025_06_004 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Sage DPW version 2025_06_004 when it is configured in a non-default way. It allows unauthenticated users to access diagnostic endpoints within the Database Monitor feature. These endpoints expose sensitive information such as hashes and table names. The feature is disabled by default in all installations and is not available in Sage DPW Cloud. Additionally, it was forcibly disabled again in version 2025_06_003.
How can this vulnerability impact me?
The vulnerability can lead to exposure of sensitive information like hashes and database table names to unauthenticated users. This could potentially aid attackers in further exploiting the system or gaining unauthorized access to sensitive data. However, the impact is limited by the fact that the vulnerable feature is disabled by default and not present in the cloud version.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, ensure that the Database Monitor feature is not enabled unless absolutely necessary, as it is disabled by default in all installations.
If you are using version 2025_06_003 or later, the vulnerable feature is forcibly disabled, so upgrading to this version or later is recommended.
Avoid using non-default configurations that enable unauthenticated access to diagnostic endpoints.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows unauthenticated access to diagnostic endpoints exposing sensitive information such as hashes and table names. Exposure of such sensitive data could potentially lead to non-compliance with data protection regulations like GDPR and HIPAA, which require protection of sensitive information and prevention of unauthorized access.
However, since the vulnerable feature is disabled by default and forcibly disabled in recent versions, the risk is mitigated if proper configurations and updates are applied.