CVE-2025-12503
Description
EasyFlow .NET and EasyFlow AiNet developed by Digiwin has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read database contents.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated SQL injection in Digiwin EasyFlow .NET and AiNet allows remote attackers to read database contents.
Vulnerability Overview
CVE-2025-12503 is a SQL injection vulnerability in Digiwin's EasyFlow .NET (version 6.6.19 and earlier) and EasyFlow AiNet (version 8.1.1 and earlier) products. The flaw exists due to insufficient sanitization of user-supplied input, allowing an attacker to inject arbitrary SQL commands into backend queries [1][2].
Exploitation
An attacker must first authenticate to the application. Once authenticated, the attacker can send crafted requests that exploit the SQL injection flaw. The attack is network-based, requires low complexity, and does not require user interaction [2].
Impact
Successful exploitation allows the attacker to read arbitrary database contents, leading to unauthorized access to sensitive data. The CVSS v3.1 score is 6.5 (Medium) with a confidentiality impact of High, while integrity and availability are not affected [2].
Mitigation
Digiwin has released patches for both products: EasyFlow .NET users should update to version 6.6.19 and install patch 20250520; EasyFlow AiNet users should update to version 8.1.1 and install patch 20250520 [2]. No workarounds are mentioned in the advisory.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References: 2
News mentions: 0
No linked articles in our index yet.