CVE-2025-12812
Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in Delinea Inc. Cloud Suite and Privileged Access Service.
Remediation: This issue is fixed in Cloud Suite 25.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in Delinea Cloud Suite and Privileged Access Service allows authenticated attackers to execute arbitrary SQL commands. It is fixed in version 25.1.
CVE-2025-12812 is an SQL injection vulnerability in Delinea Cloud Suite and Privileged Access Service. The issue arises from improper neutralization of special elements used in SQL commands, specifically where user-controlled input (such as the SortBy parameter) is not validated before being incorporated into database queries.
To exploit this flaw, an attacker must be authenticated to the affected service. The vulnerability likely manifests in features that allow sorting or filtering of data, where unsanitized input is passed directly into SQL statements. The exact attack vector is not publicly detailed, but the classification as SQL injection indicates that crafted input can manipulate query logic.
Successful exploitation could enable an attacker to read, modify, or delete arbitrary data in the underlying database, potentially leading to privilege escalation or unauthorized access to sensitive information. While the CVSS score is not provided, the severity is rated as Medium, suggesting a significant but not critical impact.
Delinea addressed this vulnerability in Cloud Suite version 25.1, as noted in the release notes [1]. The fix includes added validation for the SortBy value, preventing injection attacks. Organizations using affected versions should upgrade to 25.1 or later to mitigate the risk.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
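The narrative above says the fix added validation for the SortBy value. The following is an added example, not Delinea's code, of how that kind of validation is commonly done: column names and sort direction cannot be bound as query parameters, so the request value is only used as a key into an allowlist. The table, column names, sort keys and sample rows are assumptions constructed for the example.

```python
import sqlite3

# Assumed mapping from API-facing sort keys to real column names (hypothetical schema).
SORT_COLUMNS = {"Name": "name", "Owner": "owner", "Created": "created_at"}
SORT_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def build_order_by(sort_by, direction="asc"):
    """Return an ORDER BY clause made only of tokens from the allowlists.

    Column names and ASC/DESC cannot be bound as query parameters, so the
    request value is used purely as a lookup key and never reaches the SQL text.
    """
    if not isinstance(sort_by, str) or sort_by not in SORT_COLUMNS:
        raise ValueError("unsupported SortBy value")
    if not isinstance(direction, str) or direction.lower() not in SORT_DIRECTIONS:
        raise ValueError("unsupported sort direction")
    return f"ORDER BY {SORT_COLUMNS[sort_by]} {SORT_DIRECTIONS[direction.lower()]}"


def list_accounts(conn, owner, sort_by, direction="asc"):
    """Filter values are bound with '?'; only the allowlisted clause is concatenated."""
    sql = "SELECT name, owner, created_at FROM accounts WHERE owner = ? "
    return conn.execute(sql + build_order_by(sort_by, direction), (owner,)).fetchall()


def demo_db():
    """Constructed sample data for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (name TEXT, owner TEXT, created_at TEXT)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [("svc-backup", "ops", "2025-03-01"),
         ("svc-deploy", "ops", "2025-01-15"),
         ("svc-audit", "sec", "2025-02-10")],
    )
    return conn


if __name__ == "__main__":
    db = demo_db()
    print(list_accounts(db, "ops", "Created", "desc"))
    # Values outside the allowlist are rejected before any SQL is built.
    for bad in ("name", "Name DESC", "Created, owner", None):
        try:
            list_accounts(db, "ops", bad)
        except ValueError as exc:
            print(repr(bad), "->", exc)
```

Rejecting unknown values with an error, rather than silently falling back to a default sort, also gives the application a clear event to log and alert on.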
Affected products (2)
- Range: <25.1
Patches
No patches discovered yet.
References (2)
News mentions
No linked articles in our index yet.