VYPR
Moderate severity · NVD Advisory · Published Sep 11, 2025 · Updated Nov 25, 2025

CVE-2025-56556

Description

An issue was discovered in Subrion CMS 4.2.1, allowing authenticated administrators or moderators with access to the built-in Run SQL Query feature under the SQL Tool admin panel to gain escalated privileges in the context of the SQL query tool.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Subrion CMS 4.2.1 allows administrators and, critically, moderators to execute unrestricted SQL queries via the SQL Tool, enabling privilege escalation and database takeover.

Vulnerability

Overview

CVE-2025-56556 concerns an improper access control vulnerability in Subrion CMS version 4.2.1. The built-in Run SQL Query feature in the admin panel's SQL Tool is intended to be accessible by both Administrator and Moderator roles. However, the application fails to enforce role-based restrictions on the types of SQL statements that can be executed [1][2].

Exploitation and Attack Surface

An authenticated user with the Moderator role (a role ranked below Administrator) can open the SQL Tool and execute arbitrary SQL without any filtering or restriction, including high-privilege statements such as CREATE USER, GRANT ALL PRIVILEGES, and DROP TABLE (DDL and account-management statements). The attack surface is the admin panel, so exploitation requires prior authentication with at least a Moderator account [2].

Impact

A successful attack enables a Moderator to escalate privileges to a level equivalent to full MySQL root access within the database context. This can be used to create new database users with elevated privileges, modify or delete existing users, and drop entire database tables, leading to a complete takeover of the application's database [2].

Mitigation

The vendor has not released a patch as of the publication date. Recommended mitigations include enforcing strict role-based query restrictions that block high-privilege operations for Moderators, or implementing a whitelist that only permits safe SQL statements such as SELECT, INSERT, and UPDATE [2]. The Subrion project is open source, and users are encouraged to apply custom access controls or use the latest version available [3].
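As an added illustration of the allowlist mitigation described above (this is not code from Subrion or from this advisory), the following stand-alone Python gate classifies each statement submitted to a hypothetical SQL tool and lets a Moderator run only SELECT, INSERT and UPDATE while an Administrator stays unrestricted. It also handles the two ways a simple "first word" check is usually bypassed: a verb hidden behind leading comments, and a forbidden statement stacked after a permitted one with a semicolon. The role names and function names are assumptions.

```python
import re

MODERATOR_ALLOWED = {"SELECT", "INSERT", "UPDATE"}  # allowlist from the advisory
# Leading whitespace and SQL comments (/* */, --, #) that could hide the verb.
_LEADING_NOISE = re.compile(r"^(?:\s+|/\*.*?\*/|--[^\n]*\n?|#[^\n]*\n?)+", re.S)

def split_statements(sql: str) -> list[str]:
    """Split on ';' outside quotes so every stacked statement is checked."""
    stmts, buf, quote, escaped = [], [], None, False
    for ch in sql:
        if quote:
            buf.append(ch)
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == quote:
                quote = None
        elif ch in ("'", '"', "`"):
            quote = ch
            buf.append(ch)
        elif ch == ";":
            stmts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    stmts.append("".join(buf))
    return [s for s in stmts if s.strip()]

def statement_type(stmt: str) -> str:
    """Return the leading SQL keyword (e.g. 'DROP') after stripping comments."""
    body = _LEADING_NOISE.sub("", stmt)
    m = re.match(r"[A-Za-z]+", body)
    return m.group(0).upper() if m else "UNKNOWN"

def authorize_sql(role: str, sql: str) -> tuple[bool, str]:
    """Decide whether `role` may run `sql` in the tool; returns (allowed, reason)."""
    if role == "administrator":
        return True, "administrator: unrestricted"
    if role != "moderator":
        return False, "role has no SQL tool access"
    stmts = split_statements(sql)
    if not stmts:
        return False, "empty query"
    for s in stmts:
        kind = statement_type(s)
        if kind not in MODERATOR_ALLOWED:  # deny on the first disallowed statement
            return False, f"{kind} not permitted for moderator"
    return True, "ok"
```

Even allowlisted statements can change application data (an UPDATE to whatever table stores user roles, for example), so a statement-type gate is a stopgap rather than a substitute for removing the tool from the Moderator role.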

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: intelliants/subrion (Packagist)
Affected versions: <= 4.2.1
Patched versions: none

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0 (no linked articles in our index yet)