CVE-2025-56699
Description
SQL injection vulnerability in the cmd component of Base Digitale Group spa product Centrax Open PSIM version 6.1 allows an unauthenticated user to execute arbitrary SQL commands via the sender parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated SQL injection in Centrax Open PSIM 6.1 via sender parameter in /cmd component allows arbitrary SQL execution.
Centrax Open PSIM version 6.1 contains a SQL injection vulnerability in the /cmd component. The sender parameter is not properly sanitized before being used in SQL queries, allowing an attacker to inject arbitrary SQL syntax.
The vulnerability can be exploited by an unauthenticated attacker sending a crafted HTTP POST request to the /cmd endpoint with a JSON payload containing malicious SQL in the sender field. The proof-of-concept demonstrates a time-based SQL injection using a SLEEP() command, and tools like sqlmap can automate exploitation [2].
Successful exploitation allows the attacker to execute arbitrary SQL commands on the back-end database, potentially reading, modifying, or deleting sensitive data. This could include credentials, configuration, or operational data [2].
The vendor recommends upgrading Centrax Open PSIM to a version greater than 6.1 to mitigate this issue [2].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
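The time-based injection described above leaves a distinctive trace in web-server logs: a POST to /cmd whose JSON sender field carries a delay primitive, usually paired with an abnormally slow response. The following detector is an added example, not code from the advisory or from Base Digitale Group; the log format, the sample lines and the 3000 ms latency threshold are constructed assumptions.

```python
import json
import re

# Constructed sample access-log lines (assumed format: method path status latency_ms body).
SAMPLE_LOG = [
    'POST /cmd 200 12 {"sender":"gate01","action":"status"}',
    'POST /cmd 200 5004 {"sender":"gate01\' AND SLEEP(5)-- ","action":"status"}',
    'POST /cmd 200 9 {"sender":"panel7","action":"arm"}',
    'GET /login 302 3 -',
]

# Delay primitives used by time-based SQL injection on common back ends.
TIME_BASED_SQLI = re.compile(
    r"\b(SLEEP|BENCHMARK|PG_SLEEP)\s*\(|\bWAITFOR\s+DELAY\b", re.IGNORECASE
)
LATENCY_THRESHOLD_MS = 3000  # assumption: normal /cmd calls finish well under this

LOG_RE = re.compile(
    r"^(?P<method>\S+) (?P<path>\S+) (?P<status>\d{3}) (?P<latency>\d+) (?P<body>.*)$"
)


def parse_line(line):
    """Split one log line into fields; JSON body is decoded when present."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["latency"] = int(rec["latency"])
    try:
        rec["json"] = json.loads(rec["body"])
    except ValueError:
        rec["json"] = None
    return rec


def scan(lines):
    """Return alerts for POST /cmd requests whose 'sender' looks like a time-based probe.
    The pattern match is the primary signal; high latency corroborates a successful delay."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != "/cmd":
            continue
        body = rec["json"]
        sender = body.get("sender") if isinstance(body, dict) else None
        if not isinstance(sender, str):
            continue
        reasons = []
        if TIME_BASED_SQLI.search(sender):
            reasons.append("time-delay SQL primitive in sender")
        if rec["latency"] >= LATENCY_THRESHOLD_MS:
            reasons.append(f"latency {rec['latency']}ms")
        if reasons:
            alerts.append({"sender": sender, "reasons": reasons})
    return alerts
```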
Affected products
- Range: =6.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.