CVE-2025-56700
Description
Boolean SQL injection vulnerability in the web app of Base Digitale Group spa product Centrax Open PSIM version 6.1 allows a low-level privileged user that has access to the platform to execute arbitrary SQL commands via the datafine parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Centrax Open PSIM 6.1 contains a boolean SQL injection in the datafine parameter of the /sinottici/graphstorico component, exploitable by low-privileged users.
Vulnerability Overview
The web application of Centrax Open PSIM version 6.1 is affected by a boolean SQL injection vulnerability in the /sinottici/graphstorico component. The datafine parameter in the JSON POST request is not properly sanitized, allowing an attacker to inject arbitrary SQL commands into the back-end database query [1][2].
Attack Vector
An attacker with a low-privileged account on the platform can exploit this by sending a crafted POST request to /sinottici/graphstorico with a malicious value in the datafine field [2]. The proof-of-concept demonstrates a time-based boolean SQL injection payload within the datafine parameter, confirming that no additional authentication bypass is required beyond the initial login [2]. This makes the attack accessible to any authenticated user, increasing its practical risk despite the lower privilege requirement.
Impact
Successful exploitation allows the attacker to read, modify, or delete data stored in the database [2]. This could lead to unauthorized access to sensitive information, manipulation of system configuration, or data loss. The impact is amplified in an operational security environment where Centrax Open PSIM manages video surveillance and access control systems [1].
Mitigation
Base Digitale has not officially released an advisory, but the vulnerability affects version 6.1 and prior [2]. Upgrading to Centrax Open PSIM version greater than 6.1 is recommended as the primary mitigation [2]. Users should also apply input validation and parameterized queries as a general security practice.
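To make the mitigation concrete, the following added example (not Centrax Open PSIM's code; the table name, schema and handler names are hypothetical) contrasts the vulnerable pattern, where a JSON date field is spliced into the SQL text, with a hardened handler that validates datafine as a calendar date and binds it as a query parameter:

```python
import re
import sqlite3
from datetime import date

# Constructed in-memory table standing in for a historical-graph data store.
# Hypothetical schema and sample rows; nothing here is the product's real code.
_DB = sqlite3.connect(":memory:")
_DB.execute("CREATE TABLE storico (sensor TEXT, ts TEXT, value REAL)")
_DB.executemany(
    "INSERT INTO storico VALUES (?, ?, ?)",
    [("s1", "2025-01-01", 1.0), ("s1", "2025-01-15", 2.0), ("s1", "2025-02-01", 3.0)],
)

_ISO_DATE = re.compile(r"^\d{4}-\d{2}-\d{2}$")


def build_query_unsafe(datafine: str) -> str:
    """Vulnerable pattern: the request field becomes part of the SQL statement,
    so the database interprets whatever the client sent as query syntax."""
    return f"SELECT ts, value FROM storico WHERE ts <= '{datafine}'"


def validate_datafine(datafine) -> str:
    """Allow-list validation: only a real ISO-8601 calendar date passes."""
    if not isinstance(datafine, str) or not _ISO_DATE.match(datafine):
        raise ValueError("datafine must be YYYY-MM-DD")
    date.fromisoformat(datafine)  # rejects impossible dates such as 2025-02-30
    return datafine


def query_history_safe(body: dict) -> list:
    """Hardened handler: validate first, then bind the value as a parameter
    so it can never change the structure of the statement."""
    datafine = validate_datafine(body.get("datafine"))
    cur = _DB.execute(
        "SELECT ts, value FROM storico WHERE ts <= ? ORDER BY ts", (datafine,)
    )
    return cur.fetchall()


def is_rejected(body: dict) -> bool:
    """True when the hardened handler refuses the request body."""
    try:
        query_history_safe(body)
    except ValueError:
        return True
    return False
```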
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 6.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.