VYPR
High severity 8.8 · NVD Advisory · Published Apr 21, 2026 · Updated May 13, 2026

CVE-2025-70420

Description

A SQL injection vulnerability exists in Genesys Latitude v25.1.0.420 that allows an authenticated attacker to execute arbitrary SQL queries against the backend database. The vulnerability is caused by unsanitized user-supplied input being concatenated directly into SQL statements.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An authenticated SQL injection in Genesys Latitude v25.1.0.420 allows attackers to execute arbitrary SQL queries via the /InteractionCollectorWebClient/api/inventory endpoint.

Vulnerability

Overview

CVE-2025-70420 is an authenticated SQL injection vulnerability in Genesys Latitude v25.1.0.420, a debt collection platform that handles sensitive PII and financial data. The root cause is unsanitized user-supplied input being concatenated directly into SQL statements, specifically in the status parameter of the /InteractionCollectorWebClient/api/inventory endpoint [1].

Exploitation

An authenticated attacker can exploit this by appending a single quote to the status parameter value, which triggers a database error indicating improper input handling. Using automated tools like SQLMap, an attacker can enumerate the database system, including its version and databases [1]. The endpoint is accessible via the "Agent Desktop" navigation menu under the "Inventory" link.

Impact

Successful exploitation allows an attacker to execute arbitrary SQL queries against the backend database. While the researcher was unable to extract sensitive data from the "Latitude" table due to possible additional database-layer protections, the vulnerability still poses a significant risk to the confidentiality and integrity of the database [1].

Mitigation

As of the publication date (2026-04-21), no official patch has been released despite multiple vendor notification attempts starting in December 2025 [1]. Users should apply input validation and parameterized queries as a workaround and monitor for vendor updates.
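To make the root cause and the mitigation concrete, the following added example (not Genesys code) places the concatenation pattern the advisory describes beside the parameterized form recommended above, and adds a small access-log check for the single-quote probing symptom mentioned under Exploitation. The table schema, the log-line shape and the assumption that the status parameter travels in the query string are all constructed here.

```python
import sqlite3
from urllib.parse import parse_qs, urlsplit

INVENTORY_PATH = "/InteractionCollectorWebClient/api/inventory"  # endpoint named in the advisory


def make_db():
    """Constructed in-memory stand-in for an inventory table (hypothetical schema, not Latitude's)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE inventory (id INTEGER, status TEXT)")
    conn.executemany("INSERT INTO inventory VALUES (?, ?)",
                     [(1, "open"), (2, "closed"), (3, "open")])
    return conn


def inventory_by_status_vulnerable(conn, status):
    """Root-cause pattern from the advisory: the status value is concatenated into the SQL text."""
    sql = "SELECT id FROM inventory WHERE status = '" + status + "'"
    return [row[0] for row in conn.execute(sql)]


def inventory_by_status_fixed(conn, status):
    """Parameterized form: the value is bound separately and is never parsed as SQL."""
    rows = conn.execute("SELECT id FROM inventory WHERE status = ?", (status,))
    return [row[0] for row in rows]


def probe(lookup, conn, status):
    """Run one lookup and report whether it raised a database error (the symptom the advisory describes)."""
    try:
        return {"rows": lookup(conn, status), "error": None}
    except sqlite3.Error as exc:
        return {"rows": None, "error": type(exc).__name__}


def is_status_probe(request_line):
    """Detection helper for access logs: flag requests to the inventory endpoint whose status
    value carries a single quote. Assumes the parameter is passed in the query string."""
    try:
        target = request_line.split()[1]  # 'METHOD target HTTP/x' request-line shape (assumed)
    except IndexError:
        return False
    parts = urlsplit(target)
    if parts.path != INVENTORY_PATH:
        return False
    return any("'" in value for value in parse_qs(parts.query).get("status", []))
```

With the same stray quote, the concatenated query fails with a database error while the parameterized one simply returns no rows.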

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • Genesys/Latitude, 2 versions:
    • cpe:2.3:a:genesys:latitude:25.1.0.420:*:*:*:*:*:*:*
    • (no CPE) range: =25.1.0.420

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (2)

News mentions (2)