CVE-2025-13319 | THREATINT

Description

An injection vulnerability has been discovered in the API feature in Digi On-Prem Manager, enabling an attacker with valid API tokens to inject SQL via crafted input. The API is not enabled by default, and a valid API token is required to perform the attack.

PUBLISHED Reserved 2025-11-17 | Published 2025-11-17 | Updated 2025-11-17 | Assigner Digi

HIGH: 8.8CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Problem types

CWE-20 Improper Input Validation

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Product status

Default status

unaffected

24.12.5 (custom) before 25.08.5

affected

Timeline

2025-11-14:	Vulnerability discovered
2025-11-17:	Fixed version released

References

dom.nettec.no/security-advisories/DOM-25-001/ vendor-advisory

cve.org (CVE-2025-13319)

nvd.nist.gov (CVE-2025-13319)

Download JSON