A high-severity SQL injection vulnerability has been identified in Prem's Digi On-Prem Manager. An attacker who has obtained a valid API token can exploit this flaw to execute malicious commands on the underlying database, potentially leading to unauthorized data access, modification, or a complete system compromise. Organizations are urged to apply the vendor-provided security updates immediately to mitigate this significant risk.

This is a SQL injection vulnerability within the API feature of the Digi On-Prem Manager. The application fails to properly sanitize user-supplied input before using it in SQL queries. An attacker with a valid API token can submit a specially crafted API request containing malicious SQL syntax. This input is then executed by the back-end database, allowing the attacker to bypass security controls and interact directly with the database.

This vulnerability is rated as High severity with a CVSS score of 8.8. Successful exploitation could have a severe impact on the business, leading to a major data breach. Potential consequences include the theft of sensitive corporate or customer data, unauthorized modification or deletion of critical information, and potential for further system compromise if the database user has elevated privileges. Such an incident could result in significant financial loss, reputational damage, regulatory fines, and disruption of business operations.

Immediate Action: Apply vendor security updates immediately across all affected instances of the software. After patching, review API and database access logs for any signs of suspicious activity or exploitation attempts that may have occurred prior to remediation.

Proactive Monitoring: Implement continuous monitoring of API endpoints. Specifically, look for unusual or malformed SQL queries in application and database logs. Monitor network traffic for anomalous patterns targeting the API, and configure alerts for repeated failed API authentication attempts or queries that generate database errors.

Compensating Controls: If immediate patching is not feasible, implement the following controls:

• Deploy a Web Application Firewall (WAF) with rules specifically designed to detect and block SQL injection attacks against the API endpoints.
• Conduct a thorough review of all active API tokens. Revoke any unnecessary tokens and enforce the principle of least privilege for all remaining tokens.
• Restrict network access to the API, allowing connections only from trusted IP addresses and internal networks.

Public Exploit Available: false

Due to the high severity (CVSS 8.8) and the potential for complete data compromise, it is our strong recommendation that organizations prioritize the immediate patching of this vulnerability. While this vulnerability is not currently listed on the CISA KEV catalog, its high impact potential warrants immediate attention. If patching is delayed, the compensating controls listed above should be implemented without delay to reduce the attack surface. Furthermore, a comprehensive audit of API token security and access management policies is highly advised.