Platform
php
Component
windesk.fm
Fixed in
2.3.4
CVE-2025-11252 identifies a SQL Injection vulnerability within Signum Technology Promotion and Training Inc.'s Windesk.Fm application. This flaw allows attackers to inject malicious SQL code, potentially leading to data breaches and system compromise. The vulnerability affects versions 0 through 2.3.4, and a patch has been released by the vendor.
Successful exploitation of this SQL Injection vulnerability could grant an attacker complete control over the Windesk.Fm database. This includes the ability to read, modify, or delete sensitive data such as user credentials, financial records, or application configuration. Lateral movement within the network is possible if the database has access to other systems. The blast radius extends to any data stored within the Windesk.Fm database, potentially impacting the confidentiality, integrity, and availability of critical business information. While no public exploits are currently available, the CRITICAL severity underscores the potential for significant damage if exploited.
CVE-2025-11252 was published on 2026-02-27. It is not currently listed on the CISA KEV catalog. The vulnerability's CRITICAL CVSS score indicates a high probability of exploitation if left unpatched. While no public proof-of-concept exploits are currently available, the ease of SQL Injection exploitation suggests that attackers may develop and deploy them in the future.
Exploit Status
EPSS
0.04% (12% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-11252 is to immediately upgrade Windesk.Fm to version 2.3.4 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds such as input validation and parameterized queries to sanitize user input. Web application firewalls (WAFs) configured with rules to detect and block SQL Injection attempts can also provide a layer of defense. Monitor Windesk.Fm logs for suspicious SQL queries and unusual database activity. After upgrading, confirm the vulnerability is resolved by attempting a SQL Injection attack on a non-critical endpoint and verifying that the input is properly sanitized.
Update to version 2.3.4 or later to mitigate the SQL Injection vulnerability. The update corrects how special elements are handled in SQL commands, preventing exploitation of the vulnerability. Refer to the vendor documentation for detailed instructions on how to update.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-11252 is a critical SQL Injection vulnerability affecting Windesk.Fm versions 0 through 2.3.4, allowing attackers to execute arbitrary SQL commands and potentially access sensitive data.
If you are using Windesk.Fm versions 0 to 2.3.4, you are vulnerable to this SQL Injection flaw. Immediate action is required.
Upgrade Windesk.Fm to version 2.3.4 or later to resolve the vulnerability. Consider temporary workarounds like input validation if immediate upgrade is not possible.
While no public exploits are currently known, the CRITICAL severity suggests a high potential for exploitation if left unpatched.
Refer to the vendor's official security advisory for detailed information and updates regarding CVE-2025-11252.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.