Description
A non-default configuration in Sage DPW 2025_06_004 allows unauthenticated access to diagnostic endpoints within the Database Monitor feature, exposing sensitive information such as hashes and table names. This feature is disabled by default in all installations and never available in Sage DPW Cloud. It was forcibly disabled again in version 2025_06_003.
Published: 2026-04-01
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Immediate Patch
AI Analysis

Impact

A configuration oversight in Sage DPW version 2025_06_004 permits anyone to reach diagnostic endpoints of the Database Monitor feature without needing authentication. By accessing these endpoints, an attacker can retrieve sensitive data such as password hashes and database table names. The gap undermines confidentiality and could facilitate further exploitation if the attacker gains deeper insight into the system's structure.

Affected Systems

Sage DPW product version 2025_06_004 is affected. The vulnerability exists because the Database Monitor diagnostic endpoints are enabled by default in this release, whereas earlier releases such as 2025_06_003 had forced the feature to be disabled. The functionality is not present in the Sage DPW Cloud edition.

Risk and Exploitability

The CVSS v3 base score of 5.9 indicates a moderate severity, and the EPSS score of less than 1 percent suggests a low probability of widespread exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires unauthenticated HTTP access to the diagnostic endpoints, so an attacker does not need any credentials. If the endpoints are reachable over the network, an adversary could easily retrieve the exposed information, leading to potential credential compromise or later attacks against the underlying database.

Generated by OpenCVE AI on April 8, 2026 at 21:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the release 2025_06_003 or later, which disables the Database Monitor by default and denies unauthenticated access to diagnostic endpoints.
  • If remaining on 2025_06_004, manually configure the application to disable the Database Monitor feature or block the diagnostic endpoint URLs at the web server or firewall level.
  • Verify that no diagnostic URLs are exposed by performing a quick scan of the application’s accessible paths.
  • Maintain routine updates by monitoring the vendor’s security advisories for future patches.
  • Log and monitor network traffic for repeated attempts to access diagnostic endpoints to detect potential probing activity.

Generated by OpenCVE AI on April 8, 2026 at 21:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 09 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
Title Unauthenticated Access to Database Monitor Diagnostic Endpoints in Sage DPW 2025_06_004

Wed, 08 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Title Unauthenticated Access to Diagnostic Endpoints in Sage DPW
Weaknesses CWE-200
CWE-284

Tue, 07 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Sagedpw
Sagedpw sage Dpw
Weaknesses CWE-306
CPEs cpe:2.3:a:sagedpw:sage_dpw:2025_06_004:*:*:*:*:*:*:*
Vendors & Products Sagedpw
Sagedpw sage Dpw

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Title Unauthenticated Access to Diagnostic Endpoints in Sage DPW
First Time appeared Sage
Sage dpw
Weaknesses CWE-200
CWE-284
Vendors & Products Sage
Sage dpw

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description A non-default configuration in Sage DPW 2025_06_004 allows unauthenticated access to diagnostic endpoints within the Database Monitor feature, exposing sensitive information such as hashes and table names. This feature is disabled by default in all installations and never available in Sage DPW Cloud. It was forcibly disabled again in version 2025_06_003.
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AC:H/AV:N/A:N/C:H/I:N/PR:N/S:U/UI:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Subscriptions

Sage Dpw
Sagedpw Sage Dpw
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-01T15:57:39.349Z

Reserved: 2025-12-12T00:00:00.000Z

Link: CVE-2025-67805

cve-icon Vulnrichment

Updated: 2026-04-01T15:57:33.979Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-01T16:23:48.177

Modified: 2026-04-07T19:39:01.847

Link: CVE-2025-67805

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-09T08:29:26Z

Weaknesses