Description
A non-default configuration in Sage DPW 2025_06_004 allows unauthenticated access to diagnostic endpoints within the Database Monitor feature, exposing sensitive information such as hashes and table names. This feature is disabled by default in all installations and never available in Sage DPW Cloud. It was forcibly disabled again in version 2025_06_003.
Published: 2026-04-01
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Exposure via Unauthenticated Access
Action: Update or Disable
AI Analysis

Impact

The vulnerability permits an attacker to reach diagnostic endpoints without authentication, exposing data such as password hashes and database table names. This results in a confidentiality compromise. The weakness appears to be an improper configuration that allows information exposure and improper access control, as reflected by the inferred CWEs CWE-200 and CWE-284.

Affected Systems

Only installations of Sage DPW version 2025_06_004 are affected, because the Database Monitor diagnostic interface is enabled in this build. The feature is disabled by default in all installations and is removed in the preceding build 2025_06_003, and it is never available in Sage DPW Cloud. Vendors are not identified in the attribution data.

Risk and Exploitability

The CVSS base score of 5.9 indicates moderate severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting limited evidence of active exploitation. The likely attack vector is a remote network connection to the unprotected diagnostic endpoints; no privilege elevation or additional setup is described. Because the exposed data is sensitive, the risk remains non-trivial and warrants timely remediation.

Generated by OpenCVE AI on April 2, 2026 at 03:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the 2025_06_003 configuration or upgrade to a later release where the Database Monitor diagnostic endpoints are removed or permanently disabled.
  • If upgrading is not feasible, manually disable or restrict access to the diagnostic endpoints through application-level or network configuration changes.
  • Ensure the default disabled state remains by enforcing the 2025_06_003 configuration on existing installations.
  • Restrict network access to the host running Sage DPW to trusted IP ranges via firewall or host-based rules.
  • Monitor system logs for unexpected access attempts and review stored credentials for anomalies.

Advisories

No advisories yet.

History

Thu, 02 Apr 2026 20:30:00 +0000

Type                  Values Removed   Values Added
Title                                  Unauthenticated Access to Diagnostic Endpoints in Sage DPW
First Time appeared                    Sage; Sage dpw
Weaknesses                             CWE-200; CWE-284
Vendors & Products                     Sage; Sage dpw

Wed, 01 Apr 2026 23:45:00 +0000

Type           Values Removed   Values Added
Description                     A non-default configuration in Sage DPW 2025_06_004 allows unauthenticated access to diagnostic endpoints within the Database Monitor feature, exposing sensitive information such as hashes and table names. This feature is disabled by default in all installations and never available in Sage DPW Cloud. It was forcibly disabled again in version 2025_06_003.
References
Metrics                         cvssV3_1: {'score': 5.9, 'vector': 'CVSS:3.1/AC:H/AV:N/A:N/C:H/I:N/PR:N/S:U/UI:N'}
                                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-01T15:57:39.349Z

Reserved: 2025-12-12T00:00:00.000Z

Link: CVE-2025-67805

Vulnrichment

Updated: 2026-04-01T15:57:33.979Z

NVD

Status : Awaiting Analysis

Published: 2026-04-01T16:23:48.177

Modified: 2026-04-03T16:11:11.357

Link: CVE-2025-67805

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T20:09:55Z

Weaknesses