Description
A non-default configuration in Sage DPW 2025_06_004 allows unauthenticated access to diagnostic endpoints within the Database Monitor feature, exposing sensitive information such as hashes and table names. This feature is disabled by default in all installations and never available in Sage DPW Cloud. It was forcibly disabled again in version 2025_06_003.
Published: 2026-04-01
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In Sage DPW version 2025_06_004 a non-default configuration enables the Database Monitor diagnostic endpoints. When enabled, these endpoints are accessible without authentication and can return sensitive data such as password hashes and database table names. This flaw compromises confidentiality and could allow an attacker to gain deeper insight into the system, increasing the risk of further exploitation.

Affected Systems

Sage DPW 2025_06_004 is affected when the Database Monitor diagnostic endpoints are enabled through configuration changes. The feature is disabled by default in all installations, is not present in the Cloud edition, and was previously enforced as disabled in version 2025_06_003.

Risk and Exploitability

The CVSS score of 5.9 denotes moderate severity, and the EPSS score of less than 1% indicates a low likelihood of widespread exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an unauthenticated HTTP request to the diagnostic endpoints, which becomes possible only when the application is configured to enable the feature. If the endpoints are reachable over the network, an attacker can readily retrieve the exposed information, leading to credential compromise or additional attacks against the underlying database.

Generated by OpenCVE AI on May 10, 2026 at 16:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a version that defaults to disabling the Database Monitor, such as 2025_06_003, to eliminate the exposed endpoints.
  • If remaining on 2025_06_004, manually configure the application to disable the Database Monitor feature or block the diagnostic endpoint URLs at the web server or firewall level.
  • Scan the application’s accessible paths to verify that no diagnostic URLs are exposed.
  • Maintain routine updates by monitoring the vendor’s security advisories for future patches.
  • Log and monitor network traffic for repeated attempts to access diagnostic endpoints to detect potential probing activity.

Advisories

No advisories yet.

History

Sun, 10 May 2026 16:45:00 +0000

Type Values Removed Values Added
Title Unauthenticated Access to Database Monitor Diagnostic Endpoints in Sage DPW 2025_06_004

Sun, 10 May 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200

Thu, 09 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
Title Unauthenticated Access to Database Monitor Diagnostic Endpoints in Sage DPW 2025_06_004

Wed, 08 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Title Unauthenticated Access to Diagnostic Endpoints in Sage DPW
Weaknesses CWE-200
CWE-284

Tue, 07 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Sagedpw
Sagedpw sage Dpw
Weaknesses CWE-306
CPEs cpe:2.3:a:sagedpw:sage_dpw:2025_06_004:*:*:*:*:*:*:*
Vendors & Products Sagedpw
Sagedpw sage Dpw

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Title Unauthenticated Access to Diagnostic Endpoints in Sage DPW
First Time appeared Sage
Sage dpw
Weaknesses CWE-200
CWE-284
Vendors & Products Sage
Sage dpw

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description A non-default configuration in Sage DPW 2025_06_004 allows unauthenticated access to diagnostic endpoints within the Database Monitor feature, exposing sensitive information such as hashes and table names. This feature is disabled by default in all installations and never available in Sage DPW Cloud. It was forcibly disabled again in version 2025_06_003.
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AC:H/AV:N/A:N/C:H/I:N/PR:N/S:U/UI:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-10T13:59:33.960Z

Reserved: 2025-12-12T00:00:00.000Z

Link: CVE-2025-67805

Vulnrichment

Updated: 2026-04-01T15:57:33.979Z

NVD

Status : Modified

Published: 2026-04-01T16:23:48.177

Modified: 2026-05-10T14:16:45.980

Link: CVE-2025-67805

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-10T16:30:15Z

Weaknesses