Description
A SQL injection vulnerability exists in Genesys Latitude v25.1.0.420 that allows an authenticated attacker to execute arbitrary SQL queries against the backend database. The vulnerability is caused by unsanitized user-supplied input being concatenated directly into SQL statements.
Published: 2026-04-21
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection enabling unauthorized database access and potential data modification
Action: Patch Immediately
AI Analysis

Impact

A SQL injection flaw exists in Genesys Latitude version 25.1.0.420 where unsanitized user‑supplied input is concatenated directly into SQL statements. An attacker who can authenticate to the application can craft input that closes the intended SQL literal, so that the remainder of the value is parsed and executed by the backend database as SQL. This allows execution of arbitrary queries and can lead to unauthorized data exfiltration, tampering, or deletion; the CVSS vector rates confidentiality, integrity and availability of the stored data all as High (C:H/I:H/A:H).

Affected Systems

The vulnerability affects the Genesys Latitude product, specifically released as version 25.1.0.420. No other vendors or product variants are identified in the current data set.

Risk and Exploitability

The CVSS 3.1 base score of 8.8 (vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) denotes High severity: the flaw is reachable over the network with low attack complexity, needs no user interaction, and requires only low-privileged credentials (PR:L, i.e. an ordinary application account rather than administrative or database-level access). The EPSS score of less than 1% estimates a low probability of in-the-wild exploitation over the coming 30 days; it says nothing about how hard the flaw is to exploit, and because the result is arbitrary SQL execution the potential impact is significant. The SSVC assessment on this page records Exploitation as "poc", so a proof of concept is known, and "Automatable: no", reflecting that an attacker must first obtain valid credentials. The CVE is not listed in CISA's KEV catalog, so widespread exploitation has not been observed, but the severity of the flaw warrants immediate attention.

Generated by OpenCVE AI on April 27, 2026 at 19:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Genesys Latitude to a version the vendor identifies as fixed; no fixed version or vendor advisory is listed on this page at the time of writing, so confirm availability with Genesys directly
  • Replace string concatenation with parameterized (prepared) statements for every query that carries user-supplied values; treat input validation as defence in depth, not as the primary control, since allow-lists are easy to get wrong and a bound parameter is never parsed as SQL
  • Limit the database credentials used by Genesys Latitude to only the permissions required for its normal operation (no DDL, no write access on tables the application only reads), so that an injected statement cannot reach beyond what the application itself can do
  • Ensure network segmentation keeps the database isolated from unauthorized network zones

Generated by OpenCVE AI on April 27, 2026 at 19:54 UTC.
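As an added example, not Genesys Latitude code (the page does not identify the vulnerable statement or parameter), the following Python program reproduces the pattern the description names, user input concatenated into a SQL statement, next to the two controls recommended above: a parameterized query and a least-privilege database connection. The `accounts` table, the `ref` lookup, the sample rows and the injected inputs are all constructed for the illustration; SQLite stands in for whatever backend Latitude uses, and its read-only URI mode stands in for a restricted database account.

```python
"""Added illustration of CWE-89 (string concatenation into SQL) beside the two
controls recommended on this page: parameterized queries and a least-privilege
database connection.  Not Genesys Latitude code: the schema, the lookup
functions, the sample rows and the injected inputs are all constructed here.
SQLite stands in for the real backend, and its read-only URI mode stands in for
a restricted database account."""
import os
import pathlib
import sqlite3
import tempfile

# Constructed sample data: a small collections-style accounts table.
SAMPLE_ROWS = [
    ("ACC-1001", "Alice Example", 1250.00),
    ("ACC-1002", "Bob Example", 80.50),
    ("ACC-1003", "Carol Example", 9999.99),
]

# Constructed attacker inputs.  The first turns a lookup into a tautology; the
# second closes the statement and appends a destructive one (stacked query).
INJECTED_READ = "x' OR '1'='1"
INJECTED_WRITE = "x'; DELETE FROM accounts; --"


def build_db(path):
    """Create the sample schema at `path` and load the constructed rows."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE accounts (ref TEXT PRIMARY KEY, holder TEXT, "
        "balance REAL, note TEXT DEFAULT '')"
    )
    conn.executemany(
        "INSERT INTO accounts (ref, holder, balance) VALUES (?, ?, ?)", SAMPLE_ROWS
    )
    conn.commit()
    conn.close()


def lookup_vulnerable(conn, account_ref):
    """The flawed pattern: the caller's string is spliced into the SQL text, so a
    quote inside it ends the literal and the rest is parsed as SQL."""
    sql = "SELECT ref, holder, balance FROM accounts WHERE ref = '" + account_ref + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, account_ref):
    """The fix: the value is bound to a placeholder and is never parsed as SQL."""
    sql = "SELECT ref, holder, balance FROM accounts WHERE ref = ?"
    return conn.execute(sql, (account_ref,)).fetchall()


def mark_viewed_vulnerable(conn, account_ref):
    """Same flaw in a write path on a driver that accepts several statements per
    call (modelled with executescript), so a stacked DELETE becomes reachable."""
    sql = "UPDATE accounts SET note = 'viewed' WHERE ref = '" + account_ref + "'"
    conn.executescript(sql)


def run_demo():
    """Exercise the vulnerable and hardened paths on a fresh database and return
    the observed outcomes."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        build_db(path)
        rw = sqlite3.connect(path)  # what an over-privileged app account can do
        ro = sqlite3.connect(pathlib.Path(path).as_uri() + "?mode=ro", uri=True)
        results = {
            "vuln_rows": len(lookup_vulnerable(rw, INJECTED_READ)),     # 3: whole table
            "safe_rows": len(lookup_parameterized(rw, INJECTED_READ)),  # 0: no such ref
        }
        # Stacked DELETE through the read-only (least-privilege) connection fails.
        try:
            mark_viewed_vulnerable(ro, INJECTED_WRITE)
            results["ro_write_blocked"] = False
        except sqlite3.OperationalError as exc:
            results["ro_write_blocked"] = "readonly" in str(exc)
        results["rows_after_ro"] = rw.execute("SELECT COUNT(*) FROM accounts").fetchone()[0]
        # The same injection through the read-write connection empties the table.
        mark_viewed_vulnerable(rw, INJECTED_WRITE)
        results["rows_after_rw"] = rw.execute("SELECT COUNT(*) FROM accounts").fetchone()[0]
        ro.close()
        rw.close()
        return results
    finally:
        os.remove(path)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Running the script shows the tautology input returning every row from the concatenated query and nothing from the parameterized one, and the stacked DELETE wiping the table over the read-write connection while being refused over the read-only one. The read-only mode is only a stand-in: a real least-privilege account must still allow the writes the application legitimately performs, so it narrows the blast radius rather than removing the injection; the parameterized query is the actual fix.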


Advisories

No advisories yet.

History

Wed, 13 May 2026 16:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:genesys:latitude:25.1.0.420:*:*:*:*:*:*:*

Mon, 27 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Title SQL Injection in Genesys Latitude Enabling Arbitrary Database Access

Wed, 22 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 22 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared: Genesys; Genesys latitude
Vendors & Products: Genesys; Genesys latitude

Wed, 22 Apr 2026 03:45:00 +0000

Type Values Removed Values Added
Title SQL Injection in Genesys Latitude Enabling Arbitrary Database Access
Weaknesses CWE-89

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description A SQL injection vulnerability exists in Genesys Latitude v25.1.0.420 that allows an authenticated attacker to execute arbitrary SQL queries against the backend database. The vulnerability is caused by unsanitized user-supplied input being concatenated directly into SQL statements.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Updated: 2026-04-22T15:35:35.730Z

Reserved: 2026-01-09T00:00:00.000Z

Link: CVE-2025-70420

Vulnrichment

Updated: 2026-04-22T13:48:33.510Z

NVD

Status : Analyzed

Published: 2026-04-21T21:16:22.900

Modified: 2026-05-13T16:01:29.323

Link: CVE-2025-70420

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-27T20:00:05Z

Weaknesses