Impact
Improper validation of user input in Delphix Continuous Data connectors permits an authenticated user to inject and execute arbitrary operating system commands on the host where the connector runs. The vulnerability is classified as OS Command Injection (CWE‑78) and results in full compromise of the staging or target machine, allowing attackers to gather data, pivot to other systems, or maintain persistence. An attacker requires valid credentials to log in to the connector, but once inside the application the attacker can run any command the service account is permitted to execute.
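The advisory does not publish the vulnerable code, so the following is an added illustration (not Delphix's code) of the CWE-78 pattern it describes: a hypothetical connector step that builds a database dump command on the staging host from a user-supplied database name. The vulnerable builder splices the value into a shell command line; the hardened builder allowlist-validates it and passes it as a discrete argument with no shell involved. `pg_dump`, the `/backup` path and the sample inputs are constructed for the example.

```python
import re
import subprocess

# Constructed sample inputs for the hypothetical connector (not real data).
SAMPLE_DB = "sales"
INJECTED_DB = "sales; id"   # shell metacharacter followed by a second command

def build_dump_command_vulnerable(db_name: str) -> str:
    # Vulnerable pattern (CWE-78): the user-controlled value is concatenated
    # into a single string that a shell will later parse, so a ';' in the
    # name terminates pg_dump and starts a second command.
    return f"pg_dump {db_name} > /backup/{db_name}.sql"

# Allowlist: identifier characters that no shell interprets.
_IDENTIFIER_RE = re.compile(r"^[A-Za-z0-9_]{1,63}$")

def is_safe_identifier(value: str) -> bool:
    # Reject rather than escape: escaping is easy to get wrong per shell.
    return _IDENTIFIER_RE.fullmatch(value) is not None

def validate_identifier(value: str) -> str:
    if not is_safe_identifier(value):
        raise ValueError(f"invalid identifier: {value!r}")
    return value

def build_dump_command_hardened(db_name: str) -> list[str]:
    # Hardened pattern: validated input becomes one argv element. The list is
    # handed to the OS directly (no shell), so metacharacters are just bytes
    # in an argument, not syntax.
    name = validate_identifier(db_name)
    return ["pg_dump", "--file", f"/backup/{name}.sql", name]

def run_dump_hardened(db_name: str) -> subprocess.CompletedProcess:
    # shell=False is the default for a list argv; never combine user input
    # with shell=True.
    return subprocess.run(build_dump_command_hardened(db_name),
                          capture_output=True, check=False)

if __name__ == "__main__":
    print("vulnerable :", build_dump_command_vulnerable(INJECTED_DB))
    print("hardened   :", build_dump_command_hardened(SAMPLE_DB))
    print("rejected   :", not is_safe_identifier(INJECTED_DB))
```

The same allowlist-plus-argv approach applies to any host-side command a connector runs (backup, restore, replication checks); only the allowed character set changes with the parameter type.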
Affected Systems
The issue affects a range of Delphix Continuous Data connectors, including those for Cassandra, CockroachDB, Couchbase, IBM DB2, MongoDB, MSSQL on Linux, MySQL, Oracle Backup Ingestion, Oracle EBS, PostgreSQL, SAP HANA, and YugabyteDB. Specific version information is not provided in the CNA data, so any installation of these connectors that has not applied the vendor’s patch could be vulnerable.
Risk and Exploitability
With a CVSS score of 8.7 the vulnerability is considered High severity. EPSS data is not available; with no public exploit known but a High severity rating, the likelihood of exploitation is uncertain yet potentially significant, especially in environments where these connectors are enabled. The vulnerability is not listed in the CISA KEV catalog, indicating that no exploitation has been confirmed in the wild at this time. The attack vector is most likely authenticated access to the connector’s management interface, where crafted input can be supplied to trigger command execution.
OpenCVE Enrichment