CVE-2025-51535

9.1 CRITICAL

📋 TL;DR

OpenAtlas v8.11.0 contains an unrestricted SQL console in the admin UI that allows authenticated administrators to execute arbitrary SQL queries. This vulnerability enables complete database manipulation and potential remote code execution. Only systems running the vulnerable version with admin access are affected.

💻 Affected Systems

Products:
  • OpenAtlas
Versions: v8.11.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires admin authentication to access the vulnerable SQL console interface.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full database compromise leading to data theft, destruction, or remote code execution on the database server, potentially escalating to host system compromise.

🟠 Likely Case

Authenticated administrators could unintentionally or maliciously execute harmful SQL queries, causing data corruption, privilege escalation, or information disclosure.

🟢 If Mitigated

With proper access controls and monitoring, impact is limited to authorized administrators who should already have database access privileges.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires admin credentials but provides direct SQL execution capability once authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Unknown

Restart Required: No

Instructions:

No official patch available. Consider upgrading to a newer version if available or implementing workarounds.

🔧 Temporary Workarounds

Disable Admin SQL Console (applies to: all)

Remove or restrict access to the SQL console functionality in the admin interface.

  • Modify the OpenAtlas configuration to disable the SQL console feature

Restrict Admin Access (applies to: all)

Implement strict access controls and monitoring for admin accounts.

  • Implement MFA for admin accounts
  • Review and reduce admin privileges

🧯 If You Can't Patch

  • Implement network segmentation to isolate OpenAtlas from critical systems
  • Enable detailed logging and monitoring of all admin SQL console activity

🔍 How to Verify

Check if Vulnerable:

Confirm that the OpenAtlas version is 8.11.0 and check whether the admin interface exposes an unrestricted SQL console.

Check Version:

Check OpenAtlas version in application interface or configuration files

Verify Fix Applied:

Verify SQL console is disabled or properly restricted in admin interface.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries from admin accounts
  • Multiple failed SQL syntax attempts
  • Database schema modification attempts

Network Indicators:

  • Unusual database connection patterns from web application server

SIEM Query (Splunk-style pseudo-query; an exact field match such as query="DROP" would only catch a query consisting of that single word, so the keywords are matched as substrings; adjust the source and field names to your log format):

source="openatlas_logs" AND (event="sql_execution" OR query="*DROP*" OR query="*INSERT*" OR query="*UPDATE*")
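The log indicators above (schema modification, data modification, repeated failed SQL attempts) can be turned into a small offline detector. The following Python is an added example written for this page, not code from OpenAtlas or from the advisory; the key=value log layout, the field names and the sample lines are constructed assumptions, so adapt LINE_RE to whatever your deployment actually emits.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines. The key=value layout and the table names are
# assumptions for this example, not OpenAtlas's real log format.
SAMPLE_LOGS = [
    '2025-07-01T10:00:01Z user=admin event=sql_execution status=ok query="SELECT count(*) FROM example_table"',
    '2025-07-01T10:00:05Z user=admin event=sql_execution status=error query="SELEC * FROM example_table"',
    '2025-07-01T10:00:09Z user=admin event=sql_execution status=error query="SELECT * FRM example_table"',
    '2025-07-01T10:00:12Z user=admin event=sql_execution status=error query="SELECT * FROM exampl_table"',
    '2025-07-01T10:01:30Z user=admin event=sql_execution status=ok query="UPDATE example_users SET is_admin = 1 WHERE id = 42"',
    '2025-07-01T10:02:00Z user=admin event=sql_execution status=ok query="select 1; DROP TABLE example_table"',
    '2025-07-01T10:05:00Z user=editor event=login status=ok query=""',
]

LINE_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) '
    r'status=(?P<status>\S+) query="(?P<query>.*)"$'
)

# Statement types that change the schema vs. the data. Classification is by
# the leading keyword of each statement, so a keyword inside a string literal
# ("SELECT 'DROP TABLE' ...") is not a false positive.
DDL = {"DROP", "ALTER", "CREATE", "TRUNCATE", "GRANT", "REVOKE"}
DML = {"INSERT", "UPDATE", "DELETE"}


def leading_keyword(statement):
    """Return the upper-cased first word of a statement, ignoring SQL comments."""
    s = re.sub(r"/\*.*?\*/", " ", statement, flags=re.S)  # block comments
    s = re.sub(r"--[^\n]*", " ", s)                         # line comments
    m = re.match(r"[A-Za-z]+", s.strip())
    return m.group(0).upper() if m else ""


def classify(query):
    """Return the set of change kinds a query contains (may be empty)."""
    kinds = set()
    # Splitting on ';' is a simplification: a ';' inside a string literal
    # would split a statement in two, which at worst adds a spurious keyword.
    for stmt in query.split(";"):
        kw = leading_keyword(stmt)
        if kw in DDL:
            kinds.add("schema_change")
        elif kw in DML:
            kinds.add("data_change")
    return kinds


def analyze(lines, error_threshold=3, window=timedelta(minutes=5)):
    """Scan log lines and return (kind, user, detail) findings in log order."""
    findings = []
    recent_errors = defaultdict(list)  # user -> timestamps of failed queries
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["event"] != "sql_execution":
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        user, query = m["user"], m["query"]

        for kind in sorted(classify(query)):
            findings.append((kind, user, query))

        if m["status"] == "error":
            # Keep only errors inside the sliding window, then fire exactly
            # once when the count reaches the threshold.
            recent = [t for t in recent_errors[user] if ts - t <= window]
            recent.append(ts)
            recent_errors[user] = recent
            if len(recent) == error_threshold:
                findings.append(
                    ("repeated_sql_errors", user,
                     f"{error_threshold} failed queries within {window}")
                )
    return findings


if __name__ == "__main__":
    for kind, user, detail in analyze(SAMPLE_LOGS):
        print(f"[{kind}] user={user}: {detail}")
```

Run against the constructed sample, the detector reports the three failed queries in quick succession, the UPDATE that changes a privilege column, and the DROP hidden behind a harmless-looking `select 1;` prefix. Feed it the real SQL console log once the "detailed logging" workaround above is in place; the indicators are the same ones the SIEM query targets, but the leading-keyword check avoids alerting on SELECTs that merely mention a keyword.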
