CVE-2025-9273
📋 TL;DR
CVE-2025-9273 is an information disclosure vulnerability in CData API Server's MySQL connector that allows authenticated attackers to read local files from the server. The vulnerability occurs because the MySQL connection enables the LOCAL INFILE option, permitting the MySQL server to request files from the client. This affects installations where CData API Server connects to MySQL databases with authentication enabled.
💻 Affected Systems
- CData API Server
⚠️ Risk & Real-World Impact
Worst Case
Attackers could read sensitive files from the server filesystem including configuration files, credentials, or application data, potentially leading to further compromise.
Likely Case
Limited information disclosure of accessible files within the NETWORK SERVICE context, potentially exposing configuration or temporary files.
If Mitigated
Minimal impact with proper network segmentation, file system permissions, and authentication controls limiting accessible files.
🎯 Exploit Status
Exploitation requires valid authentication credentials and knowledge of the MySQL connection configuration.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not specified in provided reference, check vendor advisory
Vendor Advisory: https://www.zerodayinitiative.com/advisories/ZDI-25-852/
Restart Required: No
Instructions:
1. Update CData API Server to latest version.
2. Apply vendor-provided patch.
3. Verify MySQL connector configuration disables LOCAL INFILE option.
🔧 Temporary Workarounds
Disable LOCAL INFILE in MySQL connector
Modify the MySQL connection configuration to disable the LOCAL INFILE option that allows file reading.
Modify connection string to include: allowLoadLocalInfile=false
🧯 If You Can't Patch
- Restrict file system permissions for NETWORK SERVICE account to limit accessible files
- Implement network segmentation to isolate MySQL connections from sensitive systems
🔍 How to Verify
Check if Vulnerable:
Check MySQL connection configuration for LOCAL INFILE enabled and verify CData API Server version against patched versions
Check Version:
Check CData API Server version through admin interface or configuration files
Verify Fix Applied:
Confirm LOCAL INFILE is disabled in MySQL connection configuration and verify updated version
📡 Detection & Monitoring
Log Indicators:
- Unusual MySQL connection attempts with LOCAL INFILE operations
- Multiple failed authentication attempts followed by successful connections
Network Indicators:
- MySQL protocol traffic with LOCAL INFILE commands from CData API Server
SIEM Query:
SELECT * FROM logs WHERE (process_name LIKE '%CData%' OR service_name LIKE '%CData%') AND (event_description LIKE '%LOCAL INFILE%' OR event_description LIKE '%MySQL file read%')
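The network indicator above can be checked mechanically: in the MySQL client/server protocol, a LOCAL INFILE request is a server-to-client packet with sequence id 1 whose payload begins with 0xFB followed by the requested file name. The Python below is an added example, not CData or ZDI code; it assumes a reassembled, unencrypted, uncompressed server-to-client byte stream, and the function names and sample bytes are constructed for illustration.

```python
LOCAL_INFILE_MARKER = 0xFB  # first payload byte of a LOCAL INFILE request


def iter_packets(stream: bytes):
    """Yield (sequence_id, payload) for each MySQL packet in a byte stream."""
    offset = 0
    while offset + 4 <= len(stream):
        # Header: 3-byte little-endian payload length, then 1-byte sequence id.
        length = int.from_bytes(stream[offset:offset + 3], "little")
        seq = stream[offset + 3]
        payload = stream[offset + 4:offset + 4 + length]
        if len(payload) < length:
            break  # truncated capture: stop rather than misparse
        yield seq, payload
        offset += 4 + length


def find_local_infile_requests(server_to_client: bytes):
    """Return the file names the server asked the client to send."""
    requested = []
    for seq, payload in iter_packets(server_to_client):
        # The request is the first reply to a command (sequence id 1).
        # In later packets 0xFB marks a NULL column in a text result row,
        # so the sequence check keeps ordinary result sets from matching.
        if seq == 1 and payload[:1] == bytes([LOCAL_INFILE_MARKER]):
            requested.append(payload[1:].decode("utf-8", errors="replace"))
    return requested


def packet(seq: int, payload: bytes) -> bytes:
    """Helper (hypothetical) that frames a payload as a MySQL packet."""
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload


# Constructed sample stream, not captured traffic.
SAMPLE = (
    packet(1, b"\x00\x00\x00\x02\x00\x00\x00")      # OK reply to a command
    + packet(1, b"\x02")                            # result set: 2 columns
    + packet(4, b"\xfb\x01a")                       # row: NULL, "a"
    + packet(1, b"\xfbC:\\constructed\\sample.txt")  # LOCAL INFILE request
)

if __name__ == "__main__":
    for name in find_local_infile_requests(SAMPLE):
        print("server requested client file:", name)
```

Sequence ids wrap at 256, so a very large result set can occasionally produce a row packet with sequence id 1; treat a match as a lead to confirm against the query that preceded it.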