{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2025-70420", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-22T15:35:35.730Z", "dateReserved": "2026-01-09T00:00:00.000Z", "datePublished": "2026-04-21T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-21T20:48:54.120Z"}, "descriptions": [{"lang": "en", "value": "A SQL injection vulnerability exists in Genesys Latitude v25.1.0.420 that allows an authenticated attacker to execute arbitrary SQL queries against the backend database. The vulnerability is caused by unsanitized user-supplied input being concatenated directly into SQL statements."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "http://genesys.com"}, {"url": "https://okunsec.com/research/cve-2025-70420"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-89", "lang": "en", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "references": [{"url": "https://okunsec.com/research/cve-2025-70420", "tags": ["exploit"]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-22T13:43:13.474633Z", "id": "CVE-2025-70420", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T15:35:35.730Z"}}]}, "dataVersion": "5.2"}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A SQL injection vulnerability exists in Genesys Latitude v25.1.0.420 that allows an authenticated attacker to execute arbitrary SQL queries against the backend database. The vulnerability is caused by unsanitized user-supplied input being concatenated directly into SQL statements."}], "id": "CVE-2025-70420", "lastModified": "2026-04-21T21:16:22.900", "metrics": {}, "published": "2026-04-21T21:16:22.900", "references": [{"source": "cve@mitre.org", "url": "http://genesys.com"}, {"source": "cve@mitre.org", "url": "https://okunsec.com/research/cve-2025-70420"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Received"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "25.1.0.420"}}], "enrichment": {"confidence": 90.0, "confidence_source": "inferred", "scores": [{"score": 90.0, "source": "inferred"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "latitude", "vendor": "genesys"}], "analysis": {"en": {"generated_at": "2026-04-22T05:50:13.487023+00:00", "value": {"mitigation_remediation": ["Update Genesys Latitude to a patched version that removes the vulnerable code path", "Apply input validation and use parameterized queries to eliminate unsanitized string concatenation", "Limit the database credentials used by Genesys to only the permissions required for its normal operation", "Ensure network segmentation keeps the database isolated from unauthorized network zones"], "summary": {"action": "Patch Immediately", "impact": "SQL Injection enabling unauthorized database access and potential data modification"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Genesys Latitude product, specifically released as version 25.1.0.420. No other vendors or product variants are identified in the current data set.", "description_and_impact": "A SQL injection flaw exists in Genesys Latitude version 25.1.0.420 where unsanitized user\u2011supplied input is concatenated directly into SQL statements. An attacker who can authenticate to the application can craft input that is executed by the backend database, allowing the execution of arbitrary SQL queries. This can lead to unauthorized data exfiltration, tampering, or deletion, compromising both confidentiality and integrity of the stored information.", "risk_and_exploitability": "No public CVSS score is provided, and EPSS information is unavailable, but the vulnerability is known to be exploitable by authenticated users. Because the flaw allows arbitrary SQL execution, the potential impact is significant. The attack is likely carried out through the application's authenticated interface, and it requires the attacker to have valid credentials with sufficient privilege to submit queries to the database. The absence of a KEV listing suggests that widespread exploitation has not yet been observed, yet the high severity inherent to SQL injection warrants immediate attention."}}}}, "created": "2026-04-22T03:30:06.689302+00:00", "title": "SQL Injection in Genesys Latitude Enabling Arbitrary Database Access", "updated": "2026-04-22T11:47:02.869062+00:00", "vendors": ["genesys", "genesys$PRODUCT$latitude"], "weaknesses": ["CWE-89"]}