Title: SQLi in OpenNMS Horizon and Meridian
CVE ID: CVE-2025-53122
CVSSv4 Base Score: 6.9 /AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Vendor: The OpenNMS Group
Products: OpenNMS Horizon
Advisory Release Date: 26/06/2025
Advisory URL: https://labs.integrity.pt/advisories/cve-2025-53122
Credits: Discovery by Fábio Tomé (fabio.tome@devoteam.com)
OpenNMS is an open-source network monitoring platform for visualizing and monitoring local and distributed networks. An Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in the OpenNMS Horizon and Meridian applications allows SQL injection.
>= 25.2.1, <= 33.1.6, 33.1.7
>= 33.0.8, <= 33.1.6, 33.1.7
unknown from >= 25.2.1, <= 33.1.6, 33.1.7
Upgrade to Meridian 2024.2.6 or newer, or Horizon 33.16 or newer.
26/04/2024 - Bug reported to OpenNMS
13/04/2025 - Bug verified by OpenNMS
22/04/2025 - Solved by OpenNMS
26/06/2025 - Advisory released
https://nvd.nist.gov/vuln/detail/CVE-2025-53122
https://github.com/OpenNMS/opennms/pull/7709
https://opennms.atlassian.net/browse/NMS-17876
https://github.com/advisories/GHSA-gf77-whxf-fmrr