Caseflow Acumen – SQL Injection – Security Advisory – TCS-02-25
Release Date | 28-July-2025
Last Update | 28-July-2025
Vendor Notification Date | 25-Jan-2025
Product | Caseflow Acumen
Platform | Software
Affected versions | < 10.0.15
Severity Rating | Critical
Impact | Full access to the Caseflow database without authentication.
Attack Vector | Local or remote, no authentication required.
Solution Status | Vendor patch available
CVE reference | Not yet assigned
Technical Details
A time-based blind SQL injection vulnerability exists in the application's login process. The username parameter of the login request is not properly validated or parameterised before it reaches the database, so an attacker can append arbitrary T-SQL to the query, in this case a WAITFOR DELAY statement that pauses query execution for a chosen number of seconds. The application returns no query output or database error, so the delay in the HTTP response is the only signal; that is enough both to confirm the injection and, by making the delay conditional, to extract data one true/false answer at a time.
Affected Parameter: username field in the JSON payload
Endpoint: POST /Caseflow/Login/GetAuthorisationCode
Proof of Concept (PoC) – HTTP Request
POST /Caseflow/Login/GetAuthorisationCode HTTP/1.1
Host: clients.domain.com.au
Content-Type: application/json; charset=UTF-8

{
  "trustedLogin": false,
  "username": "fabbro' WAITFOR DELAY '0:0:08'--",
  "password": "password"
}
Impact
Through this time-based SQL injection, the following sample data was retrieved:
- Database Version: Microsoft SQL Server 2019
- Database User: rf_escu
- Database Names: CF_Prod, DMS_Data_cloud
- Table Names: CDICOL, CDIDES, CDIGRP, etc.
Because the injection is blind, data can only be retrieved one yes/no answer at a time, so exfiltration is slower than with error-based or union-based injection, but it is easily automated. Given enough time, an attacker could enumerate and extract the entire database.
Remediation
Patch Management
- The vendor released a patch on the 29th February 2025. Update to version 10.0.15 or later.
Temporary Strategy
- If the application is exposed directly to the Internet, block that access (for example, restrict it to trusted networks) until the patch can be applied.
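Until the patch is in place, login attempts carrying this payload are worth alerting on as well as blocking. The following Python script is an added example, not part of the advisory: it scans constructed JSON-lines access-log records (a made-up format that captures the request body and the response time) for POST requests to the login endpoint whose username contains T-SQL delay or comment sequences, and separately flags logins that took longer than a few seconds, the symptom of a successful WAITFOR DELAY. The rule names, the 5-second threshold, the log format and every log line are assumptions.

```python
import json
import re
from dataclasses import dataclass

# Endpoint named in the advisory.
LOGIN_PATH = "/Caseflow/Login/GetAuthorisationCode"
# A genuine login completes well under a second; the PoC delays by 8 s.
# Assumed threshold: anything at or above this is treated as a delay symptom.
SLOW_LOGIN_MS = 5000

# Sequences that have no business in a username: the WAITFOR DELAY primitive
# from the PoC, SQL comment terminators, and a closing quote followed by a
# T-SQL keyword or statement separator.
SUSPICIOUS_USERNAME = [
    ("tsql_time_delay", re.compile(r"\bWAITFOR\s+DELAY\b", re.IGNORECASE)),
    ("sql_comment_terminator", re.compile(r"--|/\*")),
    ("quote_then_keyword",
     re.compile(r"'\s*(?:OR|AND|IF|UNION|SELECT)\b|'\s*;", re.IGNORECASE)),
]


@dataclass(frozen=True)
class Finding:
    line_no: int
    client: str
    rule: str
    detail: str


def inspect_record(line_no: int, rec: dict) -> list[Finding]:
    """Apply the login-injection rules to one access-log record."""
    findings: list[Finding] = []
    if rec.get("method") != "POST" or rec.get("path") != LOGIN_PATH:
        return findings
    client = rec.get("client", "?")
    try:
        body = json.loads(rec.get("body", ""))
    except json.JSONDecodeError:
        body = {}          # form-encoded or truncated body: only the timing rule applies
    username = str(body.get("username", "")) if isinstance(body, dict) else ""
    for rule, pattern in SUSPICIOUS_USERNAME:
        if pattern.search(username):
            findings.append(Finding(line_no, client, rule, username))
    if rec.get("duration_ms", 0) >= SLOW_LOGIN_MS:
        findings.append(Finding(line_no, client, "slow_login_response",
                                f"{rec['duration_ms']} ms"))
    return findings


def scan_log(lines) -> list[Finding]:
    """Scan JSON-lines access-log records; malformed lines are skipped."""
    findings: list[Finding] = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        findings.extend(inspect_record(n, rec))
    return findings


def _rec(client, path, body, duration_ms, method="POST"):
    """Build one constructed log line in the assumed format."""
    return json.dumps({"ts": "2025-07-28T09:00:00Z", "client": client,
                       "method": method, "path": path, "status": 200,
                       "duration_ms": duration_ms,
                       "body": json.dumps(body) if isinstance(body, dict) else body})


# Constructed sample log: one benign login, the PoC payload, a legitimate
# apostrophe, a stacked-query variant, a non-JSON body and an unrelated GET.
SAMPLE_LOG = [
    _rec("198.51.100.7", LOGIN_PATH,
         {"trustedLogin": False, "username": "jsmith", "password": "..."}, 140),
    _rec("203.0.113.10", LOGIN_PATH,
         {"trustedLogin": False, "username": "fabbro' WAITFOR DELAY '0:0:08'--",
          "password": "password"}, 8012),
    _rec("198.51.100.7", LOGIN_PATH,
         {"trustedLogin": False, "username": "o'brien", "password": "..."}, 155),
    _rec("203.0.113.10", LOGIN_PATH,
         {"trustedLogin": False, "username": "admin'; WAITFOR DELAY '0:0:05'--",
          "password": "x"}, 5040),
    _rec("198.51.100.8", LOGIN_PATH, "username=jsmith&password=x", 60),
    _rec("198.51.100.9", "/Caseflow/Home", "", 30, method="GET"),
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no} {f.client} {f.rule}: {f.detail}")
```

The quote rule deliberately ignores a bare apostrophe (o'brien) so real names do not page anyone; the timing rule is independent of the payload text, so it still fires when an attacker encodes or pads the payload to dodge the regexes. Tune the comment-terminator rule if your usernames can legitimately contain "--".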
Discovered by
Fabrizio Fedele
Senior Security Consultant
Trinity Cyber Security