PatchSiren cyber security CVE debrief
CVE-2025-67805 Sagedpw CVE debrief
CVE-2025-67805 describes an exposure in Sage DPW 2025_06_004 where a non-default Database Monitor configuration can allow unauthenticated access to diagnostic endpoints. According to the source description, the affected endpoints can expose sensitive information such as hashes and table names. The feature is disabled by default in all installations, never available in Sage DPW Cloud, and was forcibly disabled again in version 2025_06_003.
- Vendor: Sagedpw
- Product: CVE-2025-67805
- CVSS: MEDIUM 5.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-04-01
- Original CVE updated: 2026-05-10
- Advisory published: 2026-04-01
- Advisory updated: 2026-05-10
Who should care
Sage DPW administrators and security teams responsible for on-premises deployments, especially any environment running 2025_06_004 or any installation where the Database Monitor feature was enabled outside the default configuration.
Technical summary
NVD lists the vulnerable CPE as cpe:2.3:a:sagedpw:sage_dpw:2025_06_004 and assigns CVSS 3.1 vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N (5.9 MEDIUM). The vulnerability is described as unauthenticated access to diagnostic endpoints in the Database Monitor feature under a non-default configuration, resulting in information disclosure rather than integrity or availability impact. NVD also maps the issue to CWE-306 and CWE-200.
Defensive priority
Medium for any on-premises system where Database Monitor is enabled or could be enabled outside the default posture. Lower priority for default installations and Sage DPW Cloud based on the source description, which says the feature is disabled by default and never available in cloud deployments.
Recommended defensive actions
- Verify whether any Sage DPW deployment uses version 2025_06_004.
- Confirm that Database Monitor remains disabled in all non-lab environments.
- If Database Monitor is required, restrict access to the affected diagnostic surfaces and review vendor guidance for the forced-disable behavior introduced in 2025_06_003.
- Search for any exposure of hashes or table names through the diagnostic endpoints and rotate secrets or credentials if sensitive material was revealed.
- Use the official CVE/NVD record and vendor materials to track any further clarification or remediation updates.
Evidence notes
Source corpus indicates: published 2026-04-01 and last modified 2026-05-10; CVSS 3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N; vulnerable CPE cpe:2.3:a:sagedpw:sage_dpw:2025_06_004; references include the official CVE record, NVD detail page, a third-party advisory link, and the product site. The supplied description explicitly states the feature is disabled by default and never available in Sage DPW Cloud.
Official resources
- CVE-2025-67805 CVE record (CVE.org)
- CVE-2025-67805 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference ([email protected] - Third Party Advisory)
- Source reference ([email protected] - Product)
CVE-2025-67805 was publicly disclosed in the official CVE/NVD record on 2026-04-01 and modified on 2026-05-10. No KEV listing is provided in the supplied corpus.