CVE-2025-10702 is a critical code injection vulnerability classified under CWE-94, affecting Progress DataDirect Connect for JDBC drivers, including those for Amazon Redshift, Apache Cassandra, Hive, Impala, SparkSQL, and many others. The root cause lies in the SpyAttribute connection option, which supports an undocumented syntax construct. If an application allows an end user to specify the SpyAttributes option, an attacker can exploit this to cause the JDBC driver to load an arbitrary class from the class path and execute its constructor, effectively enabling remote code execution. This vulnerability does not require user interaction or authentication, making it highly exploitable in environments where end users can influence connection parameters. The issue affects a broad range of DataDirect JDBC drivers and related products, with fixed versions released across all affected drivers. The CVSS 4.0 base score is 8.6 (high), reflecting network attack vector, low attack complexity, no privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. The vulnerability can lead to full system compromise, data theft, or disruption of services. No known exploits in the wild have been reported yet, but the wide usage of these drivers in enterprise environments increases the risk of targeted attacks. The vulnerability is particularly dangerous because it leverages an undocumented feature, which may not be well understood or monitored by administrators.

The impact of CVE-2025-10702 is significant for organizations using affected Progress DataDirect Connect for JDBC drivers. Successful exploitation allows remote attackers to execute arbitrary code within the context of the application using the JDBC driver, potentially leading to full system compromise. This can result in unauthorized data access, data manipulation, disruption of database services, and lateral movement within corporate networks. Given the wide range of affected drivers supporting major databases and cloud services (e.g., Amazon Redshift, Microsoft SQL Server, Oracle, PostgreSQL, MongoDB, Google BigQuery), the vulnerability threatens critical data infrastructure globally. Enterprises relying on these drivers for data analytics, business intelligence, and operational databases face risks to confidentiality, integrity, and availability of their data assets. The lack of required authentication and user interaction lowers the barrier for exploitation, increasing the likelihood of attacks. Additionally, the vulnerability could be leveraged in supply chain attacks or to bypass existing security controls by injecting malicious code at the driver level.

Organizations should immediately identify all deployments of Progress DataDirect Connect for JDBC drivers and related products in their environments. The primary mitigation is to apply the vendor-provided patches or upgrade to fixed versions as listed in the advisory. Where patching is not immediately feasible, restrict or disable the use of the SpyAttribute connection option, especially preventing end users from specifying or modifying this parameter. Implement strict input validation and sanitization on any user-supplied connection parameters to block attempts to inject malicious syntax. Employ runtime application self-protection (RASP) or behavior monitoring to detect anomalous class loading or constructor execution patterns. Network segmentation and least privilege principles should be enforced to limit the impact of a potential compromise. Regularly audit and monitor logs for unusual JDBC driver activity. Finally, educate developers and administrators about the risks of undocumented features and ensure secure coding practices when handling connection options.