
CVE-2025-13163: CWE-522 Insufficiently Protected Credentials in Digiwin EasyFlow GP

Severity: Medium
Published: Mon Nov 17 2025 (11/17/2025, 06:17:06 UTC)
Source: CVE Database V5
Vendor/Project: Digiwin
Product: EasyFlow GP

Description

EasyFlow GP developed by Digiwin has an Insufficiently Protected Credentials vulnerability, allowing privileged remote attackers to obtain plaintext database account credentials from the system frontend.

AI-Powered Analysis

Last updated: 11/24/2025, 07:08:12 UTC

Technical Analysis

CVE-2025-13163 identifies an insufficiently protected credentials vulnerability (CWE-522) in Digiwin EasyFlow GP, specifically affecting versions 5.8.8.3 and all 8.1.* releases. The vulnerability allows privileged remote attackers to extract plaintext database account credentials directly from the system frontend interface. This flaw arises because the application does not adequately safeguard sensitive credential information, exposing it in an accessible manner to users with elevated privileges. The CVSS 4.0 base score is 6.9, reflecting network attack vector (AV:N), low attack complexity (AC:L), no attack requirements (AT:N), but requiring high privileges (PR:H). There is no user interaction needed (UI:N), and the vulnerability impacts confidentiality heavily (VC:H) without affecting integrity or availability. No known exploits have been reported in the wild, and no patches have been linked yet. The vulnerability's technical risk lies in the potential for attackers with privileged access to escalate their control by leveraging exposed database credentials, potentially compromising backend data stores and sensitive business information. The vulnerability does not involve privilege escalation or bypass but exposes critical secrets that could be used in further attacks or lateral movement within the network.
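For inventory triage against the affected versions named above, the following is an added example, not part of the advisory or of any Digiwin tooling. The hostnames, the inventory format and the function names are assumptions; matching is done per version component so that a build such as 8.10.2 is not mistaken for an 8.1.* release.

```python
import re

# Affected releases as stated in the advisory: 5.8.8.3 and all 8.1.* builds.
AFFECTED_PATTERNS = ["5.8.8.3", "8.1.*"]


def components(version):
    """Split a version string into normalised numeric components."""
    cleaned = version.strip().lstrip("vV")
    if not re.fullmatch(r"\d+(\.\d+)*", cleaned):
        raise ValueError(f"unparseable version: {version!r}")
    return [str(int(part)) for part in cleaned.split(".")]


def is_affected(version, patterns=AFFECTED_PATTERNS):
    """Return True when the version is listed as affected by the advisory."""
    parts = components(version)
    for pattern in patterns:
        want = pattern.split(".")
        if want[-1] == "*":
            prefix = want[:-1]
            # Compare whole components, never a string prefix ("8.1" vs "8.10").
            if parts[:len(prefix)] == prefix:
                return True
        elif parts == want:
            return True
    return False


def triage(inventory):
    """Map each host needing action to 'affected' or 'review' (unparseable)."""
    flagged = {}
    for host, version in inventory.items():
        try:
            if is_affected(version):
                flagged[host] = "affected"
        except ValueError:
            flagged[host] = "review"
    return flagged


# Constructed sample inventory (hostnames and versions are illustrative only).
SAMPLE_INVENTORY = {
    "bpm-01.example.internal": "5.8.8.3",
    "bpm-02.example.internal": "8.1.0.4",
    "bpm-03.example.internal": "8.10.2",
    "bpm-04.example.internal": "5.8.8.30",
    "bpm-05.example.internal": "unknown",
}
```

Hosts absent from the result are only "not listed as affected" by this advisory; hosts marked `review` need their version confirmed by hand.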

Potential Impact

For European organizations, the exposure of plaintext database credentials can lead to severe confidentiality breaches, enabling unauthorized access to sensitive business data, intellectual property, or customer information. This could result in data theft, regulatory non-compliance (e.g., GDPR violations), reputational damage, and operational disruption if attackers leverage the credentials to manipulate or exfiltrate data. Since the vulnerability requires privileged access, it primarily threatens internal users or attackers who have already compromised an account with elevated rights, increasing the risk of insider threats or post-compromise lateral movement. Industries relying on Digiwin EasyFlow GP, such as manufacturing, supply chain management, and enterprise resource planning, may face heightened risks. The lack of known exploits reduces immediate threat but does not eliminate the risk of future exploitation. European organizations must consider the impact on confidentiality and the potential cascading effects on business continuity and compliance.

Mitigation Recommendations

1. Monitor Digiwin’s official channels for patches or updates addressing CVE-2025-13163 and apply them promptly upon release.
2. Restrict access to the EasyFlow GP frontend strictly to trusted, authorized personnel with a need-to-know basis, minimizing the number of users with privileged access.
3. Implement network segmentation and access controls to limit exposure of the EasyFlow GP system to internal networks only, reducing remote attack surfaces.
4. Enforce strong authentication and session management policies for privileged users to prevent unauthorized access.
5. Audit and monitor logs for unusual access patterns or attempts to retrieve credential information from the frontend.
6. Where possible, encrypt stored credentials and secrets within the application or underlying systems to reduce plaintext exposure.
7. Conduct regular security awareness training for privileged users to mitigate insider threat risks.
8. Evaluate and harden the overall security posture of systems interacting with EasyFlow GP, including database servers and backend infrastructure.


Technical Details

Data Version: 5.2
Assigner Short Name: twcert
Date Reserved: 2025-11-14T03:31:46.149Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 691ac33f848ad39aa20115d3

Added to database: 11/17/2025, 6:39:59 AM

Last enriched: 11/24/2025, 7:08:12 AM

Last updated: 1/8/2026, 11:34:17 AM
