
CVE-2025-13319: CWE-20 Improper Input Validation in Nettec AS Digi On-Prem Manager

Severity: High
Tags: Vulnerability, CVE-2025-13319, CWE-20, CWE-89
Published: Mon Nov 17 2025 (11/17/2025, 16:37:40 UTC)
Source: CVE Database V5
Vendor/Project: Nettec AS
Product: Digi On-Prem Manager

Description

An injection vulnerability has been discovered in the API feature in Digi On-Prem Manager, enabling an attacker with valid API tokens to inject SQL via crafted input. The API is not enabled by default, and a valid API token is required to perform the attack.

AI-Powered Analysis

AI analysis last updated: 11/17/2025, 16:48:39 UTC

Technical Analysis

CVE-2025-13319 identifies a high-severity SQL injection vulnerability in the API component of Nettec AS Digi On-Prem Manager, specifically version 24.12.5. The vulnerability stems from improper input validation (CWE-20) that allows crafted input to reach backend SQL queries unsanitized (CWE-89). An attacker must possess a valid API token to exploit this flaw, and the API is disabled by default, which limits exposure. Once authenticated, the attacker can craft malicious input to manipulate backend SQL queries, potentially extracting sensitive data, modifying or deleting records, or causing denial of service. The vulnerability requires no user interaction and can be exploited remotely over the network with low attack complexity. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) reflects a network attack vector, low complexity, low privileges required (a valid token), no user interaction, unchanged scope, and high impact on confidentiality, integrity, and availability. Although no public exploits have been reported yet, the severity and ease of exploitation make this a significant risk for organizations relying on Digi On-Prem Manager for critical operations. Because no patch was available at the time of disclosure, immediate mitigation steps are warranted.

Potential Impact

For European organizations, this vulnerability poses a substantial risk, especially for those using Digi On-Prem Manager in sensitive environments such as telecommunications, utilities, or government sectors. Exploitation could lead to unauthorized data disclosure, data manipulation, or service disruption, undermining operational continuity and regulatory compliance (e.g., GDPR). The requirement for a valid API token limits exposure but also underlines the importance of credential security: an attacker who obtains a token (through phishing, an insider, or other means) could use this vulnerability to escalate their impact well beyond what the token was issued for. The high impact on confidentiality, integrity, and availability could result in significant financial losses, reputational damage, and legal consequences. Given the product's deployment in on-premises environments, recovery and incident response could be complex and time-consuming.

Mitigation Recommendations

Organizations should immediately audit and restrict API token issuance and usage, ensuring tokens are granted only to trusted entities with minimal necessary privileges. Disable the API feature if not required. Implement strict network segmentation and firewall rules to limit API access to trusted IP addresses. Monitor API usage logs for anomalous activity indicative of injection attempts. Employ Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection patterns targeting the API endpoints. Until an official patch is released, consider deploying virtual patching or input validation proxies to sanitize API inputs. Conduct regular credential hygiene practices, including token rotation and revocation of unused tokens. Prepare incident response plans specific to API compromise scenarios. Engage with Nettec AS for timely updates and patches, and test all updates in controlled environments before deployment.


Technical Details

Data Version: 5.2
Assigner Short Name: Digi
Date Reserved: 2025-11-17T15:24:52.019Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 691b5188903b8a3ddb62ff68

Added to database: 11/17/2025, 4:47:04 PM

Last enriched: 11/17/2025, 4:48:39 PM

Last updated: 11/17/2025, 5:53:59 PM

