Authenticated SQL injection in API (DOM-25-001)


Summary

An injection vulnerability has been discovered in the API feature of Digi On-Prem Manager, enabling an attacker who holds a valid API token to inject SQL via crafted input to the API.

The API is not enabled by default, and a valid API token is required to perform the attack.
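The advisory does not disclose which API parameter is affected. As an added illustration of the bug class it names, not Digi's code, the following stand-alone Python example shows a token-authenticated API handler that builds its SQL by string formatting beside the parameterized version that closes the hole. The table, the token store and the "name_filter" parameter are all constructed for this example, and sqlite3 stands in for whatever backend database the product uses.

```python
import sqlite3

# Constructed in-memory table standing in for a backend database. Nothing
# here is Digi's schema; the names are made up for the example.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE devices (id INTEGER PRIMARY KEY, name TEXT, owner TEXT)"
    )
    conn.executemany(
        "INSERT INTO devices (name, owner) VALUES (?, ?)",
        [("gw-01", "alice"), ("gw-02", "alice"), ("gw-03", "bob")],
    )
    conn.commit()
    return conn


# Constructed token store: the attacker in the advisory already holds one of
# these, so authentication alone does not stop the injection.
VALID_TOKENS = {"tok-alice": "alice"}


def authenticate(token):
    """Map an API token to the account it belongs to, or reject the call."""
    try:
        return VALID_TOKENS[token]
    except KeyError:
        raise PermissionError("invalid API token")


def list_devices_vulnerable(conn, token, name_filter):
    """Authenticated, but the caller's filter is spliced into the SQL text.

    A filter such as  %' OR '1'='1  turns the WHERE clause into
    (owner = 'alice' AND name LIKE '%') OR '1'='1', returning every row.
    """
    owner = authenticate(token)
    sql = (
        "SELECT name, owner FROM devices "
        "WHERE owner = '%s' AND name LIKE '%s' ORDER BY name" % (owner, name_filter)
    )
    return conn.execute(sql).fetchall()


def list_devices_fixed(conn, token, name_filter):
    """Same query, but the filter is bound as a parameter.

    The driver sends the value separately from the SQL text, so the quote
    and OR in a crafted filter are matched as literal characters in the
    LIKE pattern rather than being parsed as SQL.
    """
    owner = authenticate(token)
    sql = (
        "SELECT name, owner FROM devices "
        "WHERE owner = ? AND name LIKE ? ORDER BY name"
    )
    return conn.execute(sql, (owner, name_filter)).fetchall()


if __name__ == "__main__":
    db = make_db()
    crafted = "%' OR '1'='1"
    print("benign, fixed:     ", list_devices_fixed(db, "tok-alice", "gw-0%"))
    print("crafted, vulnerable:", list_devices_vulnerable(db, "tok-alice", crafted))
    print("crafted, fixed:    ", list_devices_fixed(db, "tok-alice", crafted))
```

With a benign filter both handlers return only the caller's own devices. With the crafted filter the vulnerable handler leaks bob's device as well, while the parameterized handler returns nothing because no device name matches the literal pattern. This is why the advisory's IP allowlist is a mitigation rather than a fix: it narrows who can reach the API, but any allowed host with a valid token can still supply the crafted input until the server is updated.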

Solution

Users should update to v25.08.5 or later.

Mitigations

On the “System > Settings” page in the Dashboard, restrict traffic to the API to trusted IP address ranges via the “Access Control > API” setting, or ensure that “Feature > API” is disabled. Disabling the API removes the attack surface entirely; an IP allowlist only limits which hosts can reach the API and does not protect against a host in a trusted range that holds a valid token.

Affected Versions

  • Digi On-Prem Manager versions from v24.12.5 up to, but not including, v25.08.5