Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
EasyFlow .NET developed by Digiwin has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents.
AnalysisAI
Critical SQL injection in Digiwin EasyFlow .NET allows unauthenticated remote attackers to execute arbitrary SQL commands against the application database. With maximum CVSS 4.0 score of 9.3 and network-accessible attack vector requiring no privileges or user interaction, this vulnerability enables complete database compromise. Taiwan CERT reported this issue, indicating regional targeting or discovery. No active exploitation confirmed in CISA KEV at time of analysis, but the combination of trivial exploitation conditions and catastrophic impact warrants immediate priority.
Technical ContextAI
EasyFlow .NET is an enterprise workflow management system developed by Digiwin Software, widely deployed in manufacturing and ERP environments across Asia-Pacific markets. The vulnerability stems from CWE-89 (SQL Injection), where user-supplied input is incorporated into SQL queries without proper sanitization or parameterization. Based on the CPE string cpe:2.3:a:digiwin:easyflow_.net, this affects the .NET framework implementation of the product. SQL injection occurs when application code concatenates untrusted data directly into SQL statements rather than using parameterized queries or stored procedures with bound parameters. In .NET environments, this typically manifests through misuse of SqlCommand with string concatenation instead of SqlParameter objects, or through ORM query construction vulnerabilities. The network attack vector suggests the injection point is exposed through web service endpoints or web application interfaces accessible without authentication.
RemediationAI
Organizations running EasyFlow .NET must immediately contact Digiwin Software technical support to obtain the latest security patch and upgrade guidance, referencing Taiwan CERT advisories at https://www.twcert.org.tw/tw/cp-132-10831-a734d-1.html and https://www.twcert.org.tw/en/cp-139-10832-05f3a-2.html for tracking details. Specific patched version numbers have not been published in available intelligence sources at time of analysis. Until vendor patches can be applied, implement network-level compensating controls: restrict EasyFlow .NET web interfaces to authenticated internal networks only through firewall rules or VPN access requirements, eliminating direct Internet exposure (note this reduces attack surface but does not eliminate risk from authenticated insiders or compromised internal systems). Deploy web application firewall (WAF) rules with SQL injection signature detection in blocking mode on all routes to EasyFlow endpoints, understanding this provides defense-in-depth but may be bypassed by sophisticated attackers using encoding or alternative syntax. Review application logs immediately for suspicious SQL-related error messages, unusual database query patterns, or unauthorized data access attempts that may indicate prior exploitation. For database defense, ensure EasyFlow application database accounts operate with minimum necessary privileges (avoid sa/dbo roles), enable database audit logging for all schema changes and bulk data exports, and verify database backups are current and stored offline. Coordinate patching during planned maintenance windows given the system's likely integration with critical business workflows.
More in Easyflow Net
View allSQL Injection in Digiwin EasyFlow .NET enables unauthenticated remote attackers to execute arbitrary SQL commands agains
Session fixation in Digiwin EasyFlow .NET allows unauthenticated remote attackers to pre-set a victim's session identifi
Digiwin EasyFlow .NET lacks proper access control for specific functionality, and the functionality do not adequately fi
Stored Cross-Site Scripting in Digiwin's EasyFlow .NET workflow platform enables authenticated low-privilege attackers t
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-23797
GHSA-q2rh-xrfv-8x3m