CVE-2025-8868
Chef Automate compliance service SQL Injection Vulnerability
Basic Information
- CVE State
- PUBLISHED
- Reserved Date
- August 11, 2025
- Published Date
- September 29, 2025
- Last Updated
- September 29, 2025
- Vendor
- Progress Software
- Product
- Chef Automate
- Description
- In Progress Chef Automate, versions earlier than 4.13.295, on Linux x86 platform, an authenticated attacker can gain access to Chef Automate restricted functionality in the compliance service via improperly neutralized inputs used in an SQL command using a well-known token.
- Tags
- Exploitation
- none
- Automatable
- Yes
- Technical Impact
- total
- Exploited in the Wild
- Yes (2025-10-27 14:10:46 UTC) Source
nuclei_scanner
CVSS Scores
CVSS v3.1
9.8 - CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SSVC Information
Exploit Status
Known Exploited Vulnerability Information
| Source | Added Date |
|---|---|
| The Shadowserver (via CIRCL) | 2025-10-27 14:10:46 UTC |
Scanner Integrations
| Scanner | URL | Date Detected |
|---|---|---|
| Nuclei | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-8868.yaml | 2026-06-01 15:34:43 UTC |
Timeline
-
CVE ID Reserved
-
CVE Published to Public
-
Added to KEVIntel
-
Detected by Nuclei