What is CVE-2025-1156?

A medium-severity SQL injection vulnerability has been identified in Pix Software Vivaz 6.0.10. Remote attackers can exploit this flaw to manipulate database queries. Organizations should address this in their patch cycle.

What is the severity of CVE-2025-1156?

CVE-2025-1156 has a severity rating of MEDIUM with a CVSS base score of 6.9.

CVE-2025-1156 | Medium Vulnerability in Pix Software Vivaz

A vulnerability has been found in Pix Software Vivaz 6.0.10 and classified as critical. This vulnerability allows an attacker to exploit unknown code in the file /servlet?act=login. The manipulation of the argument usuario leads to SQL injection, which can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

With a CVSS score of 6.9, this vulnerability is categorized as medium severity. Organizations should prioritize patching to mitigate potential risks associated with exploitation. SQL injection vulnerabilities can lead to unauthorized access, data leakage, and database manipulation, posing significant risks to data integrity.

Currently, there are no known exploits confirmed in the wild, but the potential for exploitation remains a concern. Organizations using Pix Software Vivaz should take this vulnerability seriously, as attackers may look to leverage it for malicious purposes.

Organizations should address this vulnerability in their priority patch cycle to avoid exposure to possible remote attacks through SQL injection.

Vulnerability Details

The vulnerability has been classified under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) and CWE-89 (SQL Injection). It affects Pix Software Vivaz version 6.0.10, and the vulnerability was published on February 10, 2025. Although the vendor has been notified, no response has been received regarding this issue.

Technical Analysis

The root cause of this vulnerability lies in the inadequate sanitization of user inputs within the login servlet. Attackers can exploit this by manipulating the 'usuario' parameter to inject SQL commands, potentially gaining unauthorized access to the underlying database.

The attack vector is network-based, and it has low complexity, requiring no privileges or user interaction. It is important to note that the confidentiality, integrity, and availability impacts are all categorized as low.

Risk & Impact Analysis

Risk to organizations includes potential unauthorized access to sensitive data and manipulation of database entries. The exposure to SQL injection attacks significantly increases the likelihood of data breaches, particularly in environments that do not implement adequate input validation and security measures.

Considering the CVSS score and the potential blast radius, organizations should address this vulnerability in their patch cycle. The risk posed by this vulnerability underscores the importance of implementing robust security practices such as input validation, parameterized queries, and regular security assessments.

Signal	Status
Known Exploit	No
Public PoC	No
Actively Exploited	No
Ransomware Use	No

Affected Versions

This vulnerability affects Pix Software Vivaz version 6.0.10. All versions prior to vendor patch are vulnerable.

Mitigation & Remediation

Organizations should promptly apply patches as they become available. If a patch is not yet available, consider implementing configuration hardening to limit exposure. Regular security assessments, including penetration testing and continuous monitoring can help identify vulnerabilities before they are exploited.

Detection Guidance

To detect potential exploitation of this vulnerability, organizations should monitor logs for unusual patterns related to SQL queries. Behavioral anomalies and unexpected database activity should be investigated promptly.

AppSecure Threat Intelligence Insight

This vulnerability highlights the ongoing challenges associated with SQL injection attacks. Security teams must remain vigilant and proactive in their defenses. To enhance security posture, organizations should invest in effective vulnerability management programs and prioritize regular training for developers on secure coding practices. Additionally, understanding the landscape of common vulnerabilities can aid in identifying and mitigating potential risks.

For further insights, organizations should consider reviewing best practices in penetration testing methodology to ensure comprehensive coverage against such vulnerabilities.

By maintaining a proactive approach, organizations can mitigate the risks associated with SQL injection vulnerabilities and enhance their overall security posture.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

CVE ID	Title	Severity	Vulnerability Type	Published
CVE-2025-65418	CVE-2025-65418: High Vulnerability in docuFORM Managed Print Service Client	HIGH	Path Traversal	May 11, 2026
CVE-2025-65417	CVE-2025-65417: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	XSS	May 11, 2026
CVE-2025-65416	CVE-2025-65416: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Unrestricted File Upload	May 11, 2026
CVE-2025-65415	CVE-2025-65415: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Session Fixation	May 11, 2026
CVE-2025-61314	CVE-2025-61314: High Vulnerability in GmbH Mecury Managed Print Services	HIGH	XSS	May 11, 2026

CVE-2025-1156: Medium Vulnerability in Pix Software Vivaz