CVE-2025-8868
published 2025-09-29


Priority: P1 (87) · CVSS 3.1: 8.8 (high)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
ITW exploit: listed in VulnCheck KEV (exploited in the wild)
EPSS: 22.83% (97.4th percentile)
In Progress Chef Automate, versions earlier than 4.13.295, on Linux x86 platform, an authenticated attacker can gain access to Chef Automate restricted functionality in the compliance service via improperly neutralized inputs used in an SQL command using a well-known token.

Affected (3 ranges)

Vendor             Product         Version range                        Fixed in
chef               automate        < 4.13.295                           4.13.295
chef               automate        20180319150121 – 20220329091442      (none listed)
progress_software  chef_automate   < 4.13.295                           4.13.295

Detection & IOCs (extracted from sources)

url:     POST /api/v0/compliance/profiles/search HTTP/1.1
command: {"filters": [{"type": "name'", "values": ["test"]}]}
  • Detect exploitation attempts by monitoring POST requests to /api/v0/compliance/profiles/search containing a single quote in the 'type' filter field (e.g., "type": "name'"), which is what triggers the SQL injection payload.
  • Alert on the presence of the well-known static token '93a49a4f2482c64126f7b6015e6b0f30284287ee4054ff8807fb63d9cbd1c506' in the x-data-collector-token HTTP header, as this is the token used to authenticate the SQL injection attack.
  • A server response with HTTP status 500 and a body containing 'pq: syntax error' on the /api/v0/compliance/profiles/search endpoint is a strong indicator that the SQL injection was triggered successfully.
  • Scope detection to Linux x86 Chef Automate instances; the vulnerability is platform-specific and only affects versions earlier than 4.13.295.
  • The CVSS score of 9.8 (PR:N) conflicts with the vulnerability description, which states that the attacker must be authenticated. The attack leverages a 'well-known token' (the static x-data-collector-token value), which may lower the effective privilege barrier but is not truly unauthenticated.
  • The static token '93a49a4f2482c64126f7b6015e6b0f30284287ee4054ff8807fb63d9cbd1c506' is described as a 'well-known token', meaning it is publicly known and hardcoded or a default; any Chef Automate instance prior to 4.13.295 on Linux x86 may accept it.

CVSS provenance

NVD (v3.1): 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 9.8 CRITICAL