CVE-2025-8868
Published 2025-09-29
Priority: P187 · Severity: High · CVSS 3.1 base score: 8.8
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · Exploit · VulnCheck KEV
Exploited in the wild
EPSS: 22.83% (97.4th percentile)
In Progress Chef Automate, versions earlier than 4.13.295, on Linux x86 platform, an authenticated attacker can gain access to Chef Automate restricted functionality in the compliance service via improperly neutralized inputs used in an SQL command using a well-known token.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| chef | automate | < 4.13.295 | 4.13.295 |
| chef | automate | 20180319150121 – 20220329091442 | — |
| progress_software | chef_automate | < 4.13.295 | 4.13.295 |
Detection & IOCs (extracted from sources)
- Detect exploitation attempts by monitoring POST requests to /api/v0/compliance/profiles/search whose 'type' filter field contains a single quote (e.g., "type": "name'"); the quote is what triggers the SQL injection payload.
- Alert on the well-known static token '93a49a4f2482c64126f7b6015e6b0f30284287ee4054ff8807fb63d9cbd1c506' in the x-data-collector-token HTTP header, as this is the token used to authenticate the SQL injection attack.
- An HTTP 500 response from /api/v0/compliance/profiles/search whose body contains 'pq: syntax error' is a strong indicator that an injection payload reached the database query.
- Scope detection to Linux x86 Chef Automate instances running versions earlier than 4.13.295; the vulnerability is platform-specific and fixed in 4.13.295.
- Note: the VulnCheck CVSS score of 9.8 (which implies PR:N) conflicts with the vulnerability description, which states the attacker must be authenticated. The attack leverages a 'well-known token' (the static x-data-collector-token value), which may lower the effective privilege barrier, but it is not truly unauthenticated.
- Note: the static token '93a49a4f2482c64126f7b6015e6b0f30284287ee4054ff8807fb63d9cbd1c506' is described as a 'well-known token', meaning it is publicly known and hardcoded or default; any Chef Automate instance prior to 4.13.295 on Linux x86 may accept it.
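The request-side and response-side indicators above can be combined into a single rule. The following is an added example (not code from Progress Chef and not a rule from any source cited on this page) that evaluates constructed request/response records in the shape a reverse proxy or WAF in front of Chef Automate might log. The request body layout `{"filters": [{"type": ..., "values": [...]}]}` is an assumption about the compliance profiles search API, as are the sample paths and bodies; adapt `_filter_types()` and the record shape to your own log format.

```python
"""Log-side detection for the CVE-2025-8868 indicators listed on this page.

Added example: not Progress Chef code and not a rule from any source cited here.
It evaluates constructed request/response records in the shape a reverse proxy
or WAF in front of Chef Automate might log. The body layout
{"filters": [{"type": ..., "values": [...]}]} is an assumption about the
compliance profiles search API; adapt _filter_types() to your log format.
"""
import json
import re

TARGET_PATH = "/api/v0/compliance/profiles/search"
# Static token quoted on this page as the one presented in x-data-collector-token.
WELL_KNOWN_TOKEN = "93a49a4f2482c64126f7b6015e6b0f30284287ee4054ff8807fb63d9cbd1c506"
PQ_SYNTAX_ERROR = re.compile(r"pq:\s*syntax error", re.IGNORECASE)


def _header(headers, name):
    """Case-insensitive header lookup; None when the header is absent."""
    want = name.lower()
    for key, value in (headers or {}).items():
        if key.lower() == want:
            return value
    return None


def _filter_types(body):
    """Return every filters[].type string in a JSON body; [] if it does not parse."""
    try:
        doc = json.loads(body) if isinstance(body, str) else body
    except (TypeError, ValueError):
        return []
    if not isinstance(doc, dict):
        return []
    return [f["type"] for f in doc.get("filters") or []
            if isinstance(f, dict) and isinstance(f.get("type"), str)]


def analyze(record):
    """Return the indicator names that fire for one request/response record.

    Indicators mirror the page's Detection & IOCs list and are only evaluated
    for POSTs to the compliance profiles search endpoint:
      well_known_token  static token in x-data-collector-token
      quote_in_type     a single quote inside a filters[].type value
      pq_syntax_error   HTTP 500 whose body mentions 'pq: syntax error'
    """
    req = record.get("request") or {}
    resp = record.get("response") or {}
    path = (req.get("path") or "").split("?", 1)[0]
    if (req.get("method") or "").upper() != "POST" or path != TARGET_PATH:
        return []
    hits = []
    if _header(req.get("headers"), "x-data-collector-token") == WELL_KNOWN_TOKEN:
        hits.append("well_known_token")
    if any("'" in t for t in _filter_types(req.get("body"))):
        hits.append("quote_in_type")
    if resp.get("status") == 500 and PQ_SYNTAX_ERROR.search(resp.get("body") or ""):
        hits.append("pq_syntax_error")
    return hits


def classify(hits):
    """Quote plus a pq syntax error is the page's 'strong indicator' of a trigger."""
    if "quote_in_type" in hits and "pq_syntax_error" in hits:
        return "critical"
    if "quote_in_type" in hits or "well_known_token" in hits:
        return "high"
    if "pq_syntax_error" in hits:
        return "medium"
    return "none"


def scan(records):
    """Return (record id, hits, level) for each record that fires at least one indicator."""
    alerts = []
    for rec in records:
        hits = analyze(rec)
        if hits:
            alerts.append((rec.get("id"), hits, classify(hits)))
    return alerts


# Constructed sample records (not captured traffic); paths and bodies are assumptions.
SAMPLE_RECORDS = [
    {   # ordinary profile search with a redacted api-token header: no hits
        "id": "r1",
        "request": {"method": "POST", "path": TARGET_PATH,
                    "headers": {"api-token": "REDACTED"},
                    "body": '{"filters": [{"type": "name", "values": ["linux-baseline"]}]}'},
        "response": {"status": 200, "body": '{"profiles": []}'},
    },
    {   # all three page indicators at once (query string is ignored when matching the path)
        "id": "r2",
        "request": {"method": "POST", "path": TARGET_PATH + "?source=ui",
                    "headers": {"X-Data-Collector-Token": WELL_KNOWN_TOKEN},
                    "body": '{"filters": [{"type": "name\'", "values": ["x"]}]}'},
        "response": {"status": 500, "body": "pq: syntax error"},
    },
    {   # same payload against a different (hypothetical) path: outside this rule's scope
        "id": "r3",
        "request": {"method": "POST", "path": "/api/v0/compliance/profiles",
                    "headers": {"X-Data-Collector-Token": WELL_KNOWN_TOKEN},
                    "body": '{"filters": [{"type": "name\'", "values": ["x"]}]}'},
        "response": {"status": 500, "body": "pq: syntax error"},
    },
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_RECORDS):
        print(alert)
```

The rule deliberately scopes the token and quote checks to POSTs on the profiles search path, matching the page's guidance to scope detection; widening the path match is a tuning decision for your environment, not something the page supports.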
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| VulnCheck | — | 9.8 | CRITICAL | — |
GHSA
GHSA-mh28-g8jv-r635 (unreviewed, 2025-09-29) · CVE-2025-8868 · CRITICAL · CWE-89
VulnCheck
CVE-2025-8868 · CRITICAL · CVSS 9.8 · 2025
chef automate Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Affected: chef automate
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://app.crowdsec.net/cti/cve-explorer/CVE-2025-8868; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-11-14&host_type=src&vulnerability=cve-2025-8868; https://dashboard.shadowser
No detection rules found.
Nuclei
CVE-2025-8868 · HIGH · CVSS 8.8
Chef Automate < 4.13.295 — SQL Injection
Template (truncated in the source):
```yaml
id: CVE-2025-8868

info:
  name: Chef Automate < 4.13.295 — SQL Injection
  author: 3th1c_yuk1,xbow
  severity: critical
  description: |
    In Progress Chef Automate, versions earlier than 4.13.295, on Linux x86 platform, an authenticated attacker can gain access to Chef Automate restricted functionality in the compliance service via improperly neutralized inputs used in an SQL command using a well-known token.
  impact: |
    Authenticated attackers with knowledge of a well-known t
```
No writeups or analysis indexed.
Timeline
- 2025-09-29: Published
- Exploited in the wild