OPEXUS FOIAXpress PAL CVE-2025-58462 SQL Injection: Brief Summary and Technical Details

A brief summary of CVE-2025-58462, a critical SQL injection vulnerability in OPEXUS FOIAXpress Public Access Link (PAL) before version 11.13.1.0. This post outlines affected versions, technical details, and vendor security history based on available public sources.
ZeroPath CVE Analysis
2025-09-09

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.


Introduction

Sensitive government records and FOIA request data can be exposed or destroyed by exploiting a critical flaw in OPEXUS FOIAXpress Public Access Link (PAL) prior to version 11.13.1.0. This SQL injection vulnerability (CVE-2025-58462) allows remote, unauthenticated attackers to manipulate the backend database via the SearchPopularDocs.aspx endpoint, with a CVSS score of 9.8 reflecting the severity of potential impact.

About OPEXUS FOIAXpress and PAL: OPEXUS is a US-based government contractor whose FOIAXpress suite is used by federal, state, and local agencies for managing Freedom of Information Act (FOIA) requests. The Public Access Link (PAL) is the web-facing portal for public FOIA submissions and document searches, making it a critical component for government transparency and compliance. The platform is widely deployed across US government agencies, handling high volumes of sensitive requests and records.

Technical Information

CVE-2025-58462 is a SQL injection vulnerability in the SearchPopularDocs.aspx endpoint of FOIAXpress PAL. The root cause is insufficient input validation and the absence of parameterized queries, which allows user-supplied input to be directly concatenated into SQL statements. This enables attackers to inject arbitrary SQL code through crafted requests to the vulnerable endpoint.

The vulnerability is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). Because the endpoint is accessible without authentication, any remote attacker can target it. The endpoint is believed to handle search queries for public documents, making it a frequent target and increasing the risk of exploitation.

Technical impact:

  • Attackers can read, modify, or delete any data in the backend database.
  • The vulnerability does not require authentication, so exploitation can be performed by any external user.
  • The attack surface is exposed to the internet due to the public-facing nature of the PAL portal.

No public code snippets or exploit payloads are available in the referenced sources. The issue is confirmed to be due to improper input handling in the affected endpoint.
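Because no affected source is public, the following is an added illustration, not OPEXUS code: the string-concatenation pattern that CWE-89 describes, written against the ADO.NET API an ASP.NET Web Forms page such as SearchPopularDocs.aspx would typically use, next to the parameterized form that removes the flaw. The table, column and parameter names are assumptions.

```csharp
// Added example (not OPEXUS code). Table/column names are assumed.
using System;
using System.Data;
using System.Data.SqlClient;

public static class PopularDocsSearch
{
    // Vulnerable pattern: the search term is spliced into SQL text, so any
    // quote or comment sequence in the input is parsed as part of the statement.
    public static string BuildUnsafeQuery(string term)
    {
        return "SELECT DocId, Title FROM PopularDocs WHERE Title LIKE '%" + term + "%'";
    }

    // Hardened pattern: the SQL text is a constant; the term is sent as a typed
    // parameter and is never parsed as SQL by the server.
    public static SqlCommand BuildSafeCommand(SqlConnection conn, string term)
    {
        var cmd = new SqlCommand(
            "SELECT TOP (50) DocId, Title FROM PopularDocs WHERE Title LIKE @pattern",
            conn);

        // Escape LIKE wildcards so user input cannot widen the match either
        // (bracket escaping is SQL Server syntax; '[' must be escaped first).
        string escaped = term
            .Replace("[", "[[]")
            .Replace("%", "[%]")
            .Replace("_", "[_]");

        // Fixed type and length: an over-long value is truncated/rejected
        // rather than silently accepted.
        cmd.Parameters.Add("@pattern", SqlDbType.NVarChar, 200).Value = "%" + escaped + "%";
        cmd.CommandTimeout = 5;
        return cmd;
    }
}
```

For a defender reviewing a similar page, the review question is simply whether any request-derived string reaches `CommandText` by concatenation; `SqlParameter` use as above is the fix, and the database login used by the portal should additionally hold only SELECT rights on the tables the search needs.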

Affected Systems and Versions

  • Product: OPEXUS FOIAXpress Public Access Link (PAL)
  • Affected versions: All versions prior to 11.13.1.0
  • Vulnerable endpoint: SearchPopularDocs.aspx
  • The vulnerability exists in default configurations of affected versions

Vendor Security History

OPEXUS has previously addressed multiple security issues in FOIAXpress, including SQL injection vulnerabilities in version 11.4.0 (see release notes). In February 2025, a major insider breach resulted in deletion of 33 federal databases and theft of sensitive files, exposing gaps in hiring and access control. The vendor documents security fixes in release notes and has a history of responding to vulnerabilities, but recent events highlight ongoing challenges in security governance and operational controls.
