Introduction
A critical SQL injection flaw in OPEXUS FOIAXpress Public Access Link (PAL) versions prior to 11.13.1.0 allows sensitive government records and FOIA request data to be exposed, altered or destroyed. The vulnerability (CVE-2025-58462) lets remote, unauthenticated attackers manipulate the backend database through the SearchPopularDocs.aspx endpoint; its CVSS score of 9.8 reflects the severity of the potential impact.
About OPEXUS FOIAXpress and PAL: OPEXUS is a US-based government contractor whose FOIAXpress suite is used by federal, state, and local agencies for managing Freedom of Information Act (FOIA) requests. The Public Access Link (PAL) is the web-facing portal for public FOIA submissions and document searches, making it a critical component for government transparency and compliance. The platform is widely deployed across US government agencies, handling high volumes of sensitive requests and records.
Technical Information
CVE-2025-58462 is a SQL injection vulnerability in the SearchPopularDocs.aspx endpoint of FOIAXpress PAL. The root cause is insufficient input validation combined with the absence of parameterized queries: user-supplied input is concatenated directly into SQL statement text instead of being bound as a query parameter, so an attacker can append arbitrary SQL to the statement by sending crafted requests to the vulnerable endpoint.
The vulnerability is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). Because the endpoint is reachable without authentication, any remote attacker can target it. Its name suggests it serves the portal's public document search, a function that any visitor can locate and exercise, which further raises the likelihood of exploitation.
Technical impact:
- Attackers can read, modify, or delete data in the backend database; in practice the reach is bounded only by the privileges of the database account the application connects with.
- No authentication is required, so exploitation can be performed by any external user.
- The attack surface is exposed to the internet due to the public-facing nature of the PAL portal.
No public code snippets or exploit payloads are available in the referenced sources. The issue is confirmed to be due to improper input handling in the affected endpoint.
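Since the affected code is not public, the following is an added illustration of the CWE-89 pattern described above, not FOIAXpress code: a hypothetical document search built with string concatenation next to the same search using a bound parameter, run against a constructed in-memory SQLite database. The table names, columns, sample rows and the `keyword` parameter are all assumptions made for the example; the payloads are generic tautology and UNION strings, not anything taken from a real advisory.

```python
import sqlite3

# Constructed sample data (not real FOIAXpress schema): a public
# "popular documents" table plus a second table the public search
# must never expose.
SAMPLE_SCHEMA = """
CREATE TABLE popular_docs (id INTEGER PRIMARY KEY, title TEXT, public INTEGER);
CREATE TABLE requester_pii (id INTEGER PRIMARY KEY, name TEXT, email TEXT);
INSERT INTO popular_docs VALUES (1, 'Annual report 2023', 1);
INSERT INTO popular_docs VALUES (2, 'Travel expenses', 1);
INSERT INTO popular_docs VALUES (3, 'Internal draft memo', 0);
INSERT INTO requester_pii VALUES (1, 'Jane Doe', 'jane@example.org');
"""


def make_db():
    """Create the constructed sample database in memory."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SCHEMA)
    return conn


def search_vulnerable(conn, keyword):
    """CWE-89: the user-supplied keyword is spliced into the SQL text, so
    quote characters in it terminate the literal and become SQL."""
    sql = ("SELECT id, title FROM popular_docs "
           "WHERE public = 1 AND title LIKE '%" + keyword + "%'")
    return conn.execute(sql).fetchall()


def search_fixed(conn, keyword):
    """Parameterized form: the driver binds the value separately from the
    statement text, so the keyword can never change the query's structure.
    (LIKE wildcards in the keyword still match as wildcards; that is a
    separate, non-injection concern.)"""
    sql = ("SELECT id, title FROM popular_docs "
           "WHERE public = 1 AND title LIKE ?")
    return conn.execute(sql, ("%" + keyword + "%",)).fetchall()


# Generic payloads; the trailing "-- " comments out the rest of the
# original statement after the injected clause.
TAUTOLOGY = "' OR 1=1 -- "
UNION = "' UNION SELECT id, name || ':' || email FROM requester_pii -- "


if __name__ == "__main__":
    db = make_db()
    for label, fn in (("vulnerable", search_vulnerable), ("fixed", search_fixed)):
        print(label, "normal   ->", fn(db, "report"))
        print(label, "tautology->", fn(db, TAUTOLOGY))   # vulnerable: all rows, incl. non-public
        print(label, "union    ->", fn(db, UNION))       # vulnerable: rows from requester_pii
```

Against the vulnerable function the tautology payload returns every row, including the non-public document, and the UNION payload pulls rows out of a table the search never references; the parameterized function returns nothing for both, because the payload is matched as a literal title fragment. The fix that matters is binding the parameter; input validation on top of that is defense in depth, not a substitute.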
Affected Systems and Versions
- Product: OPEXUS FOIAXpress Public Access Link (PAL)
- Affected versions: All versions prior to 11.13.1.0
- Vulnerable endpoint: SearchPopularDocs.aspx
- The vulnerability exists in default configurations of affected versions
Vendor Security History
OPEXUS has previously fixed security issues in FOIAXpress, including SQL injection vulnerabilities addressed in version 11.4.0 (per its release notes). In February 2025, an insider breach resulted in the deletion of 33 federal databases and the theft of sensitive files, exposing gaps in hiring and access control. The vendor documents security fixes in its release notes and has a record of responding to reported vulnerabilities, but these events point to ongoing weaknesses in security governance and operational controls.