Executive Summary
Comprehensive remediation efforts were conducted to address SQL injection and command injection vulnerabilities throughout Netwrix Endpoint Protector (formerly CoSoSys Endpoint Protector). These vulnerabilities could allow an authenticated or unauthenticated attacker to execute arbitrary SQL commands, potentially leading to unauthorized data access, data manipulation, privilege escalation or remote code execution. A related vulnerability (CVE-2025-59796), reported by a security researcher, was also remediated as part of these efforts.
In addition to these remediation efforts, the Endpoint Protector server application has been upgraded from PHP version 5.2.17 to PHP 5.6.40 with extended end-of-life support offering backported security fixes. Associated package dependencies such as libcurl, OpenSSL and MySQL have also been updated to include security fixes.
Users of Netwrix Endpoint Protector are advised to update to the latest version immediately. Netwrix is unaware of any evidence of active exploitation of these vulnerabilities.
Vulnerability
| Title | Affected Component | Affected Versions | CVSS 4.0 Score | CVSS 3.1 Score (Base / Temporal) | Description |
|---|---|---|---|---|---|
| Dependency on Vulnerable Third-Party Components | Endpoint Protector Server | <=5.9.4.3 | 10.0 | 9.8 / 9.1 | The Endpoint Protector server application uses an out-of-date PHP version that could allow an attacker to bypass security controls, access data without authorization, or execute malicious code. In addition, related OS packages with known vulnerabilities, including libcurl, OpenSSL and MySQL, were updated. |
| Improper Neutralization of Special Elements used in an SQL Command (including CVE-2025-59796) | Endpoint Protector Server | <=5.9.4.3 | 9.3 | 9.8 / 8.8 | Multiple instances of insufficient SQL query sanitization were identified across the application that could allow authenticated attackers to execute arbitrary SQL commands, leading to unauthorized data access, modification of application data, or privilege escalation. |
| Improper Neutralization of Special Elements used in an OS Command | Endpoint Protector Server | <=5.9.4.3 | 9.3 | 9.8 / 8.8 | Multiple instances of insufficient shell command sanitization were identified across the application that could potentially allow authenticated attackers to execute arbitrary shell commands, leading to arbitrary code execution or unauthorized data access. |
Exploitability
Factors such as whether details about the vulnerability are publicly known, whether an exploit is readily available, or whether adversaries are actively exploiting the vulnerability are valuable in making risk-based judgments about urgency and priority; customers should use the information below in making those decisions.
| Title | Publicly known? | Exploit available? | Actively exploited? |
|---|---|---|---|
| Dependency on Vulnerable Third-Party Components | Yes | Yes | Yes |
| Improper Neutralization of Special Elements used in an SQL Command (CVE-2025-59796) | Yes | No | No |
| Improper Neutralization of Special Elements used in an OS Command | No | No | No |
Solution
All Netwrix Endpoint Protector customers are advised to update Endpoint Protector to version 2509.0.1.0 or later as soon as possible.
Please contact the Netwrix technical support team should you need assistance.
Official Fixes
Updated software has been released containing official fixes for the vulnerabilities as indicated in the table below.
| Product | Release Version |
|---|---|
| Netwrix Endpoint Protector | 2509.0.1.0 |
FAQ
- How do I determine which version of Netwrix Endpoint Protector is in use?
  The Netwrix Endpoint Protector server version number can be seen in the lower-right corner of the application window.
- Are there any configuration changes required after updating?
  No additional configuration changes are required. The fixes are automatically applied upon updating to the remediated version.
Revisions
Updates to this advisory may be made as necessary. Information about each change will be published in the table below.
| Revision | Date | Description |
|---|---|---|
| 3 | 2025-11-05T18:11:00Z | Updated version determination. |
| 2 | 2025-11-05T17:21:00Z | Updated FAQ. |
| 1 | 2025-10-28T12:00:00Z | First published. |
Disclaimer
The information and materials included in or linked to this Security Advisory are provided on an “as-is” basis and without warranty of any kind, and we disclaim all representations and warranties of any kind, whether express or implied, including warranties of merchantability and fitness for a particular use. You acknowledge and agree that your use of the information and materials included in or linked to this Security Advisory is at your own risk.