
CVE-2025-1094 Security Review Report for SSM 2.18

Created by: SungHwan Kim (sunghwan.k@hanwha.com)
Created time: April 2025
Last edited time: September 2025
Product Category: SSM
Resolution Status: Done
ZD KB Article URL: here

1. Overview

This report presents a security review of the CVE-2025-1094 vulnerability, which affects the PostgreSQL 13.2 version currently used in SSM 2.18.

The purpose of this document is to evaluate the potential impact of this vulnerability on the SSM 2.18 operational environment and to assess the actual risk level. Recommendations for security measures are also provided, where applicable.

2. Vulnerability Analysis: CVE-2025-1094

  • Description: CVE-2025-1094 is an SQL injection vulnerability in specific PostgreSQL components. It stems from a flaw in how PostgreSQL escapes strings, so that input which should have been neutralized can still be interpreted as SQL. A malicious user could exploit the issue at the psql> prompt by injecting and executing specially crafted SQL strings.
  • Affected Versions:
    • PostgreSQL versions prior to:
      • 17.3
      • 16.7
      • 15.11
      • 14.16
      • 13.19
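As an added example (not part of the report or of the SSM product), the following Python check reads a PostgreSQL version string as printed by `SELECT version()`, `psql --version` or `SHOW server_version` and classifies it against the fix matrix above; only the fixed releases come from the list above, the parsing rules and sample strings are constructed. It also reports major lines the list does not cover (such as EOL 12.x) as unverified rather than safe.

```python
import re
from typing import Optional

# Added example, not from the SSM report. Only FIXED_MINOR is taken from the
# report (first fixed release per major line); parsing rules are constructed.
FIXED_MINOR = {17: 3, 16: 7, 15: 11, 14: 16, 13: 19}

# Accepts "PostgreSQL 13.2 on x86_64-pc-windows ...", "psql (PostgreSQL) 13.2"
# and a bare "13.2" as returned by SHOW server_version.
_VERSION_RE = re.compile(r"(?:PostgreSQL\)?\s*)?(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[tuple[int, int]]:
    """Return (major, minor), or None when the string carries no release
    number (for example a pre-release such as "16beta1")."""
    m = _VERSION_RE.search(text)
    return (int(m.group(1)), int(m.group(2))) if m else None


def assess(text: str) -> dict:
    """Classify the version in `text` for CVE-2025-1094.

    status: affected      minor is below the first fix in that major line
            fixed         minor is at or above the first fix
            unknown_major major line not in the matrix (e.g. EOL 12.x);
                          report it as unverified, never as safe
            unparsed      no release number could be read
    """
    parsed = parse_version(text)
    if parsed is None:
        return {"status": "unparsed", "version": None, "fix": None}
    major, minor = parsed
    fix = FIXED_MINOR.get(major)
    if fix is None:
        return {"status": "unknown_major", "version": f"{major}.{minor}", "fix": None}
    status = "fixed" if minor >= fix else "affected"
    return {"status": status, "version": f"{major}.{minor}", "fix": f"{major}.{fix}"}


if __name__ == "__main__":
    # Constructed samples: the report's current and planned versions plus edge cases.
    for sample in (
        "PostgreSQL 13.2 on x86_64-pc-windows, compiled by msvc",  # SSM 2.18
        "psql (PostgreSQL) 13.20",                                 # SSM 2.19 target
        "12.22",                                                   # not in matrix
        "PostgreSQL 16beta1",                                      # no release number
    ):
        print(f"{sample!r:60} -> {assess(sample)}")
```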

3. SSM Environment Assessment

  • PostgreSQL Version:
    • SSM 2.18 (and earlier versions) ships PostgreSQL 13.2, which is older than 13.19, the first fixed release in the 13.x line; the installed version is therefore within the affected range.
  • Remote Access Restrictions:
    • Remote connections to the database port are blocked in the SSM 2.18 environment.
    • The psql> prompt can only be reached locally, on the device (PC) where SSM is installed, so the issue cannot be exploited remotely from outside.
  • Functionality Limitations:
    • SSM 2.18 exposes no feature through its application interface that lets users craft SQL queries or reach the psql> prompt.

4. Risk Evaluation

  • Low Impact Assessment:
    • Because the PostgreSQL prompt cannot be reached remotely and the application exposes no feature through which the flaw could be triggered, the actual risk posed by CVE-2025-1094 in the current SSM 2.18 (or earlier) operational environment is assessed as low.

5. Mitigation & Recommendations

  • Planned Update:
    • No immediate action is required given the low risk level.
    • The PostgreSQL upgrade from 13.2 to a fixed version (13.20) is planned for the SSM 2.19 release (July 2025).