CVE-2025-56385 Wellsky Harmony SQL Injection

Background

A SQL injection vulnerability has been identified in WellSky Harmony v4.1.0.2.83 affecting the xmHarmony.asp login endpoint. WellSky Harmony is used for healthcare and related administrative workflows. User-supplied input to a login parameter is not properly sanitized before being incorporated into a SQL query. Successful exploitation could enable authentication bypass, disclosure of sensitive data, or full compromise of backend database contents. The product is reported to be End-Of-Life/End-Of-Support (EOL/EOS), so vendor remediation may not be available.

Vulnerability

The vulnerability exists in the login workflow of WellSky Harmony in which input provided to the TXTUSERID field of the xmHarmony.asp endpoint is incorporated directly into a backend SQL query without proper sanitization or parameterization. Because this page is typically accessed before any form of authentication occurs, a remote attacker can interact with it simply by sending crafted HTTP requests to the login interface.

By supplying SQL control characters or expressions within the TXTUSERID parameter, an attacker may alter the intended database query. This can result in bypassing normal authentication procedures, allowing the attacker to gain access to application functionality or impersonate valid users. Where the underlying database account has sufficient privileges, the attacker may also be able to retrieve sensitive information, such as user records, system configuration values, or stored personally identifiable information, modify or delete data, or in severe cases, achieve full compromise of the backend database instance.

Signs of possible exploitation include unexpected log entries where requests to xmHarmony.asp contain single quotes, comment sequences, statement terminators, UNION operators, or similar SQL metacharacters, including their URL-encoded equivalents. In addition, application logs may show SQL syntax errors or unusual database response delays, particularly where time-based injection techniques are used to extract data without returning visible error messages.

Recommendations

Because the product is already EOL:

  • Restrict network access to Harmony. Remove public internet exposure; enforce VPN or management-network access only.

  • Implement a Web Application Firewall. Use a WAF or reverse proxy to block requests to xmHarmony.asp that contain SQL metacharacters or suspicious patterns. Prefer positive whitelisting for TXTUSERID where feasible (strict regex for allowed characters/length).

  • Harden monitoring. Increase logging for web and database access, enable alerts for SQL errors and anomalous login activity.

  • Reduce DB privileges and monitor. Ensure the application database account operates with least privilege and monitor for suspicious activities.

  • Migrate off the EOL product to a supported platform where viable.

  • If a vendor patch becomes available, apply updates promptly and verify in a test environment.
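The following script is an added example, not part of the advisory or of WellSky's product, that demonstrates both the log review described under "Signs of possible exploitation" and the positive allowlist for TXTUSERID recommended above. It parses a handful of constructed access-log lines, fully URL-decodes the TXTUSERID value (so double-encoded payloads are not missed), applies a strict allowlist regex, and only then looks for the SQL metacharacter families the advisory names (quotes, comment sequences, statement terminators, UNION, time-delay expressions). The log format, the sample lines, and the allowlist pattern are all assumptions to be adapted to the real deployment; in particular, the login form is submitted by POST and IIS access logs do not record request bodies, so in production the same `classify_userid` logic belongs in the WAF or reverse proxy where the decoded form body is available.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Assumption: Harmony user IDs are 1-32 characters of letters, digits, dot, underscore or hyphen.
# Adjust this to the real user-ID format before deploying as a WAF rule.
USERID_ALLOWED = re.compile(r"^[A-Za-z0-9._-]{1,32}$")

# SQL metacharacter families named in the advisory, matched against the fully decoded value.
SQL_SIGNALS = {
    "single_quote": re.compile(r"'"),
    "comment_seq": re.compile(r"--|/\*"),
    "statement_terminator": re.compile(r";"),
    "union_select": re.compile(r"\bunion\b.*\bselect\b", re.I),
    "boolean_tautology": re.compile(r"\b(or|and)\b\s*['\"]?\w+['\"]?\s*=\s*['\"]?\w+", re.I),
    "time_delay": re.compile(r"\b(waitfor\s+delay|sleep\s*\(|benchmark\s*\()", re.I),
}

# Constructed log format (assumption): "<date> <time> <client-ip> <method> <uri> <status>"
LOG_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<uri>\S+) (?P<status>\d{3})$")

# Constructed sample lines; the IPs are documentation ranges, not real clients.
SAMPLE_LOG = [
    "2025-01-15 10:00:01 203.0.113.5 POST /xmHarmony.asp?TXTUSERID=jdoe&TXTPASSWORD=***** 302",
    "2025-01-15 10:00:05 198.51.100.7 POST /xmHarmony.asp?TXTUSERID=admin%27+OR+%271%27%3D%271%27--&TXTPASSWORD=x 200",
    "2025-01-15 10:00:09 198.51.100.7 POST /xmHarmony.asp?txtuserid=x%2527%253B%2520WAITFOR%2520DELAY%2520%25270%253A0%253A5%2527--&TXTPASSWORD=x 200",
    "2025-01-15 10:00:12 203.0.113.9 GET /index.asp?id=1 200",
    "2025-01-15 10:00:20 203.0.113.5 POST /xmHarmony.asp?TXTUSERID=jdoe%40example.com&TXTPASSWORD=***** 401",
]


def fully_decode(value, max_rounds=3):
    """URL-decode repeatedly (bounded) so double-encoded payloads are normalised."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def query_params(query):
    """Split a raw query string without decoding values, keying parameter names case-insensitively.

    Classic ASP's Request collection is case-insensitive, so TXTUSERID and txtuserid hit the same code.
    """
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, val = pair.partition("=")
        params.setdefault(unquote_plus(key).upper(), []).append(val)
    return params


def classify_userid(raw_value):
    """Return (verdict, signals): 'allow' if the value passes the allowlist, 'block' if SQL
    metacharacters are present, 'review' if it merely fails the allowlist."""
    value = fully_decode(raw_value)
    if USERID_ALLOWED.fullmatch(value):
        return "allow", []
    hits = [name for name, rx in SQL_SIGNALS.items() if rx.search(value)]
    return ("block" if hits else "review"), hits


def scan_log(lines):
    """Yield one finding per TXTUSERID value sent to xmHarmony.asp, in log order."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("uri"))
        if parts.path.lower() != "/xmharmony.asp":
            continue
        for raw in query_params(parts.query).get("TXTUSERID", []):
            verdict, signals = classify_userid(raw)
            findings.append({
                "ts": m.group("ts"),
                "ip": m.group("ip"),
                "raw": raw,
                "decoded": fully_decode(raw),
                "verdict": verdict,
                "signals": signals,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['verdict']:6} {f['decoded']!r} {f['signals']}")
```

The three-way verdict is deliberate: an allowlist miss that carries no SQL signal (an e-mail-style ID in the sample) should be queued for human review and used to tune the pattern, not blocked outright, whereas any value that both fails the allowlist and contains a quote, comment sequence, terminator, UNION or delay expression is a block-and-alert event that also warrants checking the database logs for syntax errors or slow responses around the same timestamp.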
