Critical SQL Injection in TitanTransfer MFT (CVE-2025-29803)
A high-severity second-order SQL injection vulnerability has been discovered in the TitanTransfer Managed File Transfer (MFT) solution. This flaw, tracked as CVE-2025-29803 and nicknamed “Data Taint,” allows a low-privileged user to gain full control over the application’s database, leading to a complete system compromise. It has a CVSS score of 8.8 (High).
TL;DR:
- What: A second-order SQL injection vulnerability that allows a low-privilege user to execute arbitrary SQL commands.
- Affected Software: TitanTransfer versions 5.2.0 through 6.1.3.
- Impact: An attacker can exfiltrate all data, steal user credentials, and potentially gain control of the underlying server.
- Action: Update to version 6.1.4 or newer immediately. You must also audit your user database for malicious payloads.
What is TitanTransfer?
TitanTransfer is an enterprise-grade Managed File Transfer (MFT) solution used by corporations to securely automate, manage, and monitor sensitive data transfers between systems and people. It often serves as a central hub for critical business files.
The “Data Taint” Vulnerability Explained
Unlike a standard SQL injection, a second-order SQL injection is a two-step attack. The malicious input isn’t immediately executed. Instead, it’s safely stored in the database first, only to be used unsafely later in a different context. It’s like a data time bomb.
The Attack Flow:
- Injection: An attacker with a low-privilege account logs into TitanTransfer. They go to their user profile and set their “Full Name” to a malicious SQL payload. For example:
Alice' UNION SELECT username, password_hash, '1' FROM system_users--
- Storage: The application safely saves this string to the users table in the database. No harm is done at this stage.
- Execution: Later, an administrator logs in and views a page that generates audit logs, such as the “User Activity Report.” To build this report, the application fetches the “Full Name” from the database and includes it in a new, different SQL query without proper sanitization.
- Trigger: The unsafe query is executed, the attacker’s payload triggers, and the results—containing all system usernames and password hashes—are displayed in the report generated for the administrator.
The vulnerable code that triggers the payload might look something like this:
Java
// Vulnerable query in the audit log generator
String userName = user.getFullNameFromDB(); // Fetches the tainted name: "Alice' UNION SELECT..."
String query = "SELECT action, timestamp, ip_address FROM audit_logs WHERE user_name = '" + userName + "'";
// The query becomes injectable, as the tainted userName is concatenated directly.
db.execute(query);
This subtle attack vector is often missed by automated scanners because the initial data insertion appears safe.
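To make the two-step flow concrete, here is an added, self-contained Python/SQLite reproduction of the pattern above. It is not TitanTransfer code; the table names, the two sample system users, the audit rows and the user ids are constructed for the demonstration, and only the payload string is taken from the advisory text. The profile write is parameterised (so storage is harmless, as step 2 says), the report function mirrors the advisory's concatenation defect, and the fixed report shows that parameterising the second query is what actually removes the bug, regardless of what the stored name contains.

```python
import sqlite3

# Payload quoted from the advisory text; everything around it is constructed sample data.
TAINTED_NAME = "Alice' UNION SELECT username, password_hash, '1' FROM system_users--"


def build_db() -> sqlite3.Connection:
    """Create an in-memory database with constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, full_name TEXT);
        CREATE TABLE system_users (username TEXT, password_hash TEXT);
        CREATE TABLE audit_logs (action TEXT, timestamp TEXT, ip_address TEXT, user_name TEXT);
        INSERT INTO system_users VALUES ('admin', 'hash-admin-CONSTRUCTED');
        INSERT INTO system_users VALUES ('svc_backup', 'hash-backup-CONSTRUCTED');
        INSERT INTO audit_logs VALUES ('login', '2025-01-01T00:00:00Z', '10.0.0.5', 'Alice');
        INSERT INTO audit_logs VALUES ('login', '2025-01-01T00:05:00Z', '10.0.0.9', 'Bob Smith');
        """
    )
    # Steps 1 and 2 (Injection, Storage): the profile update is parameterised,
    # so the payload is stored verbatim and does nothing at this point.
    con.execute("INSERT INTO users (full_name) VALUES (?)", (TAINTED_NAME,))  # id 1
    con.execute("INSERT INTO users (full_name) VALUES (?)", ("Bob Smith",))   # id 2
    con.commit()
    return con


def activity_report_vulnerable(con: sqlite3.Connection, user_id: int) -> list:
    """Steps 3 and 4 as the advisory describes them: the stored name is trusted
    and concatenated into a second query. This is the defect, kept on purpose."""
    (name,) = con.execute("SELECT full_name FROM users WHERE id = ?", (user_id,)).fetchone()
    query = ("SELECT action, timestamp, ip_address FROM audit_logs "
             "WHERE user_name = '" + name + "'")
    return con.execute(query).fetchall()


def activity_report_fixed(con: sqlite3.Connection, user_id: int) -> list:
    """Same report with the second query parameterised: the stored value is
    only ever compared as data, whatever characters it contains."""
    (name,) = con.execute("SELECT full_name FROM users WHERE id = ?", (user_id,)).fetchone()
    return con.execute(
        "SELECT action, timestamp, ip_address FROM audit_logs WHERE user_name = ?",
        (name,),
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", activity_report_vulnerable(db, 1))  # includes system_users rows
    print("fixed:     ", activity_report_fixed(db, 1))       # no rows: the name is just data
    print("fixed Bob: ", activity_report_fixed(db, 2))       # legitimate report still works
```

The point to take from the run: the database-level "safe" insert in `build_db` is exactly why scanners that only watch the input boundary miss this class of bug; the trust decision happens later, in `activity_report_vulnerable`, on data that already came from the database.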
Impact and Remediation
The impact of this vulnerability is severe. An attacker can use this flaw to:
- Read the entire contents of the application database.
- Exfiltrate all files managed by the TitanTransfer system by accessing file metadata and paths.
- Steal administrator and user credential hashes, leading to account takeovers.
- Potentially achieve Remote Code Execution (RCE) if the database has sufficient privileges to interact with the operating system.
Are you affected? You are vulnerable if you are using any version of TitanTransfer from 5.2.0 through 6.1.3.
How to Fix It: The TitanTransfer team has issued a security update that ensures all data retrieved from the database is properly sanitized before being used in subsequent queries.
- Apply the Update: The highest priority is to update your TitanTransfer instance to version 6.1.4 or newer by downloading the patch from the customer support portal.
- Audit Existing Data (Crucial): Because malicious data may already be stored in your database, you must manually inspect user profile fields (like full_name, department, etc.) for any suspicious SQL syntax. Remove any malicious entries found.
- Rotate Credentials: As a best practice after a database security incident, rotate all database user passwords and application secrets.
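The audit step above is easy to do badly by hand across thousands of profiles, so here is an added Python helper (not TitanTransfer tooling) that scans exported profile values for SQL syntax that has no business in a name or department field. It assumes you have exported `(user_id, field, value)` rows from the users table; the sample rows, user ids and department strings below are constructed. A lone apostrophe is reported at low severity so that legitimate names such as O'Brien are listed for review rather than treated as findings.

```python
import re

# Heuristics for SQL syntax that should never appear in a profile field.
# Order matters only for the order of indicators in the output.
PATTERNS = {
    "sql_comment": re.compile(r"--|/\*"),
    "union_select": re.compile(r"\bUNION\b(\s+ALL)?\s+SELECT\b", re.IGNORECASE),
    "stacked_statement": re.compile(
        r";\s*(DROP|DELETE|UPDATE|INSERT|ALTER|EXEC|CREATE)\b", re.IGNORECASE
    ),
    "tautology": re.compile(r"\bOR\b\s+'?\w+'?\s*=\s*'?\w+'?", re.IGNORECASE),
}


def scan_value(value):
    """Return the list of indicator names matched by one stored value."""
    hits = [name for name, rx in PATTERNS.items() if rx.search(value)]
    # An odd number of single quotes is what breaks out of a quoted literal;
    # on its own it is also what a real Irish surname looks like.
    if value.count("'") % 2 == 1:
        hits.append("unbalanced_quote")
    return hits


def audit_profiles(rows):
    """rows: iterable of (user_id, field, value) exported from the users table.

    Returns one finding per suspicious row. Severity is 'high' when any SQL
    syntax pattern matched and 'low' when only a lone quote was seen.
    """
    findings = []
    for user_id, field, value in rows:
        hits = scan_value(value or "")
        if not hits:
            continue
        severity = "high" if any(h != "unbalanced_quote" for h in hits) else "low"
        findings.append(
            {"user_id": user_id, "field": field, "severity": severity, "indicators": hits}
        )
    return findings


# Constructed sample export; row 1 carries the payload string from the advisory.
SAMPLE_ROWS = [
    (1, "full_name", "Alice' UNION SELECT username, password_hash, '1' FROM system_users--"),
    (2, "full_name", "Conor O'Brien"),
    (3, "department", "R&D"),
    (4, "department", "Sales; DROP TABLE audit_logs--"),
    (5, "full_name", "x' OR '1'='1"),
]


if __name__ == "__main__":
    for finding in audit_profiles(SAMPLE_ROWS):
        print(f"user {finding['user_id']:>4}  {finding['field']:<11} "
              f"{finding['severity']:<4}  {', '.join(finding['indicators'])}")
```

Run it against a full export of every free-text profile column, not only the two named in the advisory, and treat the high-severity rows as the ones to remove before the patched version is put back in front of administrators. Regular expressions are a triage aid, not proof of absence; the parameterised query in the vendor fix is what closes the hole.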
Resources and Citations
- Official TitanTransfer Security Portal:
https://support.titantransfer.com/security/advisories/TT-2025-08-12-1
- NVD Entry:
https://nvd.nist.gov/vuln/detail/CVE-2025-29803
- Discoverer’s Technical Blog: A detailed analysis has been published by the Dutch security firm Fox-IT:
https://www.fox-it.com/en/blog/second-order-sqli-in-titantransfer/