Answer Brief
TWCERT/CC published a Taiwan Vulnerability Note for two critical SQL injection vulnerabilities affecting Digiwin’s EasyFlow.NET workflow platform. Both issues are rated CVSS 9.8 and allow unauthenticated remote attackers to inject arbitrary SQL, potentially enabling database read, modification, and deletion. Organizations running affected EasyFlow.NET versions are advised by TWCERT/CC to upgrade to specified fixed releases or apply patches dated 2026-01-20.

Why It Matters
TWCERT/CC’s advisory flags two separate SQL injection vulnerabilities in Digiwin’s EasyFlow.NET product line, both scored in the highest (“critical”) CVSS severity band, the band commonly associated with straightforward, unauthenticated exploitation over the network. The advisory states that an unauthenticated remote attacker can inject arbitrary SQL statements, which can lead to reading, modifying, or deleting database contents.
Why this matters beyond Taiwan: EasyFlow.NET is positioned as an enterprise workflow/BPM system; these systems often sit at the junction of identity, approvals, and business processes, and they typically maintain high-value data (forms, requests, internal records) in back-end databases. SQL injection in such a platform can become a direct path to broad data exposure or destructive integrity/availability impacts. Even when exploitation is “only” database-level per the advisory, the downstream effects can extend into audit trails, process control, and operational continuity—concerns shared by global security, cloud, and infrastructure risk teams.
The impacted version ranges listed by TWCERT/CC suggest that multiple major branches are affected. Remediation guidance is version-specific: CVE-2026-5963 requires upgrading to EasyFlow.NET v8.1.5 or later (or applying a patch updated to the 2026-01-20 level), while CVE-2026-5964 requires upgrading to v8.1.3 or later (or the same patch level). The vulnerabilities were reported by MksYi of CHT Security, per the advisory.
Unknowns based on the source: TWCERT/CC does not provide exploit details, affected endpoints/parameters, or evidence of active exploitation in the notice text provided. Organizations should treat the risk as urgent due to the unauthenticated, network-exposed nature and the stated impact on database confidentiality, integrity, and availability.
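The advisory does not describe the affected code, so the following is an added, generic illustration of the vulnerability class (not EasyFlow.NET code, and not from TWCERT/CC or Digiwin): a lookup built by string concatenation sits beside the parameterized form that a fix should use. The table, rows and the `requests`/`owner` names are constructed for the demo; an in-memory SQLite database stands in for the real back end.

```python
import sqlite3


def make_db():
    """Build a small constructed workflow table in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE requests (id INTEGER PRIMARY KEY, owner TEXT, title TEXT)"
    )
    conn.executemany(
        "INSERT INTO requests (owner, title) VALUES (?, ?)",
        [
            ("alice", "Leave request"),
            ("bob", "Purchase order"),
            ("carol", "Access review"),
        ],
    )
    return conn


def lookup_vulnerable(conn, owner):
    """Anti-pattern: untrusted input is spliced into the SQL text.

    Whatever the caller supplies becomes part of the query's syntax, so a
    value containing quotes or operators changes what the query means
    instead of being treated as data. This is the pattern behind the
    vulnerability class the advisory describes.
    """
    sql = "SELECT title FROM requests WHERE owner = '" + owner + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, owner):
    """Hardened form: the value travels as a bound parameter.

    The SQL text is fixed; the driver passes the value separately, so it
    can only ever match (or fail to match) the owner column.
    """
    sql = "SELECT title FROM requests WHERE owner = ?"
    return [row[0] for row in conn.execute(sql, (owner,))]


def compare(conn, owner):
    """Return (vulnerable_result, parameterized_result) for the same input."""
    return lookup_vulnerable(conn, owner), lookup_parameterized(conn, owner)


if __name__ == "__main__":
    db = make_db()
    # A well-formed value behaves the same either way.
    print(compare(db, "alice"))
    # A value carrying a tautology exposes the difference: the concatenated
    # query returns every row, the parameterized query returns none.
    print(compare(db, "x' OR '1'='1"))
```

Running the block shows the two functions agreeing on ordinary input and diverging on input that carries SQL syntax; the parameterized query is the only one whose result set is bounded by the `owner` column. For code review or detection engineering, the thing to look for is the first pattern: query text assembled from request data, whether by `+`, `%`, f-strings or `string.Format`, rather than bound parameters.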
Event Type: security
Importance: high
Affected Companies
- Digiwin (鼎新數智)
Affected Sectors
- Cybersecurity
- Enterprise Software
- IT Operations
- Workflow / BPM
Key Numbers
- TVN ID: TVN-202604006
- CVE-2026-5963 CVSS: 9.8 (Critical) — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- CVE-2026-5964 CVSS: 9.8 (Critical) — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Public disclosure date (TWCERT/CC): 2026-04-20
- Patch date referenced by TWCERT/CC: 2026-01-20
Timeline
- TWCERT/CC references a patch level dated 2026-01-20 as a remediation option for both CVEs.
- TWCERT/CC publishes TVN-202604006 covering CVE-2026-5963 and CVE-2026-5964 affecting Digiwin EasyFlow.NET.