CVE-2020-26525

CRITICAL

Damstra Smart Asset <2020.7 - SQL Injection

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-26525. PoCs published by lukaszstu.

AI-analyzed exploit summary This PoC demonstrates SQL injection in Damstra Smart Asset 2020.7 via the API/api/Asset originator parameter, using xp_dirtree for DNS exfiltration. The request triggers a DNS lookup to a remote server, confirming the vulnerability.

Description

Damstra Smart Asset 2020.7 has SQL injection via the API/api/Asset originator parameter. This allows forcing the database and server to initiate remote connections to third party DNS servers.

Exploits (1)

nomisec WORKING POC 1 stars
by lukaszstu · poc
https://github.com/lukaszstu/SmartAsset-SQLinj-CVE-2020-26525

This PoC demonstrates SQL injection in Damstra Smart Asset 2020.7 via the API/api/Asset originator parameter, using xp_dirtree for DNS exfiltration. The request triggers a DNS lookup to a remote server, confirming the vulnerability.

Classification
Working Poc 90%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: Damstra Smart Asset 2020.7
Auth required
Prerequisites: Valid authentication token · Network access to the target API
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Scores

CVSS v3 9.1
EPSS 0.2550
EPSS Percentile 97.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Details

CWE
CWE-89
Status published
Products (1)
damstratechnology/smart_asset 2020.7
Published Oct 02, 2020
Tracked Since Feb 18, 2026