Overview of Vulnerability
Vulnerability Type: SQL Injection
Date Reported: March 10, 2025
Status: Resolved and Patched
Disclosure Method: Responsible Disclosure by Searchlight Cyber/Asset Note
Versions containing resolution
Stable
2.174.94 (or any version that begins with 2.174 and ends with a number greater than 94 – for example 2.174.103)
Candidate
2.184.23 (or any version that begins with 2.184 and ends with a number greater than 23 – for example 2.184.35)
Beta
2.186.2 (or any version that begins with 2 and is followed by a number greater than 186 – for example 2.187.1)
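To turn the three version rules above into a repeatable check for an on-premise estate, here is an added Python example (not Halo's code or part of the advisory): it maps an installed version string onto the fixed versions listed above and reports whether that build contains the fix. Treating version lines the advisory does not mention (2.175 to 2.183, 2.185, or a major other than 2) as "unknown", and the sample inventory, are assumptions made here.

```python
import re
from typing import Dict, Iterable, Tuple

# Fixed versions as listed in the advisory, keyed by release channel.
FIXED = {"stable": (2, 174, 94), "candidate": (2, 184, 23), "beta": (2, 186, 2)}
INTRODUCED = (2, 11, 13)  # release that introduced the flaw, per the advisory
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)\s*$")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH' (optional leading 'v') into a tuple of ints."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def classify(version: str) -> str:
    """Return 'fixed', 'vulnerable', 'not_affected' or 'unknown'.

    'unknown' covers lines the advisory does not mention (2.175-2.183, 2.185,
    or a major other than 2); treat those as needing vendor confirmation.
    """
    v = parse_version(version)
    major, minor, patch = v
    if major != 2:
        return "unknown"
    if v < INTRODUCED:
        return "not_affected"  # predates the release that introduced the flaw
    if minor > FIXED["beta"][1]:
        return "fixed"  # beta rule: any minor above 186 on major version 2
    for _, fixed_minor, fixed_patch in FIXED.values():
        if minor == fixed_minor:
            return "fixed" if patch >= fixed_patch else "vulnerable"
    if minor < FIXED["stable"][1]:
        return "vulnerable"  # from 2.11.13 up to the stable fix line
    return "unknown"


def audit(versions: Iterable[str]) -> Dict[str, str]:
    """Classify each installed version, e.g. from an on-premise asset inventory."""
    return {v: classify(v) for v in versions}


if __name__ == "__main__":
    # Constructed sample inventory, not real customer data.
    sample = ["2.174.103", "2.174.90", "2.184.23", "2.186.1", "2.187.1", "2.150.3", "2.10.0"]
    for ver, verdict in audit(sample).items():
        print(f"{ver:>10}  {verdict}")
```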
Scope and Root Cause Analysis
The vulnerability allowed SQL injection on an unauthenticated endpoint via a specially crafted payload. A complete root cause analysis has been conducted, identifying that the vulnerability was introduced in version 2.11.13, released on 2020-06-12. Despite undergoing multiple internal and third-party penetration assessments, the issue persisted undetected due to the complex nature of the payload required. This significantly reduced the possibility of exploit or data compromise.
It is worth mentioning that this vulnerability was introduced in 2020 and our internal development practices have significantly improved since. In addition, no further vulnerabilities of this type have been discovered as part of the research.
Data Exposure and Impact
Discovery and Remediation Timeline
- Date Introduced: 2020-06-12 (v2.11.13)
- Date Reported: 2025-03-10
- Patch Deployed: Same day for all hosted customers (2025-03-10)
- Response Time: Immediate patch deployment upon notification
Searchlight Cyber/Asset Note published their findings earlier than we anticipated, which left some on-premise customers exposed for a short period of time.
We have assisted a number of these customers with investigations to find evidence of compromise or exploit but have so far found none.
Frequency and Coverage
We conduct full Authentication and API penetration tests annually through a CREST-accredited third-party security firm to ensure independent, high-quality assessments. In addition to these external reviews, internal penetration tests are performed before each quarterly stable release, enabling us to identify and address potential vulnerabilities proactively within our development cycle.
Testing Methodology
Our penetration testing process includes both authenticated and unauthenticated testing to ensure thorough coverage across all access levels. These assessments are carried out by a combination of internal security teams and external specialists, providing a well-rounded evaluation of our systems from multiple perspectives.
Last Security Assessment (Penetration Test)
A comprehensive penetration test was completed on January 10th, 2025. The management summary from the report is available and can be shared upon request for further transparency.
Coding Standards and Developer Training
All developers at Halo are trained in secure coding standards and follow industry-recognized best practices, including those outlined by OWASP. This training is refreshed periodically to ensure alignment with the latest threats and mitigation techniques.
Code Review & Automation
All code changes undergo a rigorous multi-step approval process that includes review by a senior member of the security team, who is specifically responsible for evaluating potential security risks. In addition, we employ Static Application Security Testing (SAST) tools throughout the development process, enabling early detection of vulnerabilities and promoting secure coding practices from the outset.
Attack Surface Management
While the number of API endpoints cannot be reduced due to essential functional requirements—such as the need to accept webhook responses—our focus remains on maintaining and continuously strengthening our overall security posture. We have already been conducting rigorous assessments of unauthenticated endpoints as part of our regular security practices, which is why, despite the presence of multiple unauthenticated endpoints, the recent review did not identify any additional vulnerabilities. These endpoints are carefully evaluated, monitored, and only used when absolutely necessary to minimize risk.
Infrastructure Segmentation
In our hosted environments, functional separation is enforced across key components—including the API, authentication, and integration services—to reduce the risk of lateral movement in the event of a compromise. Furthermore, databases and database servers are isolated from application layers, and all encrypted data is only decrypted by the API and authentication services, ensuring a strong boundary between data storage and access mechanisms.
Effectiveness Validation
To strengthen our overall security posture, we are engaging multiple third-party security firms to provide additional oversight and independent validation of our systems. In parallel, we are expanding and enhancing our internal security checks to ensure greater coverage, deeper analysis, and continuous improvement across all phases of development and deployment.
Security Communication
We acknowledge that some customers became aware of this vulnerability through a third-party security research publication, prior to receiving direct communication from Halo. This was due in part to the unexpected timing of the external report’s release, which occurred while we were still actively supporting on-premise customers with their upgrade process.
We recognize the importance of proactive and timely communication and have since taken steps to improve our internal procedures. Going forward, we will ensure that all hosted customers are notified promptly once a patch has been applied, regardless of the status of on-premise rollouts.