Y-Security discovered multiple vulnerabilities affecting the TIM BPM Suite / TIM FLOW software by TIM Solutions GmbH. Affected versions include at least all versions below 9.1.2.
| Type of Issue | CVE | CVSS |
|---|---|---|
| Incorrect Access Control | CVE-2025-67278 | Critical – 10.0 |
| Use of a Broken or Risky Cryptographic Algorithm | CVE-2025-67279 | High – 7.5 |
| HQL Injection | CVE-2025-67280 | High – 8.6 |
| SQL Injection | CVE-2025-67281 | High – 7.7 |
| Incorrect Access Control | CVE-2025-67282 | High – 8.3 |
Summary
TIM BPM Suite / TIM FLOW is a web-based platform for the digital modelling, automation and optimization of business processes. The application enables workflows to be designed efficiently, tasks to be coordinated and processes to be documented and executed in an audit-proof manner. It provides both user interfaces for process participants and interfaces for integration into existing IT systems.
The Incorrect Access Control (CVE-2025-67278) vulnerability allows a remote attacker to escalate privileges from an unauthenticated user to an authenticated service user via crafted HTTP requests. This access can then be combined with the further vulnerabilities in the application described below.
The Use of a Broken or Risky Cryptographic Algorithm (CVE-2025-67279) vulnerability allows a remote attacker to gain access to password hashes that were stored either unhashed or with weak hashing algorithms.
The HQL Injection (CVE-2025-67280) vulnerabilities allow a low-privileged user to extract the passwords of other users and to access sensitive data of other users.
The SQL Injection (CVE-2025-67281) vulnerabilities allow low-privileged and administrative users to access the database and its content.
The Incorrect Access Control (CVE-2025-67282) vulnerabilities allow a low-privileged user to download the password hashes of other users, access the work items of other users, modify restricted content in workflows, modify the application's logo and manipulate the profiles of other users.
Mitigation & Recommendation
The vendor states on its release page that the identified vulnerabilities have been remediated. As of now, the implemented security measures have not been verified by Y-Security.
We closely follow the OWASP Guidelines when performing penetration tests, and we recommend following the OWASP Cheat Sheet Series, in particular the SQL Injection Prevention Cheat Sheet, the Authorization Cheat Sheet and the Password Storage Cheat Sheet.
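The three cheat sheets recommended above map directly onto the three vulnerability classes in this advisory: query injection, missing object-level authorization, and weak password storage. The following added example (written for this page, not code from TIM Solutions or the TIM BPM Suite) shows each mitigation in a small self-contained Python program against an in-memory SQLite database. The table and column names, the sample users and work items, and the function names are all constructed for illustration; the hardened forms follow the OWASP guidance of parameterized queries, an ownership check inside the data-access query, and PBKDF2-HMAC-SHA256 with a per-user random salt for password storage.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import List, Optional, Tuple

# OWASP Password Storage Cheat Sheet recommendation for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted password hash. Storing plain text or an unsalted fast
    hash (MD5/SHA-1) is the 'broken or risky algorithm' weakness."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def setup_db() -> sqlite3.Connection:
    """Constructed schema standing in for a workflow application's user and
    work-item tables (hypothetical names, not the product's real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw_hash BLOB, pw_salt BLOB);
        CREATE TABLE work_items (id INTEGER PRIMARY KEY, owner_id INTEGER, title TEXT);
        INSERT INTO work_items VALUES (1, 1, 'alice item');
        INSERT INTO work_items VALUES (2, 2, 'bob item');
        """
    )
    for uid, name, pw in [(1, "alice", "correct horse"), (2, "bob", "battery staple")]:
        salt = os.urandom(16)  # fresh random salt per user
        conn.execute(
            "INSERT INTO users VALUES (?, ?, ?, ?)", (uid, name, hash_password(pw, salt), salt)
        )
    return conn


def find_user_unsafe(conn: sqlite3.Connection, name: str) -> List[Tuple[int, str]]:
    """VULNERABLE pattern: user input is concatenated into the query text, so a
    quote character in the input changes the structure of the statement."""
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> List[Tuple[int, str]]:
    """Hardened form: the driver binds the value as data; it can never become
    part of the query grammar. The same rule applies to HQL positional or
    named parameters."""
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


def get_work_item(conn: sqlite3.Connection, requester_id: int, item_id: int) -> Optional[Tuple]:
    """Object-level authorization: the ownership check is part of the query,
    so a user cannot read another user's work item by supplying its id."""
    return conn.execute(
        "SELECT id, owner_id, title FROM work_items WHERE id = ? AND owner_id = ?",
        (item_id, requester_id),
    ).fetchone()


def verify_password(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Recompute the salted hash and compare in constant time."""
    row = conn.execute("SELECT pw_hash, pw_salt FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(hash_password(password, row[1]), row[0])


if __name__ == "__main__":
    db = setup_db()
    probe = "x' OR '1'='1"  # classic textbook input from the OWASP cheat sheet
    print("unsafe lookup rows:", len(find_user_unsafe(db, probe)))  # 2: query structure changed
    print("safe lookup rows:  ", len(find_user_safe(db, probe)))    # 0: treated as a literal name
    print("bob reading alice's item:", get_work_item(db, 2, 1))     # None
    print("alice login ok:", verify_password(db, "alice", "correct horse"))
```

The unsafe function is kept only to make the contrast observable: with the same input the parameterized query returns no rows, while the concatenated one returns every user. In a real code review, every query built from string concatenation or formatting should be rewritten to the parameterized form, and every data-access path that takes an object id should carry the caller's identity into the query as shown in `get_work_item`.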
Disclosure Policy
At Y-Security we take security vulnerabilities seriously and follow a responsible disclosure policy. The 90-day disclosure deadline was exceeded and therefore we decided to disclose the vulnerabilities.
Disclosure Timeline
| DATE | COMMENT |
|---|---|
| 18.08.2025 | Y-Security discovered security vulnerability & communicated to client and vendor |
| 18.09.2025 | Silent fix by vendor |
| 04.11.2025 | Verification whether the silent fix addresses the reported vulnerabilities |
| 05.11.2025 | Vendor confirmed silent fix |
| 16.12.2025 | CVEs assigned |
| 09.01.2026 | Y-Security disclosed the vulnerabilities after the 90-day period |
Author
Christian Becker
christian@y-security.de
Y-Security GmbH
09. January 2026
