📄 Description (English)
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Vadi Corporate Information Systems Ltd. Co. DIGIKENT allows Excavation.This issue affects DIGIKENT: through 13092025.
🤖 AI Executive Summary
CVE-2025-9986 is a high-severity information disclosure vulnerability (CVSS 8.2) in DIGIKENT by Vadi Corporate Information Systems that exposes sensitive system information to unauthorized parties. The vulnerability affects DIGIKENT versions through September 13, 2025, and could enable attackers to gain critical insights into system architecture and configuration. While no public exploit is currently available, the high CVSS score and information disclosure nature make this a significant risk requiring immediate patching.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Apr 25, 2026 20:19
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability poses significant risk to Saudi government entities, particularly those using DIGIKENT for corporate information management. Government agencies under NCA oversight, banking sector organizations managing sensitive financial data, and healthcare institutions storing patient information are at elevated risk. The exposure of system information could facilitate reconnaissance for follow-up attacks targeting critical infrastructure. Saudi organizations in the energy sector and telecommunications industry using DIGIKENT for administrative functions are also vulnerable to competitive intelligence gathering and system compromise.
🏢 Affected Saudi Sectors
Government
Banking
Healthcare
Energy
Telecommunications
Education
Finance
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
7.8
/ 10.0
🔧 Remediation Steps (English)
1. IMMEDIATE ACTIONS:
- Identify all DIGIKENT installations in your environment and document versions
- Isolate or restrict network access to DIGIKENT systems from untrusted networks
- Review access logs for unauthorized information disclosure attempts
- Notify all stakeholders of the vulnerability and patch timeline
2. PATCHING GUIDANCE:
- Apply the latest DIGIKENT patch immediately (versions after September 13, 2025)
- Test patches in a non-production environment first
- Schedule maintenance windows for production deployment
- Verify patch application and system functionality post-deployment
3. COMPENSATING CONTROLS:
- Implement network segmentation to restrict DIGIKENT access
- Deploy Web Application Firewall (WAF) rules to block information disclosure attempts
- Enable enhanced logging and monitoring for DIGIKENT system access
- Implement strict access controls and authentication mechanisms
4. DETECTION RULES:
- Monitor for unusual information requests to DIGIKENT endpoints
- Alert on access to system configuration or metadata endpoints
- Track failed authentication attempts and privilege escalation attempts
- Monitor for data exfiltration patterns from DIGIKENT systems
🔧 خطوات المعالجة (العربية)
1. الإجراءات الفورية:
- تحديد جميع تثبيتات DIGIKENT في بيئتك وتوثيق الإصدارات
- عزل أو تقييد الوصول الشبكي لأنظمة DIGIKENT من الشبكات غير الموثوقة
- مراجعة سجلات الوصول لمحاولات الكشف غير المصرح عن المعلومات
- إخطار جميع أصحاب المصلحة بالثغرة والجدول الزمني للتصحيح
2. إرشادات التصحيح:
- تطبيق أحدث تصحيح DIGIKENT فوراً (الإصدارات بعد 13 سبتمبر 2025)
- اختبار التصحيحات في بيئة غير إنتاجية أولاً
- جدولة نوافذ الصيانة لنشر الإنتاج
- التحقق من تطبيق التصحيح وعمل النظام بعد النشر
3. الضوابط البديلة:
- تنفيذ تقسيم الشبكة لتقييد الوصول إلى DIGIKENT
- نشر قواعد جدار حماية تطبيقات الويب لحظر محاولات الكشف عن المعلومات
- تفعيل السجلات والمراقبة المحسنة لوصول نظام DIGIKENT
- تنفيذ ضوابط وصول صارمة وآليات المصادقة
4. قواعد الكشف:
- مراقبة طلبات المعلومات غير العادية لنقاط نهاية DIGIKENT
- التنبيه على الوصول إلى نقاط نهاية تكوين النظام أو البيانات الوصفية
- تتبع محاولات المصادقة الفاشلة ومحاولات تصعيد الامتيازات
- مراقبة أنماط تسرب البيانات من أنظمة DIGIKENT
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
A.5.1.1 - Information Security Policies and Procedures
A.6.1.1 - Access Control Policy
A.7.1.1 - Cryptography and Data Protection
A.8.1.1 - Asset Management
A.12.4.1 - Event Logging and Monitoring
🔵 SAMA CSF
ID.AM-2: Software Inventory
PR.AC-1: Access Control Policy
PR.DS-1: Data Security Policy
DE.CM-1: System Monitoring
DE.CM-3: Unauthorized Software Detection
🟡 ISO 27001:2022
A.5.1 - Management Direction
A.6.1 - Internal Organization
A.8.1 - Asset Responsibility
A.9.1 - Access Control Policy
A.12.4 - Logging
🟣 PCI DSS v4.0.1
Requirement 2.1 - Configuration Standards
Requirement 6.2 - Security Patches
Requirement 10.2 - Logging and Monitoring
🔗 References & Sources 1