Trust Center

Delinea is aware of the current situation in the Middle East and the associated escalation in cyber threat activity targeting technology sector infrastructure. Delinea does not own or operate data centers in the impacted regions but does deliver services via third-party cloud infrastructure providers that might be impacted based on the current threat landscape.

To date, Delinea services in the region have not been impacted, and we continue to actively monitor the situation. Further updates will be provided if and as soon as our impact assessment changes.

If you have further questions, please contact your Customer Success Manager, Engagement Manager, or Partner Manager. Please subscribe to the Delinea Trust Center for future security and other important announcements.

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Delinea Cloud Suite allows Argument Injection.

Affected Product and Version

Cloud Suite before 25.2 HF1

Resolution

Upgrade to Cloud Suite version 25.2 HF1 or later

CVE Details

• CVE ID: CVE-2026-2409
• Vulnerability Type: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
• CWE: 89
• CVSS v4.0 Score: 9.3
• CVSS v4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N
• Credit: Jess Parker (Reporter), Radu Enachi (Reporter)
• References: Release Notes

Improper Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') in Delinea Inc. Cloud Suite and Privileged Access Service.

If you're not using the latest Server Suite agents, this fix requires that you upgrade to Server Suite 2023.1 (agent 6.0.1) or later. If you cannot upgrade to Release 2023.1 (agent version 6.0.1) or later, you can choose one of the following versions: Server Suite release 2023.0.5 (agent version 6.0.0-158), or Server Suite release 2022.1.10 (agent version 5.9.1-337).

Affected Product and Version

Delinea Cloud Suite and Privileged Access Service version 25.1 HF4 and earlier

Resolution

Upgrade to version 25.1 HF5 or later

CVE Details

• CVE ID: CVE-2025-12811
• Published Date: Februrary 18, 2026
• Vulnerability Type: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
• CWE: 444
• CVSS v4.0 Score: 6.9
• CVSS v4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in Delinea Inc. Cloud Suite and Privileged Access Service.

Remediation: This issue is fixed in Cloud Suite: 25.1

Affected Product and Version

Delinea Cloud Suite and Privileged Access Service version 23.1.2 and earlier

Resolution

Upgrade to Cloud Suite version 25.1 or later

CVE Details

• CVE ID: CVE-2025-12812
• Published Date: February 18, 2026
• Vulnerability Type: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
• CWE: 89
• CVSS v4.0 Score: 5.3
• CVSS v4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

We are aware of a publicly available script that references Secret Server. This script does not exploit any new or active vulnerability within the product.  Instead, it attempts to decrypt secrets from environments where the user running it must have administrative access to both the application server and its databases.

Secret Server on-premises is delivered as an application. Delinea continuously assesses and addresses vulnerabilities across all supported components. While Delinea is responsible for maintaining the security of the application, customers are responsible for securing and hardening the environments in which they deploy and host Secret Server. Administrator access to the application server on which Secret Server on-premise is hosted provides full management control over the application. This means that if an attacker gains this level of control, they could obtain both the database data and the encryption key, which enables decryption of secrets.  Preventing unauthorized access to the hosting environment is therefore of utmost importance. To secure your configuration we recommend following security best practices such as the CIS Critical Security Controls, as well as :

• Use EFS (Encrypting File System)
• Use HSM (Hardware Security Module) that meets HSM Security Assessment Level 2
• Use DPAPI to encrypt the encryption.config file (this does not protect from the use of the tool, but does provide additional security in case the file is retrieved from backup and decryption is performed on a different machine)
• Use DoubleLock
• Protect and restrict access to the local admin account and the service account that runs Secret Server on the application server
• Protect underlying infrastructure on which Secret Server is hosted.

Note: Secret Server Cloud is not directly impacted by this issue. Please see these documentation sections for more information:
 • https://docs.delinea.com/online-help/secret-server/security-hardening/hardening-guides/security-hardening-guide/index.htm#Database
• https://docs.delinea.com/online-help/secret-server/security-hardening/hardening-guides/security-hardening-guide/index.htm#ApplicationServer
• https://docs.delinea.com/online-help/secret-server/security-hardening/hardening-guides/security-hardening-guide/index.htm#ApplicationSettings
• https://www.cisecurity.org/controls