Organizations using Halo’s ITSM, PSA, or CRM platforms are being urged to take immediate action after cybersecurity researchers uncovered a critical SQL injection vulnerability that could leave systems completely exposed to threat actors. This newly disclosed flaw highlights the ongoing risk facing software supply chains and underscores the importance of swift patch management in protecting sensitive business systems.
Summary of the Vulnerability
The vulnerability, discovered by security researchers at AssetNote, targets the PostLogin API endpoint of Halo’s platform. Attackers can exploit this flaw remotely — without any valid login credentials — by injecting malicious SQL through that endpoint into the queries the application runs against its backend database.
This is not a theoretical risk. The vulnerability is already being actively exploited in the wild, with attackers compromising unpatched systems to exfiltrate data, elevate privileges, and in some cases, create persistent administrative access.
AssetNote plans to release full technical details on June 2, 2025, which is expected to increase the scope of the threat significantly. Once this information is public, cybercriminals who were previously unaware of the vulnerability will be able to develop and distribute automated exploit tools, leading to widespread scanning and exploitation of unpatched systems.
Why This Vulnerability Matters
1. No Authentication Required
The most dangerous aspect of this vulnerability is that no login credentials are needed to execute the attack. Anyone with access to your system’s public-facing API can launch an attack, making this especially dangerous for internet-facing systems.
2. Full System Compromise
Once inside, attackers can:
- Extract sensitive database information such as usernames, passwords, API keys, and customer data.
- Create or escalate administrative accounts for persistent access.
- Modify or delete IT documentation, ticketing records, and internal audit logs.
- Disrupt operational workflows or disable systems entirely.
3. Compliance and Regulatory Risk
The deletion or alteration of ITSM data not only disrupts internal processes — it can also create compliance violations. Organizations subject to regulations like HIPAA, CMMC, GDPR, or SOC 2 may be penalized for failing to maintain proper records or access controls. Regulatory audits may reveal missing audit trails, altered tickets, or data retention failures, resulting in significant fines and reputational damage.
Who is Affected?
All organizations using Halo ITSM, Halo PSA, or Halo CRM products are potentially affected. This includes:
- Cloud-hosted customers (auto-patched by Halo)
- Self-hosted/on-premise users (manual patching required)
Because all three products are built on a shared codebase, the vulnerability impacts all versions unless they’ve been updated to at least:
🔐 Version 2.174.94 (or later)
Timeline of Events
- April 3, 2025: Initial disclosure of vulnerability by AssetNote
- Patch released: Halo released an update addressing the vulnerability
- Current: Active exploitation reported; hundreds of systems believed compromised
- June 2, 2025: Full technical details of the exploit to be released publicly
Recommended Actions
1. Patch Immediately
If your organization uses on-premise Halo products, ensure you are running at least version 2.174.94. This patch mitigates the SQL injection vulnerability. Delaying even a few days could expose your system to attackers scanning the internet for unpatched systems.
2. Audit Access Logs and System Integrity
Check logs for suspicious activity, including:
- Unauthorized admin account creation
- Sudden ticket deletions
- Irregular login attempts
- Outbound connections to unfamiliar IP addresses
If you detect anomalies, conduct a full forensic investigation and notify your incident response team immediately.
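The two checks above (running at least 2.174.94, and reviewing logs for the four indicators listed) can be scripted. The following is an added example, not code from Halo or Xact: the version comparison is numeric so that a release such as 2.9.1 is not mistaken for a patched build, and the audit runs over constructed sample log lines in an assumed "<ISO time> <EVENT> key=value ..." format, because Halo's real log format is not described here; the event names, allowlist and burst thresholds are likewise assumptions to adapt to your own environment.

```python
import re
from datetime import datetime, timedelta

MIN_PATCHED = (2, 174, 94)  # minimum fixed version named in the advisory

def parse_version(text):
    """'2.174.94' -> (2, 174, 94), so comparison is numeric, not string-wise."""
    return tuple(int(p) for p in text.strip().split("."))

def is_patched(version):
    return parse_version(version) >= MIN_PATCHED

# Constructed sample audit lines in an assumed "<ISO time> <EVENT> k=v ..." format.
SAMPLE_LOG = """\
2025-04-10T03:10:01Z LOGIN_FAILED user=admin src=203.0.113.7
2025-04-10T03:10:04Z LOGIN_FAILED user=admin src=203.0.113.7
2025-04-10T03:10:09Z LOGIN_FAILED user=admin src=203.0.113.7
2025-04-10T03:11:30Z ADMIN_CREATED user=svc_sync by=api
2025-04-10T03:12:00Z TICKET_DELETED id=4410 by=svc_sync
2025-04-10T03:12:01Z TICKET_DELETED id=4411 by=svc_sync
2025-04-10T03:12:02Z TICKET_DELETED id=4412 by=svc_sync
2025-04-10T03:15:00Z OUTBOUND dst=198.51.100.23 bytes=52000000
2025-04-10T09:00:00Z OUTBOUND dst=10.0.0.5 bytes=1200
"""
KNOWN_HOSTS = {"10.0.0.5"}  # constructed allowlist of expected destinations
LINE_RE = re.compile(r"^(\S+) (\S+) ?(.*)$")

def parse_line(line):
    ts, event, rest = LINE_RE.match(line).groups()
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), event, fields

def audit(log_text, known_hosts, window=timedelta(minutes=10), burst=3):
    """Flag the four indicators the advisory lists; returns human-readable findings."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    findings = []
    for ts, ev, f in events:
        if ev == "ADMIN_CREATED":
            findings.append(f"admin created: {f['user']} via {f.get('by', '?')}")
        elif ev == "OUTBOUND" and f["dst"] not in known_hosts:
            findings.append(f"outbound to unfamiliar host {f['dst']}")
    # Bursts of failed logins or ticket deletions inside a sliding time window.
    for ev_name, label in (("LOGIN_FAILED", "failed logins"), ("TICKET_DELETED", "ticket deletions")):
        times = [ts for ts, ev, _ in events if ev == ev_name]
        for i, start in enumerate(times):
            n = sum(1 for t in times[i:] if t - start <= window)
            if n >= burst:
                findings.append(f"{n} {label} within {window} from {start.isoformat()}")
                break
    return findings
```

Any non-empty result from audit() is a reason to escalate to your incident response team rather than a verdict on its own; tune the window and burst values to your normal ticket and login volumes.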
3. Review Your Compliance Stance
If your business is governed by data security regulations (HIPAA, CMMC, PCI-DSS, etc.), determine whether the incident affects your compliance. Losing ticket history or audit records could impact your ability to prove due diligence during audits.
4. Inform Key Stakeholders
If your clients rely on you to maintain accurate IT documentation and support records, you may be contractually obligated to inform them about the risk or breach. Transparency and proactive communication go a long way toward maintaining trust.
5. Stay Ahead of Future Threats
This incident is part of a larger pattern of vulnerabilities in commonly used business tools. Threat actors are shifting away from ransomware and focusing instead on data exfiltration, extortion, and disruption. A Managed Security Services Provider (MSSP) can help you monitor, detect, and respond to these fast-moving threats.
The Bigger Picture: Why Businesses Must Stay Vigilant
This vulnerability is a wake-up call for organizations relying on SaaS and on-premise business tools. With increased dependency on platforms like Halo, vulnerabilities like this one can affect everything from customer service operations to executive reporting and compliance tracking.
Furthermore, this isn’t an isolated incident. Attackers are taking advantage of delayed patch cycles and limited IT staff by exploiting flaws before most organizations are aware they exist. Without proper monitoring, many businesses may not even realize their systems have been compromised until the damage is done.
At Xact Cybersecurity, we continually monitor threat intelligence feeds and vulnerability disclosures so our clients don’t have to. Our team of experts helps organizations patch, secure, and defend their systems around the clock.
Need Help Assessing Your Risk?
If your organization is unsure whether your Halo instance is secure, or you need expert guidance on vulnerability management, incident response, or compliance recovery, we’re here to help.
📞 Schedule a Risk Assessment
🛡️ Learn More About Our 24/7 Managed Security Services