Firebird CVE-2025-24975 / EUVD-2025-25030
Security Advisory
The Firebird homepage recently disclosed a security issue in older Firebird SQL server versions. The database server engine is used by OGS and installed as part of the OGS software. The issue has been published as CVE-2025-24975 / EUVD-2025-25030 and an update has been provided to resolve the issue.
Impact on OGS desktop installations
The installation programs for OGS V3 and V3.1 (up to and including V3.1.6) install Firebird server version 4.0.2, which is affected by the security vulnerability mentioned above.
The vulnerability can only be exploited if access to TCP port 3050 is possible. By default, the Windows Firewall blocks this port, so external access is normally not possible.
Impact on server installations
If a standalone installation of the Firebird database server is being used, the installed version should be checked as described in the Firebird Security Alert. All versions less than or equal to 4.0.6.3203 are vulnerable and must be updated.
Mitigations
An update for OGS including the updated Firebird database server (version 4.0.6.3203) will be provided in the coming days.
Until then, the following actions should be taken to prevent exploitation:
- Change the configuration in the firebird.conf file located at C:\Program Files (x86)\Firebird\Firebird_4_0. The vulnerability can only be exploited if the setting “ExtConnPoolSize” is set to a value other than zero. Set ExtConnPoolSize=0 and restart the Firebird service to prevent exploitation.
- Ensure that the Windows firewall blocks incoming external access to TCP port 3050.
- Manual upgrade of the Firebird server installation. The Firebird server installed by the OGS installer can be replaced with the official version from https://firebirdsql.org/en/firebird-4-0 as follows:
  - Run “uninstall_service.bat” with administrative rights (located in C:\Program Files (x86)\Firebird\Firebird_4_0) to remove the current Firebird SQL Server.
  - Download and install the official Win32 installer from https://github.com/FirebirdSQL/firebird/releases/download/v4.0.6/Firebird-4.0.6.3221-0-Win32.exe
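The first two mitigations above can be checked and applied from an elevated PowerShell session. This is an added example, not a script supplied by OGS or the Firebird project. The configuration path is the one given above; the service name is an assumption (Firebird's default Windows service name) and should be confirmed on the host before running.

```powershell
#Requires -RunAsAdministrator
# Added example. $confPath is the location given in the advisory.
# $serviceName is an ASSUMPTION (Firebird's default Windows service name);
# confirm the real name with: Get-Service *Firebird*
$confPath    = 'C:\Program Files (x86)\Firebird\Firebird_4_0\firebird.conf'
$serviceName = 'FirebirdServerDefaultInstance'

# 1. Find active ExtConnPoolSize lines (lines commented out with '#' do not match).
$pattern = '^\s*ExtConnPoolSize\s*=\s*(\S+)'
$lines   = @(Get-Content -LiteralPath $confPath)
$active  = @($lines | Where-Object { $_ -match $pattern })
$nonZero = @($active | Where-Object { $_ -match $pattern -and $Matches[1] -ne '0' })

if ($active.Count -ge 1 -and $nonZero.Count -eq 0) {
    Write-Host 'ExtConnPoolSize is already set to 0; no change made.'
} else {
    # Keep a timestamped backup, drop every active entry, then set the value
    # explicitly so it no longer depends on a commented-out default.
    $backup = "$confPath.$(Get-Date -Format yyyyMMddHHmmss).bak"
    Copy-Item -LiteralPath $confPath -Destination $backup
    $fixed = @($lines | Where-Object { $_ -notmatch $pattern }) + 'ExtConnPoolSize = 0'
    Set-Content -LiteralPath $confPath -Value $fixed -Encoding ASCII
    Restart-Service -Name $serviceName
    Write-Host "ExtConnPoolSize set to 0 (backup: $backup); service restarted."
}

# 2. List enabled inbound Allow rules that name TCP port 3050 explicitly.
#    Rules scoped by program with LocalPort 'Any', or by a port range, are
#    not caught here and need a manual look.
$allow = Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -contains '3050' } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
if ($allow) {
    $allow | Format-Table DisplayName, Profile
} else {
    Write-Host 'No explicit inbound allow rule for TCP 3050.'
}

# 3. Show which local addresses the server is listening on.
Get-NetTCPConnection -LocalPort 3050 -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

Any rule printed in step 2 should be reviewed and disabled or restricted to trusted source addresses if external clients do not need database access.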
If you have further questions, please get in touch.