Cyber Posture

CVE-2019-25446

Severity: High · Public PoC available

Published: 22 February 2026
Modified: 15 April 2026
KEV Added: not listed
Patch: not listed
CVSS Score: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)
EPSS Score: 0.0012 (30.9th percentile)
Risk Priority: 16 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

DIGIT CENTRIS ERP contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the datum1, datum2, KID, and PID parameters. Attackers can send POST requests to /korisnikinfo.php with malicious SQL syntax in these parameters to extract or modify sensitive database information.

Mitigating Controls (NIST 800-53 r5), AI-generated

Control type: prevent
Directly prevents SQL injection by requiring validation and sanitization of the unsanitized POST parameters (datum1, datum2, KID, PID) before database queries are executed in /korisnikinfo.php.

Control type: prevent
Mandates timely identification, reporting, and correction of the SQL injection flaw in DIGIT CENTRIS ERP, preventing exploitation of CVE-2019-25446.

Control type: prevent, detect
Boundary protection with a web application firewall inspects and blocks malicious SQL payloads in unauthenticated POST requests to the vulnerable /korisnikinfo.php endpoint.
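The first control above (validate the four parameters, then keep user input out of the SQL text) is the fix that removes the flaw rather than screening for it. The handler below is an added illustration of that pattern and is not DIGIT CENTRIS ERP code: the table name korisnik_info, the column names, the DSN and the credentials are all assumed, as is the query itself. Only the parameter names and the endpoint come from the advisory.

```php
<?php
// Hypothetical hardened handler for the datum1, datum2, KID and PID
// POST parameters of /korisnikinfo.php. Added example, not product code;
// table, column names and connection details are assumed.
declare(strict_types=1);

function validateParams(array $post): array
{
    // datum1 / datum2: accept only YYYY-MM-DD that is also a real date.
    $clean = [];
    foreach (['datum1', 'datum2'] as $name) {
        $value = (string) ($post[$name] ?? '');
        if (!preg_match('/^\d{4}-\d{2}-\d{2}$/', $value)) {
            throw new InvalidArgumentException("$name must be YYYY-MM-DD");
        }
        [$y, $m, $d] = array_map('intval', explode('-', $value));
        if (!checkdate($m, $d, $y)) {
            throw new InvalidArgumentException("$name is not a valid date");
        }
        $clean[$name] = $value;
    }
    // KID / PID: positive integers only; anything else is rejected outright.
    foreach (['KID', 'PID'] as $name) {
        $value = filter_var(
            $post[$name] ?? null,
            FILTER_VALIDATE_INT,
            ['options' => ['min_range' => 1]]
        );
        if ($value === false) {
            throw new InvalidArgumentException("$name must be a positive integer");
        }
        $clean[$name] = $value;
    }
    return $clean;
}

function fetchUserInfo(PDO $db, array $p): array
{
    // Prepared statement: values are bound as data and never concatenated
    // into the SQL string, so injected syntax cannot alter the query.
    $sql = 'SELECT * FROM korisnik_info
             WHERE korisnik_id = :kid AND projekt_id = :pid
               AND datum BETWEEN :d1 AND :d2';
    $stmt = $db->prepare($sql);
    $stmt->bindValue(':kid', $p['KID'], PDO::PARAM_INT);
    $stmt->bindValue(':pid', $p['PID'], PDO::PARAM_INT);
    $stmt->bindValue(':d1', $p['datum1']);
    $stmt->bindValue(':d2', $p['datum2']);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Placeholder connection settings; a real deployment reads these from
// configuration. An authentication check would also precede this block,
// since the advisory notes the endpoint is reachable unauthenticated.
$dsn  = 'mysql:host=localhost;dbname=centris_placeholder';
$user = 'app_user_placeholder';
$pass = 'password_placeholder';

try {
    $params = validateParams($_POST);
    $db = new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // server-side prepares
    ]);
    header('Content-Type: application/json');
    echo json_encode(fetchUserInfo($db, $params));
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo 'Bad request'; // never echo the offending value or SQL details
} catch (PDOException $e) {
    http_response_code(500);
    error_log($e->getMessage()); // keep database errors server-side
    echo 'Server error';
}
```

Validation alone is not the defence here; it narrows the input space, but the prepared statement is what guarantees that the request body cannot change the structure of the query. Disabling emulated prepares makes PDO send the statement and its parameters to the server separately instead of interpolating them client-side.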

Security Summary, AI-generated

DIGIT CENTRIS ERP is affected by CVE-2019-25446, an SQL injection vulnerability (CWE-89) that enables attackers to manipulate database queries. The flaw exists in the /korisnikinfo.php endpoint, where the datum1, datum2, KID, and PID parameters in POST requests fail to properly sanitize user input, allowing injection of malicious SQL syntax. This issue carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N), indicating high severity due to network accessibility, low attack complexity, and no privileges required.

Unauthenticated attackers can exploit this vulnerability remotely by crafting POST requests to /korisnikinfo.php with SQL payloads in the vulnerable parameters. Successful exploitation allows extraction of sensitive database information or limited modification of data, achieving high confidentiality impact and low integrity impact without affecting availability.

Advisories referenced in Exploit-DB (exploit 47401) and Vulncheck detail the SQL injection, noting it affects every version of DIGIT CENTRIS ERP via the datum parameter among others, with a public proof-of-concept available. No specific patches or mitigation steps are outlined in the provided details.

A proof-of-concept exploit is publicly available on Exploit-DB, indicating potential for real-world abuse against exposed DIGIT CENTRIS ERP instances. The CVE was published on 2026-02-22.

Details

CWE(s)
CWE-89 (SQL Injection)

MITRE ATT&CK Enterprise Techniques, AI-generated

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1213.006 Databases (Collection): Adversaries may leverage databases to mine valuable information.
Why these techniques?

SQL injection in a public-facing web endpoint enables exploitation of public-facing applications (T1190) and facilitates collection of data from databases (T1213.006) via arbitrary query execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
