CVE-2019-25539

HighPublic PoC

Published: 12 March 2026

Published

12 March 2026

Modified

16 March 2026

KEV Added

—

Patch

—

CVSS Score 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

EPSS Score 0.0022 45.0th percentile

Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Description

202CMS v10 beta contains a blind SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the log_user parameter. Attackers can send POST requests to index.php with crafted SQL payloads using time-based blind injection…

techniques to extract sensitive database information.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly prevents blind SQL injection by requiring validation of the log_user parameter in POST requests to block malicious SQL payloads.

SI-2 Flaw Remediation good match

prevent

Ensures timely remediation of the specific SQL injection flaw in 202CMS v10 beta to eliminate the vulnerability.

RA-5 Vulnerability Monitoring and Scanning good match

preventdetect

Enables vulnerability scanning to identify and remediate SQL injection flaws like CVE-2019-25539 before exploitation.

Security SummaryAI

CVE-2019-25539 is a blind SQL injection vulnerability in 202CMS v10 beta, stemming from CWE-89. The flaw resides in the log_user parameter, enabling attackers to inject malicious SQL code into database queries processed via POST requests to index.php. This affects the content management system's backend database handling, with a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N), indicating high confidentiality impact, low integrity impact, and no availability disruption.

Unauthenticated remote attackers can exploit this vulnerability by crafting POST requests to index.php with time-based blind SQL injection payloads. Successful exploitation allows extraction of sensitive database information, such as user credentials or configuration data, through inference techniques that measure query response times without direct output.

Advisories and related resources include the project page at https://sourceforge.net/projects/b202cms/, a public exploit at https://www.exploit-db.com/exploits/46579, and a detailed advisory from VulnCheck at https://www.vulncheck.com/advisories/202cms-v10-beta-sql-injection-via-register-php. No patches or specific mitigation steps are detailed in the CVE description.

Details

CWE(s): CWE-89

Affected Products

konradpl99

202cms

10.0

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1212 Exploitation for Credential Access Credential Access

Adversaries may exploit software vulnerabilities in an attempt to collect credentials.

attack.mitre.org →

T1213.006 Databases Collection

Adversaries may leverage databases to mine valuable information.

attack.mitre.org →

Why these techniques?

Blind SQLi in public-facing CMS enables exploitation of public app (T1190), credential extraction from DB (T1212), and data collection from databases (T1213.006).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://sourceforge.net/projects/b202cms/
Product · disclosure@vulncheck.com
https://www.exploit-db.com/exploits/46579
Exploit, Third Party Advisory, VDB Entry · disclosure@vulncheck.com
https://www.vulncheck.com/advisories/202cms-v10-beta-sql-injection-via-register-php
Third Party Advisory · disclosure@vulncheck.com