Cyber Posture

CVE-2019-25542

HighPublic PoC

Published: 12 March 2026

Published
12 March 2026
Modified
17 March 2026
KEV Added
Patch
CVSS Score 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
EPSS Score 0.0025 48.1th percentile
Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Description

Netartmedia Real Estate Portal 5.0 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the user_email parameter. Attackers can send POST requests to index.php with malicious payloads in the user_email field…

more

to bypass authentication, extract sensitive data, or modify database contents.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly requires validation of the user_email parameter to ensure inputs are properly sanitized, preventing SQL injection into database queries.

SI-2 Flaw Remediation good match
prevent

Mandates identification, reporting, and correction of flaws like the SQL injection vulnerability in index.php, eliminating the root cause.

SI-9 Information Input Restrictions partial match
prevent

Restricts information inputs such as user_email to authorized types and formats, blocking malicious SQL payloads from reaching the database.

Security SummaryAI

CVE-2019-25542 is a SQL injection vulnerability (CWE-89) in Netartmedia Real Estate Portal 5.0. The flaw resides in the index.php component, where the user_email parameter fails to properly sanitize input, allowing attackers to inject arbitrary SQL code into database queries. It carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N) and was published on 2026-03-12T16:16:09.297.

Unauthenticated remote attackers can exploit this vulnerability by sending crafted POST requests to index.php with malicious payloads in the user_email field. Exploitation enables manipulation of database queries, including bypassing authentication mechanisms, extracting sensitive data from the database, or modifying database contents.

Advisories and references, including a proof-of-concept on Exploit-DB (https://www.exploit-db.com/exploits/46563) and a detailed write-up from Vulncheck (https://www.vulncheck.com/advisories/netartmedia-real-estate-portal-sql-injection-via-index-php), document the issue but do not specify patches or mitigations in the available information.

Details

CWE(s)
CWE-89

Affected Products

netartmedia
real estate portal
5.0

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1213.006 Databases Collection
Adversaries may leverage databases to mine valuable information.
attack.mitre.org →
Why these techniques?

SQL injection in public-facing web application (index.php) directly enables exploitation of public-facing application (T1190) and extraction of sensitive data from databases (T1213.006) via arbitrary query manipulation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References