CVE-2019-25581

HighPublic PoC

Published: 21 March 2026

Published

21 March 2026

Modified

24 March 2026

KEV Added

—

Patch

—

CVSS Score 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

EPSS Score 0.0024 47.5th percentile

Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Description

i-doit CMDB 1.12 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the objGroupID parameter. Attackers can send GET requests with crafted SQL payloads in the objGroupID parameter to extract…

sensitive database information including usernames, database names, and version details.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

SI-10 directly prevents SQL injection by requiring validation and sanitization of untrusted inputs like the objGroupID parameter to block arbitrary SQL query execution.

SI-2 Flaw Remediation good match

prevent

SI-2 mandates timely identification, reporting, and correction of known flaws such as the SQL injection vulnerability in i-doit CMDB 1.12.

RA-5 Vulnerability Monitoring and Scanning good match

prevent

RA-5 uses vulnerability scanning to detect SQL injection issues like CVE-2019-25581 in web applications and triggers remediation.

Security SummaryAI

CVE-2019-25581 is an SQL injection vulnerability (CWE-89) in i-doit CMDB version 1.12. The flaw occurs through the objGroupID parameter, which fails to properly sanitize user input, allowing attackers to inject and execute arbitrary SQL queries. Affected systems include deployments of i-doit CMDB 1.12, with the vulnerability confirmed in the open-source edition available from SourceForge.

Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity, as indicated by its CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N). By sending crafted GET requests containing malicious SQL payloads in the objGroupID parameter, attackers can extract sensitive database information, such as usernames, database names, and version details, potentially leading to high confidentiality impacts with low integrity impacts.

Advisories, including the VulnCheck report on the i-doit CMDB SQL injection via the objGroupID parameter, document the issue, while an Exploit-DB entry (46134) provides a public proof-of-concept. The official i-doit website and vulnerable version download are referenced for further verification; security practitioners should check these sources for any available patches or upgrades beyond version 1.12.

Details

CWE(s): CWE-89

Affected Products

i-doit

1.12

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1213.006 Databases Collection

Adversaries may leverage databases to mine valuable information.

attack.mitre.org →

Why these techniques?

SQL injection in unauthenticated public-facing web application enables initial access via T1190 and data collection from databases via arbitrary SQL query execution (T1213.006).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://netcologne.dl.sourceforge.net/project/i-doit/i-doit/1.12/idoit-open-1.12.zip
Product · disclosure@vulncheck.com
https://www.exploit-db.com/exploits/46134
Exploit, Third Party Advisory, VDB Entry · disclosure@vulncheck.com
https://www.i-doit.org/
Product · disclosure@vulncheck.com
https://www.vulncheck.com/advisories/i-doit-cmdb-sql-injection-via-objgroupid-parameter
Third Party Advisory · disclosure@vulncheck.com