Cyber Posture

CVE-2019-25641

HighPublic PoC

Published: 24 March 2026

Published
24 March 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
EPSS Score 0.0012 31.1th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

Netartmedia Vlog System contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the email parameter. Attackers can send POST requests to index.php with malicious email values in the forgotten_password module to…

more

extract sensitive database information.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly requires validation of the email parameter in the forgotten_password module to block SQL injection from unsanitized user inputs.

SI-2 Flaw Remediation good match
prevent

Mandates timely remediation of the specific SQL injection flaw in index.php, preventing exploitation through patches or code fixes.

SI-9 Information Input Restrictions partial match
prevent

Restricts the email parameter to valid formats and sources, limiting opportunities for SQL code injection in database queries.

Security SummaryAI

CVE-2019-25641 is an SQL injection vulnerability (CWE-89) in the Netartmedia Vlog System. The flaw resides in the forgotten_password module of index.php, where the email parameter fails to properly sanitize user input, allowing attackers to inject arbitrary SQL code into database queries.

Unauthenticated remote attackers can exploit this vulnerability with low attack complexity and no user interaction required, as indicated by its CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N). By sending crafted POST requests to index.php with malicious values in the email parameter, attackers can manipulate database queries to extract sensitive information, achieving high confidentiality impact and low integrity impact without affecting availability.

References include an Exploit-DB entry (https://www.exploit-db.com/exploits/46583) detailing a proof-of-concept, the vendor site (https://www.netartmedia.net/vlogsystem/), and a Vulncheck advisory (https://www.vulncheck.com/advisories/netartmedia-vlog-system-lastest-sql-injection-via-email-parameter), which security practitioners should consult for any available patches or mitigation guidance. The CVE was published on 2026-03-24.

Details

CWE(s)
CWE-89

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1213.006 Databases Collection
Adversaries may leverage databases to mine valuable information.
attack.mitre.org →
Why these techniques?

SQL injection vulnerability in unauthenticated public-facing web application directly enables T1190 (Exploit Public-Facing Application) and facilitates arbitrary database queries for data collection (T1213.006).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References