
CVE-2025-0455

Critical

Published: 16 January 2025

Modified: 15 April 2026
KEV Added
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0183 (83.0th percentile)
Risk Priority: 21 (60% EPSS · 20% KEV · 20% CVSS)

Description

The airPASS from NetVision Information has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents.

Security Summary

CVE-2025-0455 is a SQL injection vulnerability (CWE-89) affecting the airPASS product from NetVision Information. Published on 2025-01-16, it enables unauthenticated remote attackers to inject arbitrary SQL commands, potentially compromising the underlying database.

The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity: it is reachable over the network, has low attack complexity, requires no privileges or user interaction, and has high impact on confidentiality, integrity, and availability. Unauthenticated remote attackers can exploit it to read, modify, and delete database contents.

TWCERT advisories describe the issue and provide mitigation guidance; they are available at https://www.twcert.org.tw/en/cp-139-8358-143bc-2.html and https://www.twcert.org.tw/tw/cp-132-8357-28308-1.html.

Details

CWE(s)
CWE-89
