CVE-2025-0486
Published: 15 January 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-0486 is a critical SQL injection vulnerability (CWE-74, CWE-89) in Fanli2012 native-php-cms version 1.0. The issue resides in an unknown functionality of the file /fladmin/login.php, where manipulation of the username argument triggers the injection. Published on 2025-01-15, it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
The vulnerability enables remote exploitation without user interaction or privileges. Attackers can launch SQL injection attacks over the network with low complexity, potentially compromising low levels of confidentiality, integrity, and availability. An exploit has been publicly disclosed and may be actively used.
Advisories are available via GitHub issues at https://github.com/Fanli2012/native-php-cms/issues/8 and https://github.com/Fanli2012/native-php-cms/issues/8#issue-2769942639, as well as VulDB entries including https://vuldb.com/?ctiid.291931, https://vuldb.com/?id.291931, and https://vuldb.com/?submit.475249. No specific patches or mitigations are detailed in the provided references.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection vulnerability in unauthenticated public-facing /fladmin/login.php enables exploitation of public-facing web applications (T1190), abuse of server software components (T1505 as per advisory), and collection of data from databases (T1213.006) via unauthorized queries.