CVE-2025-1184
Published: 12 February 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-1184 is a critical SQL injection vulnerability (CWE-74, CWE-89) in pihome-shc PiHome version 1.77. The flaw resides in an unspecified function of the file /ajax.php?Ajax=GetModal_MQTTEdit, where manipulating the "id" argument triggers the injection. Published on 2025-02-12, it carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
The vulnerability can be exploited remotely by attackers who hold low privileges. Exploitation requires network access, has low attack complexity, and needs no user interaction. The resulting impacts are limited: low confidentiality (e.g., partial data exposure), low integrity (e.g., minor unauthorized modifications), and low availability (e.g., minor denial of service).
Advisories reference a public proof-of-concept exploit at https://github.com/janssensjelle/published-pocs/blob/main/pihome_sqli_ajax.md, along with VulDB entries at https://vuldb.com/?ctiid.295088, https://vuldb.com/?id.295088, and https://vuldb.com/?submit.495413. No specific patches or mitigation steps are detailed in the provided references.
The exploit has been disclosed publicly and may be used in attacks.
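Since the references give no patch or mitigation, one defensive check is to review web server access logs for requests to the affected endpoint whose "id" value is not a plain integer. The following is an added example, not code from the advisory or the PiHome project. It assumes combined-format access logs, that "id" travels in the query string, and that legitimate requests carry a numeric "id"; the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoint, action and parameter named in the advisory.
ENDPOINT_PATH = "/ajax.php"
AJAX_ACTION = "GetModal_MQTTEdit"
PARAM = "id"

# Client IP and request line of a combined-format log entry (assumed format).
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)

def suspicious_id(line):
    """Return (client_ip, decoded id) when the line hits the affected endpoint
    with an id that is not a plain decimal integer; otherwise return None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None  # not a parseable access-log entry
    url = urlsplit(m.group("target"))
    if not url.path.endswith(ENDPOINT_PATH):
        return None
    params = parse_qs(url.query, keep_blank_values=True)  # URL-decodes values
    if AJAX_ACTION not in params.get("Ajax", []):
        return None
    for value in params.get(PARAM, []):
        # Assumption: a legitimate id is a short run of digits only.
        if not re.fullmatch(r"\d{1,10}", value):
            return m.group("ip"), value
    return None

def scan(lines):
    """Collect every flagged (client_ip, id) pair from an iterable of log lines."""
    return [hit for hit in map(suspicious_id, lines) if hit]

# Constructed sample entries (documentation IP ranges, invented timestamps).
# "GetModal_Other" is a made-up action name used only as a negative case.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Feb/2025:10:00:01 +0000] "GET /ajax.php?Ajax=GetModal_MQTTEdit&id=3 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Feb/2025:10:00:09 +0000] "GET /ajax.php?Ajax=GetModal_MQTTEdit&id=1%27 HTTP/1.1" 200 512 "-" "curl/8.5.0"',
    '203.0.113.5 - - [12/Feb/2025:10:01:30 +0000] "GET /pihome/ajax.php?Ajax=GetModal_MQTTEdit&id=2+AND+1%3D1 HTTP/1.1" 200 498 "-" "-"',
    '192.0.2.10 - - [12/Feb/2025:10:02:00 +0000] "GET /ajax.php?Ajax=GetModal_Other&id=abc HTTP/1.1" 200 120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, value in scan(SAMPLE_LOG):
        print(f"{ip} sent non-numeric id: {value!r}")
```

Hits from this check are leads for review rather than proof of compromise, and requests that carry "id" in a POST body will not appear in standard access logs.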
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The SQL injection vulnerability in the public-facing web application's ajax.php endpoint enables exploitation of public-facing applications (T1190) and collection of data from the backend database (T1213.006).