Cyber Posture

CVE-2025-1640

HighPublic PoC

Published: 25 February 2025

Published
25 February 2025
Modified
28 February 2025
KEV Added
Patch
CVSS Score 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
EPSS Score 0.0018 39.2th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Description

Adversaries may leverage databases to mine valuable information.

Security Summary

CVE-2025-1640 is a critical SQL injection vulnerability (CWE-74, CWE-89) in Benner ModernaNet versions up to 1.1.0. The flaw affects an unknown functionality within the endpoint /Home/JS_CarregaCombo?formName=DADOS_PESSOAIS_PLANO&additionalCondition=&insideParameters=&elementToReturn=DADOS_PESSOAIS_PLANO&ordenarPelaDescricao=true&direcaoOrdenacao=asc&_=1739290047295, where manipulation of parameters enables SQL injection.

Attackers can exploit this vulnerability remotely without authentication or user interaction, given its low attack complexity as indicated by the CVSS 3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). Successful exploitation grants limited access to confidential data, moderate integrity disruption, and low availability impact on the affected system.

Advisories recommend upgrading to Benner ModernaNet version 1.1.1 to remediate the issue. Further details are documented in VulDB entries and a related GitHub repository tracking the CVE.

Details

CWE(s)
CWE-74CWE-89

Affected Products

modernasistemas
modernanet
≤ 1.1.1

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1213.006 Databases Collection
Adversaries may leverage databases to mine valuable information.
attack.mitre.org →
Why these techniques?

SQL injection in unauthenticated web endpoint enables exploitation of public-facing application (T1190) and blind inference of database information (T1213.006).

References