CVE-2025-2066
Published: 07 March 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-2066 is a critical SQL injection vulnerability (CWE-74, CWE-89) in projectworlds Life Insurance Management System version 1.0. The flaw lies in unspecified code within the /updateAgent.php file, where manipulation of the agent_id argument lets an attacker inject SQL into the query the script executes. Published on 2025-03-07, it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
The vulnerability is remotely exploitable by unauthenticated attackers; attack complexity is low and no user interaction is required. Exploitation consists of sending crafted requests to /updateAgent.php with a manipulated agent_id parameter, with limited impact on confidentiality, integrity, and availability (unauthorized data access, modification, or disruption).
Advisories and details are available via the VulDB entries (ctiid.298822, id.298822, submit.514759) and a GitHub issue at ubfbuz3/cve/issues/8, where the exploit has been publicly disclosed and may be in active use. No specific patch is described in the available information.
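Since no patch is described, the following added illustration (not the project's code) shows the unsafe pattern the description implies, agent_id interpolated straight into the UPDATE statement, beside a hardened handler that validates the parameter and binds it. The table name, column names and the session key are assumptions.

```php
<?php
declare(strict_types=1);

// Unsafe pattern (assumed shape of the flaw): request values are spliced into
// the SQL text, so a crafted agent_id changes the query rather than the data.
function updateAgentUnsafe(mysqli $db, array $post): bool
{
    $sql = "UPDATE agents SET name = '{$post['name']}' "
         . "WHERE agent_id = '{$post['agent_id']}'";
    return $db->query($sql) !== false;
}

// PDO connection with emulated prepares disabled, so binding happens on the
// database server and parameters can never be reinterpreted as SQL.
function connect(string $dsn, string $user, string $pass): PDO
{
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

// Hardened pattern: require an authenticated session (the advisory rates the
// flaw PR:N, i.e. reachable without login), accept only a positive integer
// agent_id, and pass both values as bound parameters.
function updateAgentSafe(PDO $db, array $post, array $session): bool
{
    if (empty($session['user_id'])) {        // assumed session key
        http_response_code(403);
        return false;
    }
    $agentId = filter_var(
        $post['agent_id'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($agentId === false) {
        http_response_code(400);             // reject anything but an integer id
        return false;
    }
    $stmt = $db->prepare('UPDATE agents SET name = :name WHERE agent_id = :id');
    $stmt->bindValue(':name', (string) ($post['name'] ?? ''), PDO::PARAM_STR);
    $stmt->bindValue(':id', $agentId, PDO::PARAM_INT);
    return $stmt->execute();
}
```

Rejecting non-integer ids before the query also gives a cheap detection point: a 400 on /updateAgent.php with a non-numeric agent_id is worth logging.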
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An unauthenticated SQL injection in a public-facing web application (/updateAgent.php) maps to Exploit Public-Facing Application (T1190), Server Software Component (T1505, as cited in the advisory), and Data from Information Repositories: Databases (T1213.006), since injected queries read data directly from the backing database.