CVE-2025-2113
Published: 09 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-2113 is a SQL injection vulnerability in AT Software Solutions ATSVD up to version 3.4.1. The flaw lies in an unspecified function of the "Esqueceu a senha" (Forgot password) component, where manipulation of the txtCPF argument (the form field carrying the user's CPF, the Brazilian taxpayer identifier) leads to SQL injection. It carries a CVSS v3.1 base score of 7.3 (High; AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), is classified under CWE-74 and CWE-89, and was published on 2025-03-09.
The vulnerability is exploitable remotely over the network with low attack complexity and requires neither privileges nor user interaction. Successful exploitation has a limited (Low) impact on confidentiality, integrity, and availability: injected SQL can read or modify data reachable from the vulnerable query, or disrupt the service, within the permissions of the database account the application uses.
The vendor fix is ATSVD 3.4.2; advisories recommend upgrading to that version. Exploit details are public: the references include a GitHub repository and VulDB entries describing the vulnerability.
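The following is an added illustration, not code from ATSVD or from any of the referenced advisories, of the bug class described above: a "forgot password" lookup that concatenates the txtCPF value into a SQL string, shown beside a hardened version that validates the CPF's shape and binds it as a query parameter. The table name, column names, and sample rows are constructed assumptions; the real ATSVD schema and query are not described on this page. It uses an in-memory SQLite database so it runs offline.

```python
import re
import sqlite3


def build_db():
    """Constructed stand-in for the application's user store (schema is an assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE usuarios (id INTEGER PRIMARY KEY, cpf TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO usuarios (cpf, email) VALUES (?, ?)",
        [
            ("12345678909", "alice@example.invalid"),
            ("98765432100", "bob@example.invalid"),
        ],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, txt_cpf):
    """Vulnerable pattern (CWE-89): the txtCPF value is spliced into the SQL text.

    A value such as  ' OR '1'='1  turns the WHERE clause into a tautology, and
    x' UNION SELECT cpf FROM usuarios--  reads a different column via UNION.
    """
    sql = f"SELECT email FROM usuarios WHERE cpf = '{txt_cpf}'"
    return [row[0] for row in conn.execute(sql)]


# A CPF is eleven digits; anything else is rejected before it reaches SQL.
# (Check-digit validation could be added, but the shape check already
# excludes every character an injection payload needs.)
CPF_RE = re.compile(r"\d{11}")


def lookup_hardened(conn, txt_cpf):
    """Hardened form: validate the input shape, then bind it as a parameter.

    Parameter binding alone closes the injection; the shape check is
    defence in depth and gives a clear error for malformed input.
    """
    if not CPF_RE.fullmatch(txt_cpf):
        raise ValueError("txtCPF must be exactly 11 digits")
    sql = "SELECT email FROM usuarios WHERE cpf = ?"
    return [row[0] for row in conn.execute(sql, (txt_cpf,))]


if __name__ == "__main__":
    db = build_db()
    payload = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, payload))   # every user's email
    try:
        lookup_hardened(db, payload)
    except ValueError as exc:
        print("hardened:", exc)
```

The tautology payload returns every row from the vulnerable query, which is the confidentiality impact in the CVSS vector; the same splice point accepts UNION, stacked statements (where the driver allows them), or time-based probes, which is where the integrity and availability impacts come from. The hardened lookup never lets the quote character reach the parser, because the value is transported separately from the SQL text.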
Details
- CWE(s): CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, 'Injection'), CWE-89 (Improper Neutralization of Special Elements used in an SQL Command, 'SQL Injection')
Affected Products: AT Software Solutions ATSVD up to 3.4.1 (fixed in 3.4.2)
MITRE ATT&CK Enterprise Techniques: T1190 Exploit Public-Facing Application
Why these techniques?
SQL injection in a network-reachable web application component (the forgot-password form) that requires no authentication maps directly to T1190 Exploit Public-Facing Application: the attacker gains initial access to the backing database, and through it the ability to read and modify its data, by sending crafted input to an exposed application.