Cyber Posture

CVE-2025-2118

High

Published: 09 March 2025

Modified: 15 April 2026
CVSS Score: 7.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0001 (3.0th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Security Summary

CVE-2025-2118 is a SQL injection vulnerability in Quantico Tecnologia PRMV version 6.48, rated High. It affects an unspecified part of the file /admin/login.php within the Login Endpoint component, where manipulation of the username argument enables the injection. The issue is classified under CWE-74 and CWE-89, carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), and was published on 2025-03-09.

The vulnerability can be exploited remotely by unauthenticated attackers with low attack complexity, requiring no privileges or user interaction. Successful exploitation has a low impact on each of confidentiality, integrity, and availability (C:L/I:L/A:L), achieved through SQL injection via the username parameter during login attempts.

Advisories and details are available from VulDB entries at https://vuldb.com/?ctiid.299013, https://vuldb.com/?id.299013, and https://vuldb.com/?submit.506948, as well as a GitHub repository at https://github.com/yago3008/cves. The exploit has been publicly disclosed and may be used by attackers.

Details

CWE(s)
CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, 'Injection'), CWE-89 (SQL Injection)

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Why these techniques?

The CVE describes a remote SQL injection vulnerability in the login endpoint (/admin/login.php) of a public-facing web application. Because unauthenticated attackers can exploit the application directly over the network, it maps to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
