CVE-2025-2132
Published: 09 March 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-2132 is a SQL injection vulnerability classified as critical in ftcms version 2.1. The issue affects an unknown function within the file /admin/index.php/web/ajax_all_lists of the Search component, where manipulation of the "name" argument enables the injection. It carries a CVSS v3.1 base score of 4.7 (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L) and is associated with CWE-74 (Improper Neutralization of Special Elements used in an SQL Command) and CWE-89 (SQL Injection).
The vulnerability can be exploited remotely by attackers with high privileges (PR:H), such as authenticated administrators, requiring low attack complexity and no user interaction. Successful exploitation allows limited impacts: low confidentiality (C:L) via potential data disclosure, low integrity (I:L) through data modification, and low availability (A:L) disruption.
Advisories from VulDB detail the issue, noting public disclosure of an exploit and early vendor notification without response. References include a GitHub issue at https://github.com/ahieafe/zpp/issues/2 and VulDB entries at https://vuldb.com/?ctiid.299052, https://vuldb.com/?id.299052, and https://vuldb.com/?submit.511614; no patches or mitigations are mentioned.
The exploit has been publicly disclosed and may be actively used, with no vendor remediation available as of publication on 2025-03-09.
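The class of defect described above is a search handler that splices the request's name parameter into SQL text. The following is an added example, not code from ftcms or from the advisory: it contrasts that pattern with a parameterized query on a constructed SQLite table (the table, rows, and function names are assumptions for illustration) and also covers the caveat that parameter binding alone does not neutralise LIKE wildcards, which need separate escaping.

```python
import sqlite3

# Constructed sample data standing in for a CMS user table (not ftcms data).
ROWS = [("alice", "editor"), ("o'brien", "author"), ("bob_smith", "admin")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return conn


def search_unsafe(conn, name):
    # Vulnerable pattern: the request parameter becomes part of the SQL text,
    # so any quote or operator in it is parsed as SQL syntax.
    sql = "SELECT name, role FROM users WHERE name LIKE '%" + name + "%'"
    return conn.execute(sql).fetchall()


def escape_like(term, esc="\\"):
    # Binding a parameter keeps it out of the SQL grammar, but '%' and '_'
    # are still interpreted by LIKE itself, so they are escaped here.
    for ch in (esc, "%", "_"):
        term = term.replace(ch, esc + ch)
    return term


def search_safe(conn, name):
    # Hardened pattern: the value is bound through a placeholder and can never
    # change the statement's structure; the pattern is built around it as data.
    pattern = "%" + escape_like(name) + "%"
    return conn.execute(
        "SELECT name, role FROM users WHERE name LIKE ? ESCAPE '\\'", (pattern,)
    ).fetchall()


def run(fn, conn, name):
    # Helper so a caller can see whether a handler breaks on a given input
    # instead of crashing; a database error here is a defect, not a feature.
    try:
        return fn(conn, name)
    except sqlite3.OperationalError as exc:
        return "SQL error: " + str(exc)


if __name__ == "__main__":
    db = make_db()
    for term in ("o'brien", "_"):
        print(repr(term), "unsafe ->", run(search_unsafe, db, term))
        print(repr(term), "safe   ->", run(search_safe, db, term))
```

An apostrophe in the search term already shows the difference: the concatenated query fails with a syntax error (the same property an attacker relies on to alter the query), while the bound query returns the matching row. The underscore case shows the second point: even with binding, an unescaped `_` matches any single character and returns every row, whereas the escaped pattern matches only the literal underscore. Both behaviours are worth a regression test in any search endpoint.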
Details
CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The SQL injection vulnerability in the ftCMS admin search endpoint (/admin/index.php/web/ajax_all_lists) enables exploitation of a server software component (T1505) and facilitates unauthorized data collection from the database (T1213.006).