CVE-2025-22974
Published: 24 February 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-22974 is a SQL injection vulnerability (CWE-89) affecting SeaCMS versions 13.2 and earlier. The issue exists in the phome.php component, where the DoTranExecSql parameter fails to properly sanitize user input, enabling a remote attacker to inject and execute arbitrary SQL code.
The vulnerability can be exploited by any remote attacker with network access, requiring low attack complexity, no privileges, and no user interaction, as reflected in its CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Successful exploitation allows the attacker to execute arbitrary code, potentially leading to high impacts on confidentiality, integrity, and availability, such as data exfiltration, modification, or denial of service.
Mitigation details are available in the referenced advisory at https://github.com/202110420106/CVE/blob/master/seacms/CVE-2025-22974.md, published on 2025-02-24.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection vulnerability in SeaCMS web application enables remote arbitrary code execution, directly mapping to exploitation of public-facing applications.