CVE-2025-25181
Published: 03 February 2025
Description
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Security Summary
CVE-2025-25181 is a SQL injection vulnerability (CWE-89) in the timeoutWarning.asp component of Advantive VeraCore through version 2025.1.0. It allows remote attackers to execute arbitrary SQL commands by injecting malicious input via the PmSess1 parameter. The vulnerability has a CVSS v3.1 base score of 5.8 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N), indicating network accessibility with low complexity, no privileges or user interaction required, a changed scope, and limited impact to confidentiality.
Unauthenticated remote attackers can exploit this vulnerability over the network without user interaction. Successful exploitation enables execution of arbitrary SQL commands, potentially leading to limited unauthorized disclosure of sensitive data, as reflected in the CVSS confidentiality impact.
Advisories from Advantive's support knowledge base detail mitigation steps, while CISA has added CVE-2025-25181 to its Known Exploited Vulnerabilities catalog. Research from Intezer and Solis Security highlights active exploitation by the XE Group threat actor.
This vulnerability has seen real-world exploitation, with threat actors transitioning from credit card skimming to zero-day abuse, underscoring the need for immediate patching in affected VeraCore deployments.
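As a detection aid for the injection point described above, the following added example (not code from Advantive, CISA, or the cited research) scans W3C-format IIS logs for requests to timeoutWarning.asp whose PmSess1 value contains SQL syntax. The log lines, the `/app/` path prefix, and the premise that a legitimate PmSess1 value is a plain token are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Assumption: a legitimate PmSess1 value is a plain token with no SQL syntax.
SQL_SYNTAX = re.compile(
    r"['\";]|--|/\*|\b(select|union|insert|update|delete|drop|exec|declare|waitfor)\b",
    re.IGNORECASE,
)

# Constructed W3C-format IIS log; the /app/ path prefix and all values are made up.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2025-01-01 10:00:01 192.0.2.10 GET /app/timeoutWarning.asp PmSess1=8f3c2a1b9d 200
2025-01-01 10:00:05 198.51.100.7 GET /app/timeoutWarning.asp PmSess1=x%27-- 500
2025-01-01 10:00:09 203.0.113.5 GET /app/TimeoutWarning.asp pmsess1=abc%2527 200
2025-01-01 10:00:12 192.0.2.10 GET /app/login.asp user=o%27brien 200
2025-01-01 10:00:15 192.0.2.11 GET /app/timeoutWarning.asp lang=en 200
"""


def parse_w3c(lines):
    """Yield one dict per request, using the #Fields directive for column names."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def suspicious_requests(lines, page="timeoutwarning.asp", param="pmsess1"):
    """Return (date, time, client IP, decoded value) for requests worth reviewing."""
    hits = []
    for rec in parse_w3c(lines):
        if not rec.get("cs-uri-stem", "").lower().endswith("/" + page):
            continue
        query = parse_qs(rec.get("cs-uri-query", ""), keep_blank_values=True)
        for name, values in query.items():
            if name.lower() != param:
                continue
            for value in values:
                decoded = unquote_plus(value)  # second pass catches double encoding
                if SQL_SYNTAX.search(decoded):
                    hits.append((rec.get("date"), rec.get("time"), rec.get("c-ip"), decoded))
    return hits


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG.splitlines()):
        print(*hit)
```

IIS logs record only the query string, so a parameter sent in a POST body will not appear here. A hit is a lead for review, not proof of exploitation.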
Details
- CWE(s)
- KEV Date Added: 10 March 2025
Affected Products
Threat-Actor Attribution
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection enables exploitation of public-facing web applications (T1190) for initial access, arbitrary SQL execution for database data collection (T1213.006), and facilitates webshell deployment for remote execution (T1100) and persistence (T1505.003) as observed in adversary activity.