Cyber Posture

CVE-2025-25515

HighPublic PoC

Published: 25 February 2025

Published
25 February 2025
Modified
28 March 2025
KEV Added
Patch
CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0050 66.3th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

Adversaries may leverage databases to mine valuable information.

Security Summary

CVE-2025-25515 is a SQL injection vulnerability affecting SeaCMS versions 13.3 and earlier, specifically in the admin_collect.php component. Published on 2025-02-25, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-89. The flaw enables an authenticated attacker to inject malicious SQL queries into the database through this administrative script.

An attacker with low-privilege authenticated access (such as an admin user) can exploit this over the network with low complexity and no user interaction required. Successful exploitation grants high-impact control over confidentiality, integrity, and availability, potentially allowing arbitrary database operations like data exfiltration, modification, or deletion.

Advisories detailing the vulnerability, including a proof-of-concept, are available at https://github.com/Colorado-all/cve/blob/main/seacms/seacms%20V13.3-sql-5.md.

Details

CWE(s)
CWE-89

Affected Products

seacms
seacms
≤ 13.3

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
attack.mitre.org →
T1213.006 Databases Collection
Adversaries may leverage databases to mine valuable information.
attack.mitre.org →
Why these techniques?

SQL injection in web application admin panel enables exploitation of public-facing or remote services (T1190, T1210) and arbitrary database queries for data collection (T1213.006).

References