CVE-2025-25686

CriticalPublic PoC

Published: 27 March 2025

Published

27 March 2025

Modified

11 April 2025

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0027 50.8th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

Adversaries may leverage databases to mine valuable information.

Security Summary

CVE-2025-25686 is a SQL injection vulnerability (CWE-89) in SEMCMS versions 5.0 and earlier, specifically within the SEMCMS_Fuction.php component. Published on 2025-03-27T16:15:29.987, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its potential for severe impact.

An unauthenticated attacker can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. Exploitation enables arbitrary SQL query execution, granting high-impact access to confidentiality (data disclosure), integrity (data modification), and availability (data deletion or denial of service) of the affected database.

Mitigation details are available in the referenced advisory at https://github.com/J1095/fkapfxx.

Details

CWE(s): CWE-89

Affected Products

sem-cms

semcms

≤ 5.0

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1213.006 Databases Collection

Adversaries may leverage databases to mine valuable information.

attack.mitre.org →

Why these techniques?

SQL injection in a web-facing CMS (semcms) enables exploitation of public-facing applications (T1190) and facilitates unauthorized access to databases for data collection (T1213.006).

References

https://github.com/J1095/fkapfxx
Exploit, Third Party Advisory · cve@mitre.org