CVE-2025-25763

Critical

Published: 06 March 2025

Published

06 March 2025

Modified

07 July 2025

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0038 59.4th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Security Summary

CVE-2025-25763 is a SQL injection vulnerability (CWE-89) affecting crmeb CRMEB-KY versions v5.4.0 and prior. The issue is located in the getRead() function within the file /system/SystemDatabackupServices.php, as published on 2025-03-06.

The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), making it critically severe. Unauthenticated attackers with network access can exploit it remotely with low attack complexity and no user interaction required, potentially achieving high impacts on confidentiality, integrity, and availability through arbitrary SQL query execution.

Advisories and additional details are available at https://github.com/J-0k3r/CVE-2025-25763 and https://github.com/J-0k3r/sql/blob/main/sql.pdf.

Details

CWE(s): CWE-89

Affected Products

crmeb

5.4.0

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

SQL injection in public-facing web application (CRMEB-KY) directly enables remote unauthenticated exploitation of the web app via arbitrary SQL queries.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/J-0k3r/CVE-2025-25763
Broken Link · cve@mitre.org
https://github.com/J-0k3r/sql/blob/main/sql.pdf
Broken Link · cve@mitre.org