CVE-2025-25914
Published: 17 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-25914, published on 2025-03-17, is a SQL injection vulnerability (CWE-89) in Online Exam Mastering System version 1.0. The flaw resides in the handling of the fid parameter, enabling a remote attacker to execute arbitrary code. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting critical severity due to its network accessibility, low attack complexity, and lack of prerequisites.
A remote attacker without privileges or user interaction can exploit the vulnerability by injecting malicious SQL payloads via the fid parameter. Successful exploitation allows arbitrary code execution, compromising confidentiality, integrity, and availability with high impact, potentially leading to full system control.
The primary advisory reference is available at https://github.com/872323857/CVE/blob/main/online-exam-mastering-system_sqlinject.md, which details the vulnerability but provides no specific mitigation or patch information.
Details
CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection vulnerability in a public-facing web application (Online Exam Mastering System) allows remote arbitrary code execution via the fid parameter, directly enabling exploitation of public-facing applications.