Cyber Posture

CVE-2025-26163

CriticalPublic PoC

Published: 14 March 2025

Published
14 March 2025
Modified
03 April 2025
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0008 24.1th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

Adversaries may leverage databases to mine valuable information.

Security Summary

CVE-2025-26163 is a SQL injection vulnerability (CWE-89) in CM Soluces Informatica Ltda Auto Atendimento version 1.x.x, specifically via the CPF parameter. Published on 2025-03-14, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its potential for severe impact.

Remote attackers require no privileges or user interaction and can exploit the issue over the network with low complexity. Successful exploitation enables arbitrary SQL query execution, granting high-impact access to confidentiality, integrity, and availability of the affected system.

A proof-of-concept for the SQL injection is available at https://github.com/Fr1t0viski/PoCs/blob/main/SQL_Injection_AutoAtendimento. No vendor advisories, patches, or mitigation guidance are detailed in the CVE references.

Details

CWE(s)
CWE-89

Affected Products

cmsol
auto atendimento
1.0.0

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1213.006 Databases Collection
Adversaries may leverage databases to mine valuable information.
attack.mitre.org →
Why these techniques?

SQL injection vulnerability in public-facing web application enables exploitation for initial access (T1190) and arbitrary database queries for data collection (T1213.006).

References