CVE-2025-29980
Published: 20 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-29980 is a SQL injection vulnerability (CWE-89) in eTRAKiT.net release 3.2.1.77, stemming from improper input validation. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity with high impacts on confidentiality, integrity, and availability.
A remote unauthenticated attacker can exploit the vulnerability over the network with low complexity and no user interaction required. Successful exploitation allows the attacker to execute arbitrary commands as the current Microsoft SQL Server account.
Advisories recommend turning off the CRM feature while using eTRAKiT.net release 3.2.1.77 as a mitigation. eTRAKiT.Net is no longer supported, and users are advised to migrate to the latest version of CentralSquare Community Development.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in a public-facing web application (eTRAKiT.net) allows remote, unauthenticated arbitrary command execution, which maps directly to T1190 Exploit Public-Facing Application.