CVE-2025-63624
Published: 03 February 2026
Description
SQL Injection vulnerability in Shandong Kede Electronics Co., Ltd IoT smart water meter monitoring platform v.1.0 allows a remote attacker to execute arbitrary code via the imei_list.aspx file.
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents SQL injection in imei_list.aspx by validating and sanitizing untrusted inputs to block malicious SQL code execution.
Mandates identification, reporting, and correction of the specific SQL injection flaw, eliminating the vulnerability through patching or code fixes.
Requires regular vulnerability scanning to detect the SQL injection issue in the IoT platform, enabling proactive remediation before remote exploitation.
Security SummaryAI
CVE-2025-63624 is a SQL injection vulnerability (CWE-89) in the IoT smart water meter monitoring platform version 1.0 from Shandong Kede Electronics Co., Ltd. The issue resides in the imei_list.aspx file and allows a remote attacker to execute arbitrary code. Published on 2026-02-03, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its high impact on confidentiality, integrity, and availability.
Any unauthenticated remote attacker can exploit this vulnerability over the network with low complexity and no user interaction required. Exploitation enables arbitrary code execution on the affected system, potentially leading to complete compromise of the monitoring platform and connected IoT water meters.
A GitHub repository documents unauthorized remote code execution in this platform, including a proof-of-concept: https://github.com/songqb-xx/Internet-of-Things-Smart-Water-Meter-Monitoring-Platform-Unauthorized-RCE.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection (CWE-89) in public-facing web endpoint (imei_list.aspx) enables unauthenticated remote arbitrary code execution, directly facilitating T1190: Exploit Public-Facing Application.