Cyber Resilience

CVE-2018-25202

High · Public PoC

Published: 26 March 2026

Modified: 26 March 2026
KEV Added: none (not currently listed in the CISA KEV catalog)
Patch: none listed
CVSS Score (v4): 8.8 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0024 (15.5th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2018-25202 is a high-severity SQL Injection (CWE-89) vulnerability in Wecodex (inferred from references). Its CVSS base score is 8.8 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 15.5th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a referenced public proof-of-concept.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2018-25202 is an SQL injection vulnerability (CWE-89) in SAT CFDI 3.3 affecting the signIn endpoint through the 'id' parameter. It lets attackers inject SQL code into database queries via POST requests, using boolean-based blind, stacked-query, or time-based blind techniques. The vulnerability carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N): high confidentiality impact, low integrity impact, and no availability impact.

Remote attackers need no privileges or user interaction and can exploit the flaw over the network with low complexity. By crafting malicious payloads in the 'id' parameter, they can extract sensitive data from the database or compromise the application further, for example through data exfiltration or manipulation of other queries.

The issue is documented by an Exploit-DB proof-of-concept (https://www.exploit-db.com/exploits/44726), a VulnCheck advisory (https://www.vulncheck.com/advisories/sat-cfdi-sql-injection-via-signin-endpoint), and a WeCodex entry (https://www.wecodex.com/item/view/verification-and-validation-system-sat-cfdi-33/8); the exploit confirms a practical exploitation path.

An exploit is publicly available on Exploit-DB, indicating potential for real-world abuse against unpatched SAT CFDI 3.3 instances. The CVE was published on 2026-03-26.

Vulnerability details

SAT CFDI 3.3 contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting SQL code through the 'id' parameter in the signIn endpoint. Attackers can submit POST requests with boolean-based blind, stacked queries, or time-based blind SQL injection payloads to extract sensitive data or compromise the application.

CWE(s): CWE-89 (SQL Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct remote exploitation of a public-facing web application via SQL injection on the signIn endpoint.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-24956 (shared CWE-89)
CVE-2026-33615 (shared CWE-89)
CVE-2025-28939 (shared CWE-89)
CVE-2021-47872 (shared CWE-89)
CVE-2025-28873 (shared CWE-89)
CVE-2019-25636 (shared CWE-89)
CVE-2026-32611 (shared CWE-89)
CVE-2026-42755 (shared CWE-89)
CVE-2024-53544 (shared CWE-89)
CVE-2026-21410 (shared CWE-89)

Affected Assets

Wecodex (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5) (AI)

SI-10 (prevent): directly prevents SQL injection by requiring validation and sanitization of the 'id' parameter in the signIn endpoint to block malicious payloads.

SI-9 (prevent): enforces restrictions on the 'id' parameter, such as numeric-only input and length limits, to stop boolean-based blind, stacked, or time-based SQL injection attempts.

SI-2 (prevent): ensures timely identification and remediation of the specific SQL injection flaw in CVE-2018-25202 via patching or code correction.

References

https://www.exploit-db.com/exploits/44726 (Exploit-DB proof-of-concept)
https://www.vulncheck.com/advisories/sat-cfdi-sql-injection-via-signin-endpoint (VulnCheck advisory)
https://www.wecodex.com/item/view/verification-and-validation-system-sat-cfdi-33/8 (WeCodex product entry)