CVE-2019-25299
Published: 06 February 2026
Summary
CVE-2019-25299 is a high-severity SQL Injection (CWE-89) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 14.1th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).
Deeper analysis
CVE-2019-25299 is a SQL injection vulnerability in RimbaLinux AhadPOS version 1.11. The issue affects the 'alamatCustomer' parameter, which fails to properly sanitize user input in POST requests, allowing attackers to manipulate database queries. Exploitation relies on time-based and boolean-based blind SQL injection techniques to extract information or interact with the underlying database. The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N) and maps to CWE-89.
The attack requires low privileges (PR:L) and can be conducted remotely over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). An attacker holding a low-privilege authenticated account can send crafted POST requests to the vulnerable parameter, achieving high confidentiality impact through data extraction and low integrity impact via query alteration, without affecting availability.
Advisories and resources include the Vulncheck advisory at https://www.vulncheck.com/advisories/rimbalinux-ahadpos-alamatcustomer-sql-injection, an exploit script on Exploit-DB at https://www.exploit-db.com/exploits/47585, and the project repository on GitHub at https://github.com/rimbalinux/AhadPOS. These provide further details on the vulnerability and potential remediation steps.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-19400
Vulnerability details
RimbaLinux AhadPOS 1.11 contains a SQL injection vulnerability in the 'alamatCustomer' parameter that allows attackers to manipulate database queries through crafted POST requests. Attackers can exploit time-based and boolean-based blind SQL injection techniques to extract information or potentially interact with the underlying database.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in a web application parameter enables remote exploitation of a public-facing application (T1190) and direct unauthorized access to, or exfiltration from, the backend database (T1213.006).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation and sanitization of all input parameters (such as alamatCustomer in POST requests) so that SQL injection payloads are blocked before they reach the database.
- AC-6 (Least Privilege): limits the database privileges granted to the low-privilege authenticated accounts that can reach the vulnerable parameter, reducing the impact of successful blind SQLi data extraction or modification.
- Database activity monitoring: enables detection of query patterns and anomalies that would reveal time-based or boolean-based blind SQL injection attempts against the alamatCustomer field.
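The following is an added illustration of the SI-10 mitigation, not code from AhadPOS (which is a PHP application): a customer lookup driven by the alamatCustomer parameter is written once with string concatenation (the CWE-89 pattern the advisory describes) and once with a bound parameter. The table name, column names and rows are constructed for this example and are not the project's real schema.

```python
import sqlite3


def make_db():
    # Constructed in-memory table standing in for a POS customer table.
    # Schema and rows are assumptions for this example only.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customer (id INTEGER PRIMARY KEY, nama TEXT, alamat TEXT)"
    )
    conn.executemany(
        "INSERT INTO customer (nama, alamat) VALUES (?, ?)",
        [
            ("Customer A", "Jl. Merdeka 1"),
            ("Customer B", "Jl. Sudirman 2"),
            ("Customer C", "Jl. Merdeka 1"),
        ],
    )
    return conn


def find_by_address_vulnerable(conn, alamat_customer):
    # CWE-89: the POST value is spliced into the SQL text, so a quote
    # character in it changes the structure of the query itself.
    sql = "SELECT id FROM customer WHERE alamat = '" + alamat_customer + "'"
    return [row[0] for row in conn.execute(sql)]


def find_by_address_safe(conn, alamat_customer):
    # Parameterized query: the value is bound by the driver and is never
    # parsed as SQL, so the same input is matched only as a literal address.
    sql = "SELECT id FROM customer WHERE alamat = ?"
    return [row[0] for row in conn.execute(sql, (alamat_customer,))]


def compare(alamat_customer):
    # Returns (vulnerable_result, safe_result) for one submitted value.
    conn = make_db()
    try:
        return (
            find_by_address_vulnerable(conn, alamat_customer),
            find_by_address_safe(conn, alamat_customer),
        )
    finally:
        conn.close()


if __name__ == "__main__":
    print(compare("Jl. Merdeka 1"))   # ([1, 3], [1, 3])
    print(compare("x' OR '1'='1"))    # ([1, 2, 3], [])
```

For a benign address both functions return the same rows; for a value that carries a quote and a tautology, the concatenated query returns every customer while the bound query returns nothing, which is the difference an input-validation control is meant to guarantee.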