CVE-2019-25325

High · Public PoC

Published: 12 February 2026
Modified: 15 April 2026
CVSS v4 score: 8.8 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0033 (24.6th percentile)
Risk priority: 55 (floored blend · peak EPSS)

Summary

CVE-2019-25325 is a high-severity SQL Injection (CWE-89) vulnerability in Cxsecurity (inferred from references). Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 24.6th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2019-25325 is an SQL injection vulnerability (CWE-89) in Thrive Smart Home version 1.1, affecting the checklogin.php endpoint. The flaw arises from improper handling of the 'user' POST parameter, enabling attackers to inject malicious SQL payloads, such as ' or 1=1#, directly into login queries.

Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity and no user interaction or privileges required, as indicated by its CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N). Successful exploitation allows bypassing authentication mechanisms, granting unauthorized access to the application and potentially exposing sensitive data with high confidentiality impact and low integrity impact.

Advisories and related resources, including those at https://cxsecurity.com/issue/WLB-2020010019, https://exchange.xforce.ibmcloud.com/vulnerabilities/173728, https://packetstorm.news/files/id/155797, https://www.exploit-db.com/exploits/47814, and https://www.vulncheck.com/advisories/thrive-smart-home-smart-home-improper-limitation-o, document the issue and provide exploit details, though specific patch or mitigation guidance is not detailed in the core CVE information.

Vulnerability details

Thrive Smart Home 1.1 contains an SQL injection vulnerability in the checklogin.php endpoint that allows unauthenticated attackers to bypass authentication by manipulating the 'user' POST parameter. Attackers can inject malicious SQL code like ' or 1=1# to manipulate login queries and gain unauthorized access to the application.
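The vulnerable query pattern described above, shown beside its parameterized replacement, as an added example that is not code from Thrive Smart Home or from this page. It assumes a constructed SQLite user table standing in for the application's database; since SQLite's comment token is `--` rather than MySQL's `#`, the page's payload is written as `' or 1=1-- `.

```python
import hmac
import sqlite3

# Constructed in-memory user table standing in for the application's database;
# table and column names are assumptions, not taken from Thrive Smart Home.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, user TEXT, pass TEXT)")
conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                 [(1, "admin", "s3cret"), (2, "alice", "hunter2")])
conn.commit()

# SQLite's comment token is '--'; the page's MySQL payload "' or 1=1#" does the
# same thing with '#'. Either one comments out the rest of the WHERE clause.
PAYLOAD = "' or 1=1-- "


def rendered_query(user, password):
    """The SQL text the vulnerable path executes; shows why the payload matches
    every row and logs in as the first user returned."""
    return "SELECT id FROM users WHERE user='%s' AND pass='%s'" % (user, password)


def vulnerable_login(user, password):
    """CWE-89 pattern: POST parameters are spliced into the SQL text, so a
    quote inside 'user' ends the string literal and the rest becomes SQL."""
    row = conn.execute(rendered_query(user, password)).fetchone()
    return row[0] if row else None


def safe_login(user, password):
    """Parameterized lookup (SI-10): the driver binds 'user' as a value, so
    quotes or comment tokens in it cannot change the query's structure. The
    password is compared in Python with a constant-time check, not in SQL."""
    row = conn.execute("SELECT id, pass FROM users WHERE user = ?", (user,)).fetchone()
    if row is None:
        return None
    # Passwords are kept in the clear only to keep the example short; store a
    # salted hash and compare against that in real code.
    return row[0] if hmac.compare_digest(row[1], password) else None


if __name__ == "__main__":
    print(rendered_query(PAYLOAD, "x"))
    print("vulnerable:", vulnerable_login(PAYLOAD, "x"))  # 1 (admin row), bypassed
    print("safe:", safe_login(PAYLOAD, "x"))              # None
```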

CWE(s)

CWE-89 (SQL Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SQL injection in login endpoint allows unauthenticated remote exploitation of a public-facing web application to bypass authentication and gain unauthorized access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-24956 (shared CWE-89)
CVE-2026-33615 (shared CWE-89)
CVE-2025-28939 (shared CWE-89)
CVE-2021-47872 (shared CWE-89)
CVE-2025-28873 (shared CWE-89)
CVE-2019-25636 (shared CWE-89)
CVE-2026-32611 (shared CWE-89)
CVE-2026-42755 (shared CWE-89)
CVE-2024-53544 (shared CWE-89)
CVE-2026-21410 (shared CWE-89)

Affected Assets

Cxsecurity (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5) [AI]

SI-10 Information Input Validation (prevent)
Requires validation of untrusted inputs like the 'user' POST parameter in checklogin.php to block SQL injection payloads and prevent authentication bypass.

SI-2 Flaw Remediation (prevent)
Mandates timely identification, reporting, and remediation of flaws such as the SQL injection vulnerability in CVE-2019-25325 via patching or secure code updates.

Boundary protection (prevent)
Enforces boundary protection at network interfaces using web application firewalls or similar to detect and block SQL injection attempts targeting the login endpoint.