CVE-2019-25366
Published: 22 February 2026
Summary
CVE-2019-25366 is a high-severity SQL Injection (CWE-89) vulnerability in Microasp (inferred from references). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 26.4th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2019-25366 is an SQL injection vulnerability in microASP Portal+ CMS, affecting the pagina.phtml component through the explode_tree parameter. Unauthenticated attackers can inject malicious SQL code, such as payloads using the extractvalue and concat functions, to execute arbitrary SQL queries and extract sensitive database information, including the current database name. The vulnerability is rated with a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N) and is associated with CWE-89.
Because no privileges are required and attack complexity is low, any unauthenticated attacker with network access can exploit this vulnerability by sending crafted HTTP requests to the vulnerable endpoint. Successful exploitation enables high-impact confidentiality breaches, such as dumping database contents, with low integrity impact and no availability disruption.
Advisories and related resources, including an exploit proof-of-concept, are available from the vendor site at http://www.microasp.it/, Exploit-DB at https://www.exploit-db.com/exploits/46799, and VulnCheck at https://www.vulncheck.com/advisories/microasp-portal-cms-sql-injection-via-paginaphtml.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-19595
Vulnerability details
microASP Portal+ CMS contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code into the explode_tree parameter. Attackers can send crafted requests to pagina.phtml with SQL injection payloads using the extractvalue and concat functions to extract sensitive database information like the current database name.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in a public-facing web CMS component directly enables T1190 exploitation for initial access and unauthenticated data retrieval from backend databases (T1213.006).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly prevents SQL injection by requiring validation and sanitization of untrusted inputs like the explode_tree parameter before database query construction.
- SI-2 (Flaw Remediation): Requires identification, reporting, and correction of the specific SQL injection flaw in the microASP Portal+ CMS pagina.phtml component.
- SC-7 (Boundary Protection): Boundary protection at web interfaces can deploy web application firewalls to inspect and block crafted HTTP requests containing SQL injection payloads targeting the explode_tree parameter.
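As an added example (not from this advisory, the vendor, or microASP), the following detection logic shows how the input-validation and boundary-protection controls above translate into a check a defender can run over web-server access logs: it parses constructed combined-log lines (the sample traffic is made up), allow-lists explode_tree as a numeric id (an assumption; the CMS's real value format is not stated), and flags any request to pagina.phtml whose value carries the extractvalue/concat calls the advisory names.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample access-log lines (not real traffic); the second request
# carries the extractvalue/concat pattern the advisory describes.
SAMPLE_LOG = """\
203.0.113.10 - - [22/Feb/2026:10:00:01 +0000] "GET /pagina.phtml?explode_tree=12 HTTP/1.1" 200 5120
203.0.113.11 - - [22/Feb/2026:10:00:02 +0000] "GET /pagina.phtml?explode_tree=1%27%20AND%20extractvalue(1%2Cconcat(0x7e%2Cdatabase())) HTTP/1.1" 200 812
203.0.113.12 - - [22/Feb/2026:10:00:03 +0000] "GET /index.phtml HTTP/1.1" 200 2048
"""

# Common/combined log format, parsed up to the status code.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Assumption: explode_tree is a numeric tree/node id, so anything else is suspect.
ALLOWED_VALUE_RE = re.compile(r"\d{1,10}")
# SQL functions the advisory names as the extraction vector.
SQLI_FUNC_RE = re.compile(r"\b(extractvalue|concat)\s*\(", re.IGNORECASE)


def decode_param(target: str, name: str) -> list[str]:
    """All decoded values of `name` in a request target. parse_qs decodes once;
    the extra unquote_plus also unmasks double-encoded values (fine for detection)."""
    values = parse_qs(urlsplit(target).query, keep_blank_values=True).get(name, [])
    return [unquote_plus(v) for v in values]


def scan_access_log(log_text: str, param: str = "explode_tree") -> list[dict]:
    """Flag pagina.phtml requests whose `param` fails the allow-list or carries
    the named SQL function calls; one finding per offending value."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip, never crash the scanner
        target = m.group("target")
        if not urlsplit(target).path.lower().endswith("/pagina.phtml"):
            continue
        for value in decode_param(target, param):
            reasons = []
            if not ALLOWED_VALUE_RE.fullmatch(value):
                reasons.append("value outside allow-list")
            funcs = sorted({f.lower() for f in SQLI_FUNC_RE.findall(value)})
            if funcs:
                reasons.append("sql function call: " + ",".join(funcs))
            if reasons:
                findings.append({"ip": m.group("ip"), "time": m.group("ts"),
                                 "value": value, "reasons": reasons})
    return findings
```

The allow-list check fires independently of the signature, so a novel payload that avoids the named functions is still surfaced as an out-of-format value for the parameter.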