Cyber Resilience

CVE-2019-25508

High · Public PoC

Published: 12 March 2026
Modified: 17 March 2026
KEV Added: not listed
Patch: no details provided
CVSS Score v4: 8.8 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0036 (27.7th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2019-25508 is a high-severity SQL Injection (CWE-89) vulnerability in Jettweb Php Ready Advertisement Site Script. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 27.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2019-25508 is an SQL injection vulnerability (CWE-89) in Jettweb Php Hazir Ilan Sitesi Scripti V2. The flaw resides in the katgetir.php endpoint, where the 'kat' parameter fails to properly sanitize user input, enabling attackers to inject arbitrary SQL code into database queries. Published on 2026-03-12, it carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N), indicating high severity due to its network accessibility and lack of prerequisites.

Unauthenticated remote attackers can exploit this vulnerability by sending GET requests to katgetir.php with malicious values in the 'kat' parameter. Successful exploitation allows manipulation of database queries to extract sensitive information, with potential for limited data modification but no denial of service.

An advisory from VulnCheck (https://www.vulncheck.com/advisories/jettweb-php-hazir-ilan-sitesi-scripti-v2-sql-injection-via-katgetir-php) and a proof-of-concept on Exploit-DB (https://www.exploit-db.com/exploits/46606) document the issue, though neither provides specific patch details. Security practitioners should review these resources for mitigation guidance, such as input validation or upgrading the affected script.
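As an added illustration (not code from this page, the vendor, or the advisories), the following shows the concatenation pattern the advisory describes for katgetir.php beside a hardened version that applies the SI-10 input-validation control and bound parameters. The table name `ads`, the columns `id`, `title`, `category`, and the assumption that 'kat' is an integer category id are all hypothetical.

```php
<?php
// Added illustration (not the vendor's code): a hypothetical reconstruction of the
// katgetir.php pattern and a hardened replacement. Table and column names are assumed.

// Vulnerable shape (CWE-89): the untrusted 'kat' value is concatenated straight into
// the query text, so whatever the client sends becomes part of the SQL statement.
function vulnerable_lookup(PDO $db, array $get): array
{
    $kat = $get['kat'] ?? '';
    $sql = "SELECT id, title FROM ads WHERE category = '" . $kat . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened shape: validate the input first (NIST SI-10: restrict type, format, range),
// then hand it to the database as a bound parameter, never as query text.
function hardened_lookup(PDO $db, array $get): ?array
{
    // Assumption: a category id is a small positive integer. Anything else is rejected
    // before it reaches the database, which also gives a clean logging point (HTTP 400).
    $kat = filter_var($get['kat'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 100000]]);
    if ($kat === false) {
        return null; // caller answers with http_response_code(400) and logs the rejection
    }
    $stmt = $db->prepare('SELECT id, title FROM ads WHERE category = :kat');
    $stmt->bindValue(':kat', $kat, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Stand-alone demo against an in-memory SQLite database with constructed sample rows.
$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // server-side prepares where the driver supports them
]);
$db->exec('CREATE TABLE ads (id INTEGER PRIMARY KEY, title TEXT, category INTEGER)');
$db->exec("INSERT INTO ads VALUES (1, 'Bike for sale', 3), (2, 'Flat to let', 7)");

var_dump(hardened_lookup($db, ['kat' => '3']));   // one row: id 1, 'Bike for sale'
var_dump(hardened_lookup($db, ['kat' => "3'"]));  // NULL: non-integer rejected before any query
```

In production the same validation failure is worth logging with the raw value, since a burst of rejected 'kat' values against katgetir.php is the observable trace of the exploitation attempts the advisory describes.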

Vulnerability details

Jettweb Php Hazir Ilan Sitesi Scripti V2 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'kat' parameter. Attackers can send GET requests to the katgetir.php endpoint with malicious 'kat' values to extract sensitive database information.

CWE(s): CWE-89 (SQL Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

Direct unauthenticated network exploitation of a public-facing web app via SQL injection in katgetir.php.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2019-25510 (same vendor: Jettweb)
CVE-2019-25516 (same vendor: Jettweb)
CVE-2019-25482 (same vendor: Jettweb)
CVE-2019-25517 (same vendor: Jettweb)
CVE-2019-25520 (same vendor: Jettweb)
CVE-2019-25515 (same vendor: Jettweb)
CVE-2019-25512 (same vendor: Jettweb)
CVE-2019-25519 (same vendor: Jettweb)
CVE-2019-25511 (same vendor: Jettweb)
CVE-2019-25518 (same vendor: Jettweb)

Affected Assets

Vendor: jettweb
Product: php ready advertisement site script
Version: 2

Mitigating Controls (NIST 800-53 r5) AI

SI-10 Information Input Validation (prevent): Directly prevents SQL injection by requiring validation of untrusted inputs like the 'kat' parameter before inclusion in database queries.

SI-2 Flaw Remediation (prevent): Ensures timely identification, reporting, and correction of the specific SQL injection flaw in katgetir.php.

prevent: Restricts the 'kat' parameter to specific types, formats, and lengths to block common SQL injection payloads.

References