CVE-2019-25581
Published: 21 March 2026
Summary
CVE-2019-25581 is a high-severity SQL Injection (CWE-89) vulnerability in I-Doit I-Doit. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 26.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2019-25581 is an SQL injection vulnerability (CWE-89) in i-doit CMDB version 1.12. The flaw occurs through the objGroupID parameter, which fails to properly sanitize user input, allowing attackers to inject and execute arbitrary SQL queries. Affected systems include deployments of i-doit CMDB 1.12, with the vulnerability confirmed in the open-source edition available from SourceForge.
Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity, as indicated by its CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N). By sending crafted GET requests containing malicious SQL payloads in the objGroupID parameter, attackers can extract sensitive database information, such as usernames, database names, and version details, potentially leading to high confidentiality impacts with low integrity impacts.
Advisories, including the VulnCheck report on the i-doit CMDB SQL injection via the objGroupID parameter, document the issue, while an Exploit-DB entry (46134) provides a public proof-of-concept. The official i-doit website and vulnerable version download are referenced for further verification; security practitioners should check these sources for any available patches or upgrades beyond version 1.12.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-19904
Vulnerability details
i-doit CMDB 1.12 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the objGroupID parameter. Attackers can send GET requests with crafted SQL payloads in the objGroupID parameter to extract…
more
sensitive database information including usernames, database names, and version details.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in unauthenticated public-facing web application enables initial access via T1190 and data collection from databases via arbitrary SQL query execution (T1213.006).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SI-10 directly prevents SQL injection by requiring validation and sanitization of untrusted inputs like the objGroupID parameter to block arbitrary SQL query execution.
SI-2 mandates timely identification, reporting, and correction of known flaws such as the SQL injection vulnerability in i-doit CMDB 1.12.
RA-5 uses vulnerability scanning to detect SQL injection issues like CVE-2019-25581 in web applications and triggers remediation.