CVE-2019-25688

Severity: High · Public PoC

Published: 05 April 2026
Modified: 07 April 2026
CVSS v4.0 score: 8.8 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0034 (25.5th percentile)
Risk priority: 55 (floored blend · peak EPSS)

Summary

CVE-2019-25688 is a high-severity SQL Injection (CWE-89) vulnerability in Marmotech Kados. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 25.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

Kados R10 GreenBee, an open-source project management tool, suffers from an SQL injection vulnerability identified as CVE-2019-25688. The flaw resides in the menu_lev1 parameter, which fails to properly sanitize user input, allowing attackers to inject arbitrary SQL code into database queries. This CWE-89 issue carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N), highlighting its high severity due to network accessibility and lack of authentication requirements.

Unauthenticated remote attackers can exploit this vulnerability by crafting HTTP requests with malicious SQL payloads in the menu_lev1 parameter. Successful exploitation enables extraction of sensitive database information, such as user credentials or project data, and limited modification of database contents, potentially leading to data leakage or unauthorized alterations without impacting availability.

Advisories and related resources, including those from VulnCheck and Exploit-DB, detail the vulnerability and provide a proof-of-concept exploit at https://www.exploit-db.com/exploits/46505. Project details are available on SourceForge (https://sourceforge.net/projects/kados/) and the official site (https://www.kados.info/), though no specific patches or mitigation steps are outlined in the provided references. Security practitioners should assume affected instances remain vulnerable absent vendor updates.
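To make the CWE-89 pattern described above concrete, the following added example (not code from Kados or from the advisory sources) contrasts a handler that splices the menu_lev1 request parameter into its SQL text with a hardened handler that applies SI-10 style input validation and parameter binding. The table schema, the assumption that menu_lev1 carries a numeric menu id, and the request values are constructed for illustration.

```python
import re
import sqlite3

# Constructed stand-in for the application's menu table; the real Kados
# schema is not given in the advisory, so this is an assumption.
def build_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE menu (id INTEGER, label TEXT, visibility TEXT)")
    con.executemany("INSERT INTO menu VALUES (?, ?, ?)", [
        (1, "Projects", "public"),
        (2, "Admin", "internal"),
        (3, "Reports", "public"),
    ])
    return con

def menu_lookup_vulnerable(con, menu_lev1):
    # CWE-89: the untrusted parameter becomes part of the SQL grammar, so a
    # value such as "2 OR 1=1" widens the WHERE clause to every row.
    sql = "SELECT id, label FROM menu WHERE id = " + menu_lev1
    return con.execute(sql).fetchall()

# Assumed contract: menu_lev1 is a short decimal id and nothing else.
MENU_ID = re.compile(r"[0-9]{1,6}")

def menu_lookup_hardened(con, menu_lev1):
    # SI-10: reject anything that is not a plain numeric id before any query runs.
    if not MENU_ID.fullmatch(menu_lev1):
        raise ValueError("menu_lev1 must be a numeric id")
    # Parameter binding sends the value separately from the SQL text.
    return con.execute(
        "SELECT id, label FROM menu WHERE id = ?", (int(menu_lev1),)
    ).fetchall()

def handle_request(con, menu_lev1):
    # Small request wrapper returning (http_status, rows) so the two
    # outcomes (bad input vs. a normal lookup) are easy to compare.
    try:
        return 200, menu_lookup_hardened(con, menu_lev1)
    except ValueError:
        return 400, []
```

Running both lookups against the same constructed value shows the vulnerable handler returning every row while the hardened one refuses the request with a 400 before the database is touched.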

Vulnerability details

Kados R10 GreenBee contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the menu_lev1 parameter. Attackers can send crafted requests with malicious SQL payloads in the menu_lev1 parameter to extract sensitive database information or modify database contents.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1213.006 Databases (Collection)
Adversaries may leverage databases to mine valuable information.

Why these techniques?

SQL injection in unauthenticated public web app directly enables T1190 exploitation for initial access and T1213.006 for database data collection/modification.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2019-25704 (same product: Marmotech Kados)
CVE-2019-25702 (same product: Marmotech Kados)
CVE-2019-25700 (same product: Marmotech Kados)
CVE-2019-25690 (same product: Marmotech Kados)
CVE-2019-25692 (same product: Marmotech Kados)
CVE-2019-25694 (same product: Marmotech Kados)
CVE-2019-25696 (same product: Marmotech Kados)
CVE-2019-25698 (same product: Marmotech Kados)
CVE-2018-25199 (shared CWE-89)
CVE-2026-27179 (shared CWE-89)

Affected Assets

Vendor: marmotech · Product: kados · Version: r10_greenbee

Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

SI-10 Information Input Validation (prevent)
Directly requires validating untrusted inputs like the menu_lev1 parameter to block SQL injection payloads before they reach database queries.

SI-2 Flaw Remediation (prevent)
Mandates timely identification, reporting, testing, and correction of flaws such as this SQL injection vulnerability in Kados R10 GreenBee.

RA-5 Vulnerability Monitoring and Scanning (prevent, detect)
Requires vulnerability scanning that would identify SQL injection issues in web applications, enabling remediation before exploitation.
