CVE-2019-25688
Published: 05 April 2026
Summary
CVE-2019-25688 is a high-severity SQL injection (CWE-89) vulnerability in Marmotech Kados. Its CVSS v3.1 base score is 8.2 (High), which is what the vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N evaluates to.
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 25.5th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations this analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
Kados R10 GreenBee, an open-source project management tool, contains an SQL injection vulnerability tracked as CVE-2019-25688. The flaw is in the menu_lev1 parameter: its value reaches a database query without validation or parameterization, so an attacker controls part of the query text and can inject arbitrary SQL. The issue is classified as CWE-89 and carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N): reachable over the network, low attack complexity, no privileges or user interaction required, high confidentiality impact and low integrity impact.
Unauthenticated remote attackers can exploit this vulnerability by crafting HTTP requests with malicious SQL payloads in the menu_lev1 parameter. Successful exploitation enables extraction of sensitive database information, such as user credentials or project data, and limited modification of database contents, potentially leading to data leakage or unauthorized alterations without impacting availability.
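The following is an added illustration of the CWE-89 mechanism described above, not code from Kados or from the referenced proof-of-concept. The schema, table names, the `menu` lookup and the payload are all constructed for this example; the real Kados query, column names and exploit are not reproduced here. The block shows the same value in the menu_lev1 parameter reaching a concatenated query (which leaks a second table) and a parameterized query (which treats it as an opaque string), plus the allow-list check that NIST SI-10 calls for on a parameter that should only ever be a short menu key.

```python
import re
import sqlite3

# Constructed toy schema standing in for an application database. This is NOT
# the Kados R10 GreenBee schema; it only models a menu lookup keyed by menu_lev1
# next to a table an attacker would want to read.
def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE menu(id INTEGER, lev1 TEXT, label TEXT);
        INSERT INTO menu VALUES (1, 'projects', 'Projects'), (2, 'tasks', 'Tasks');
        CREATE TABLE users(id INTEGER, login TEXT, pwd_hash TEXT);
        INSERT INTO users VALUES (1, 'admin', '$2y$10$examplehashvalue');
    """)
    return con

def menu_vulnerable(con, menu_lev1):
    # CWE-89: the untrusted parameter is spliced into the SQL text, so quotes,
    # UNION and comment markers in the value become part of the query.
    sql = "SELECT label FROM menu WHERE lev1 = '%s'" % menu_lev1
    return [row[0] for row in con.execute(sql)]

def menu_parameterized(con, menu_lev1):
    # Same query with a bound parameter: the driver sends the value out of band,
    # so it can never change the query's structure, whatever characters it holds.
    sql = "SELECT label FROM menu WHERE lev1 = ?"
    return [row[0] for row in con.execute(sql, (menu_lev1,))]

# Allow-list validation (SI-10): a menu key is a short lowercase identifier and
# nothing else. Reject anything outside that set before it reaches the database.
MENU_KEY_RE = re.compile(r"\A[a-z0-9_]{1,32}\Z")

def validate_menu_lev1(value):
    return bool(MENU_KEY_RE.match(value))

# Constructed payload: closes the string literal, appends a UNION that reads
# another table, and comments out the trailing quote of the original query.
PAYLOAD = "x' UNION SELECT login || ':' || pwd_hash FROM users--"

def demo():
    con = make_db()
    leaked = menu_vulnerable(con, PAYLOAD)        # ['admin:$2y$10$examplehashvalue']
    safe = menu_parameterized(con, PAYLOAD)       # []  (no menu row has that literal key)
    accepted = validate_menu_lev1(PAYLOAD)        # False: rejected before any query runs
    return leaked, safe, accepted

if __name__ == "__main__":
    print(demo())
```

The parameterized query is the fix; the allow-list check is defense in depth and also a cheap WAF or reverse-proxy rule while a vendor fix is unavailable. Note that the example only demonstrates the confidentiality impact (C:H); the low integrity impact in the vector corresponds to what an attacker can change through the same query, which depends on the real application's statement and is not modelled here.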
Advisories and related resources, including those from VulnCheck and Exploit-DB, describe the vulnerability, and a proof-of-concept exploit is available at https://www.exploit-db.com/exploits/46505. Project details are available on SourceForge (https://sourceforge.net/projects/kados/) and the official site (https://www.kados.info/), but none of the provided references outlines a patch or vendor mitigation. Security practitioners should therefore treat affected instances as vulnerable until a vendor update is available, restrict network exposure of the application in the meantime and, where the code can be modified, parameterize the affected query and validate menu_lev1 against an allow-list (the SI-10 control listed below).
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-20109
Vulnerability details
Kados R10 GreenBee contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the menu_lev1 parameter. Attackers can send crafted requests with malicious SQL payloads in the menu_lev1 parameter to extract sensitive database information or modify database contents.
- CWE(s): CWE-89 (Improper Neutralization of Special Elements used in an SQL Command)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An unauthenticated SQL injection in a public-facing web application directly enables T1190 (Exploit Public-Facing Application) for initial access, and T1213.006 (Data from Information Repositories: Databases) for collecting or modifying database contents once the query is under attacker control.
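For the detection side of T1190, the following added example (not part of this advisory and not a Kados artifact) triages web server access logs for SQL syntax in the menu_lev1 parameter. The log lines are constructed in combined log format; the request path /index.php, the IPs and the user agents are assumptions chosen for the sample and are not taken from the vulnerability references. The value is URL-decoded twice so that a double-encoded payload (%2527 for a quote) is still seen in its decoded form.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed sample log lines (combined log format). Not real Kados traffic;
# the path, addresses and user agents are invented for this example.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Apr/2026:10:00:01 +0000] "GET /index.php?menu_lev1=projects HTTP/1.1" 200 1324 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Apr/2026:10:00:02 +0000] "GET /index.php?menu_lev1=projects%27%20UNION%20SELECT%20login%2Cpwd%20FROM%20users--%20- HTTP/1.1" 200 2048 "-" "sqlmap/1.7"
198.51.100.4 - - [05/Apr/2026:10:00:03 +0000] "GET /index.php?menu_lev1=tasks&x=1 HTTP/1.1" 200 900 "-" "Mozilla/5.0"
198.51.100.4 - - [05/Apr/2026:10:00:04 +0000] "GET /index.php?menu_lev1=tasks%2527%20AND%20SLEEP(5)--%20- HTTP/1.1" 500 0 "-" "Mozilla/5.0"
"""

# Minimal combined-log-format parser: client IP, timestamp, request target, status.
REQ_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Tokens that have no business in a value which should be a plain menu key:
# quotes, SQL comment markers, UNION/SELECT, time-based probes, tautologies.
SQLI_RE = re.compile(
    r"(?i)(['\"]|--|/\*|\bunion\b|\bselect\b|\bsleep\s*\(|"
    r"\b(?:or|and)\s+\d+\s*=\s*\d+)"
)

def decode_param(value):
    # parse_qs has already decoded once; decode again to unmask double encoding.
    return unquote_plus(value)

def suspicious_requests(log_text, param="menu_lev1"):
    """Return (ip, timestamp, status, decoded_value) for requests whose
    `param` value contains SQL syntax."""
    hits = []
    for line in log_text.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue  # malformed or non-access line; skip rather than crash
        query = urlsplit(m.group("target")).query
        for raw in parse_qs(query, keep_blank_values=True).get(param, []):
            decoded = decode_param(raw)
            if SQLI_RE.search(decoded):
                hits.append((m.group("ip"), m.group("ts"), m.group("status"), decoded))
    return hits

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

A 500 response to an injected value (the last sample line) is itself a signal worth correlating: error-based and time-based probes often surface first as status or latency anomalies on one parameter before any data leaves. The pattern list is deliberately narrow to keep false positives low on a parameter that is expected to hold a short key; it is not a general SQL injection detector and should be widened only with knowledge of what legitimate values the application accepts.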
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validating untrusted inputs such as the menu_lev1 parameter so that SQL injection payloads are rejected before they reach a database query.
- SI-2 (Flaw Remediation): mandates timely identification, reporting, testing and correction of flaws such as this SQL injection in Kados R10 GreenBee.
- RA-5 (Vulnerability Monitoring and Scanning): requires vulnerability scanning that would surface SQL injection in web applications, enabling remediation before exploitation.