CVE-2019-25696
Published: 05 April 2026
Summary
CVE-2019-25696 is a high-severity SQL Injection (CWE-89) vulnerability in Marmotech Kados. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 22.7th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2019-25696 is an SQL injection vulnerability (CWE-89) in Kados R10 GreenBee, where the language_tag parameter is not properly validated before being used in a database query. This flaw lets an attacker inject arbitrary SQL into the application's queries and have it executed by the database, potentially compromising the underlying data.
The vulnerability carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N), indicating it is exploitable over the network by unauthenticated attackers with low attack complexity and no user interaction required. Successful exploitation allows attackers to extract sensitive database information, such as user credentials or other confidential data, and perform limited data modifications, though it does not impact availability.
Advisories and additional details are documented in resources including the VulnCheck advisory on the Kados R10 GreenBee SQL injection via language_tag parameter, the Kados project pages on SourceForge and kados.info, and an exploit on Exploit-DB (ID 46505). No specific patches or mitigation steps are detailed in the provided references.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-20117
Vulnerability details
Kados R10 GreenBee contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting SQL code through the language_tag parameter. Attackers can submit malicious SQL statements in the language_tag parameter to extract sensitive database information or modify data.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in a network-accessible web application directly enables T1190 (Exploit Public-Facing Application) for unauthenticated remote attackers.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of user inputs such as the language_tag parameter, blocking SQL injection attempts against Kados R10 GreenBee.
- SI-2 (Flaw Remediation): mandates timely identification, reporting, and correction of flaws such as the unvalidated language_tag parameter that enables this SQL injection.
- Vulnerability scanning: identifies SQL injection vulnerabilities like CVE-2019-25696 in deployed applications before they are exploited.
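To make the SI-10 control concrete, the following added example (constructed for this page, not Kados code) contrasts a lookup that concatenates a language_tag parameter into its SQL, the CWE-89 pattern described above, with a hardened version that rejects anything outside a strict allowlist and binds the value as a query parameter. The table schema, sample rows and the language-tag format are assumptions.

```python
"""Hypothetical lookup keyed on a language_tag parameter (sqlite3).
Constructed to illustrate the CWE-89 pattern of CVE-2019-25696; not Kados code."""
import re
import sqlite3

# Strict allowlist for a language tag such as "en", "fr-CA" or "zh-Hant-TW":
# a 2-3 letter primary subtag plus optional alphanumeric subtags (assumed format).
LANGUAGE_TAG_RE = re.compile(r"^[A-Za-z]{2,3}(-[A-Za-z0-9]{2,8})*$")


def make_db() -> sqlite3.Connection:
    """Constructed sample table of translated strings keyed by language tag."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE translations (language_tag TEXT, value TEXT)")
    conn.executemany("INSERT INTO translations VALUES (?, ?)",
                     [("en", "Welcome"), ("fr", "Bienvenue"), ("de", "Willkommen")])
    return conn


def lookup_vulnerable(conn, language_tag: str) -> list:
    """CWE-89: the parameter is spliced into the SQL text, so quote characters
    in language_tag change the structure of the query rather than its data."""
    sql = "SELECT value FROM translations WHERE language_tag = '" + language_tag + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(conn, language_tag: str) -> list:
    """SI-10 style fix: validate against the allowlist (reject, do not 'clean'),
    then bind the value as a parameter so the database always treats it as data."""
    if not LANGUAGE_TAG_RE.fullmatch(language_tag):
        raise ValueError("invalid language_tag")
    sql = "SELECT value FROM translations WHERE language_tag = ?"
    return [row[0] for row in conn.execute(sql, (language_tag,))]


def demo() -> dict:
    """Run both lookups on a benign tag and on a constructed tautology input."""
    conn = make_db()
    benign, hostile = "fr", "x' OR '1'='1"
    results = {
        "vuln_benign": lookup_vulnerable(conn, benign),
        "vuln_hostile": lookup_vulnerable(conn, hostile),  # every row is returned
        "hard_benign": lookup_hardened(conn, benign),
    }
    try:
        lookup_hardened(conn, hostile)
        results["hard_hostile"] = "accepted"
    except ValueError:
        results["hard_hostile"] = "rejected"  # blocked before reaching the database
    return results
```

Validation is the first line of defence here, but the parameter binding is what removes the injection class entirely; a deployment should apply both.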