Cyber Resilience

CVE-2019-25698

High · Public PoC

Published: 05 April 2026

Modified: 07 April 2026
KEV Added: not listed
Patch: none referenced
CVSS Score v4: 8.8 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0031 (22.7th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2019-25698 is a high-severity SQL Injection (CWE-89) vulnerability in Marmotech Kados. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 22.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

Kados R10 GreenBee, an open-source project hosted on SourceForge, suffers from an SQL injection vulnerability identified as CVE-2019-25698. The flaw resides in the id_to_delete parameter, which fails to properly sanitize user input, allowing attackers to inject malicious SQL code into database queries. This CWE-89 issue enables manipulation of backend database operations, with a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N), indicating high confidentiality impact and low integrity impact.

Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low complexity. By crafting HTTP requests with SQL payloads in the id_to_delete field, adversaries can extract sensitive database information or perform limited modifications, such as altering records, potentially leading to data leakage or unauthorized changes in the application's data store.

Advisories from VulnCheck detail the SQL injection via the id_to_delete parameter in Kados R10 GreenBee, while a proof-of-concept exploit is available on Exploit-DB (ID 46505). Project resources at SourceForge and kados.info provide additional context, though no specific patches or mitigations are outlined in the provided references. Security practitioners should review these sources for remediation guidance and consider input validation or parameterized queries as general defenses against SQL injection.

Vulnerability details

Kados R10 GreenBee contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting SQL code through the id_to_delete parameter. Attackers can send crafted requests with malicious SQL statements in the id_to_delete field to extract or modify sensitive database information.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SQL injection in an unauthenticated web parameter directly enables remote exploitation of the public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2019-25690: same product (Marmotech Kados)
CVE-2019-25692: same product (Marmotech Kados)
CVE-2019-25694: same product (Marmotech Kados)
CVE-2019-25696: same product (Marmotech Kados)
CVE-2019-25704: same product (Marmotech Kados)
CVE-2019-25688: same product (Marmotech Kados)
CVE-2019-25702: same product (Marmotech Kados)
CVE-2019-25700: same product (Marmotech Kados)
CVE-2026-24956: shared CWE-89
CVE-2026-33615: shared CWE-89

Affected Assets

marmotech
kados
r10_greenbee

Mitigating Controls (NIST 800-53 r5) (AI)

prevent: Directly requires validating user inputs like the id_to_delete parameter to block malicious SQL injection payloads before they reach the database.

prevent: Mandates identification, reporting, and correction of flaws such as the SQL injection vulnerability in Kados R10 GreenBee.

prevent: Enforces restrictions on information inputs at boundaries to limit malformed or oversized SQL payloads in parameters like id_to_delete.
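The defenses described in the deeper analysis and in the controls above, as an added example that is not part of this record or of the Kados code base: it assumes the id_to_delete parameter feeds a DELETE statement (an assumption; the record does not show the query), uses a constructed SQLite table in place of the real schema, and places the string-interpolated form beside a version that validates the parameter at the boundary (SI-10) and binds it with a parameterized query.

```python
import re
import sqlite3

# Constructed stand-in for the application's record store (not Kados's schema).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE records (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO records (id, name) VALUES (?, ?)",
                     [(1, "alpha"), (2, "beta"), (3, "gamma")])
    conn.commit()
    return conn

def delete_vulnerable(conn, id_to_delete):
    # The weak pattern: the request parameter is spliced into the SQL text,
    # so anything it contains is parsed as part of the statement.
    conn.execute(f"DELETE FROM records WHERE id = {id_to_delete}")
    conn.commit()

def delete_hardened(conn, id_to_delete):
    # SI-10: accept only a positive integer before the value reaches the database.
    if not isinstance(id_to_delete, str) or not re.fullmatch(r"[1-9][0-9]*", id_to_delete):
        raise ValueError("id_to_delete must be a positive integer")
    # Parameterized query: the driver binds the value; it is never parsed as SQL.
    conn.execute("DELETE FROM records WHERE id = ?", (int(id_to_delete),))
    conn.commit()

def row_count(conn):
    return conn.execute("SELECT COUNT(*) FROM records").fetchone()[0]

def demo():
    """Returns (rows left after the weak form, rows left after the hardened form)
    for the same constructed injection-style input."""
    hostile = "1 OR 1=1"   # constructed test input, not a payload from the record
    weak = make_db()
    delete_vulnerable(weak, hostile)        # WHERE clause is always true: every row goes
    safe = make_db()
    try:
        delete_hardened(safe, hostile)
    except ValueError:
        pass                                # rejected at the boundary, nothing deleted
    return row_count(weak), row_count(safe)

if __name__ == "__main__":
    print(demo())   # (0, 3)
```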
