CVE-2019-25698
Published: 05 April 2026
Summary
CVE-2019-25698 is a high-severity SQL Injection (CWE-89) vulnerability in Marmotech Kados. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 22.7th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
Kados R10 GreenBee, an open-source project hosted on SourceForge, suffers from an SQL injection vulnerability identified as CVE-2019-25698. The flaw resides in the id_to_delete parameter, which fails to properly sanitize user input, allowing attackers to inject malicious SQL code into database queries. This CWE-89 issue enables manipulation of backend database operations, with a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N), indicating high confidentiality impact and low integrity impact.
Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low complexity. By crafting HTTP requests with SQL payloads in the id_to_delete field, adversaries can extract sensitive database information or perform limited modifications, such as altering records, potentially leading to data leakage or unauthorized changes in the application's data store.
Advisories from VulnCheck detail the SQL injection via the id_to_delete parameter in Kados R10 GreenBee, while a proof-of-concept exploit is available on Exploit-DB (ID 46505). Project resources at SourceForge and kados.info provide additional context, though no specific patches or mitigations are outlined in the provided references. Security practitioners should review these sources for remediation guidance and consider input validation or parameterized queries as general defenses against SQL injection.
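To make the defense concrete, the following is an added example written for this page; it is not code from the Kados project, whose implementation language the references above do not state. It models a delete handler that receives an id_to_delete request parameter, once with the value concatenated into the SQL text (the CWE-89 pattern) and once with the two defenses the analysis recommends: strict input validation (the SI-10 control) followed by a parameterized query. The table name, column names, sample rows and handler signatures are assumptions; SQLite in memory stands in for the real database.

```python
"""Added illustration, not Kados project code: an id_to_delete handler in its
unsafe concatenated form beside a validated, parameterized form.
Table/column names and the sample rows are constructed for this example."""
import re
import sqlite3

# Validation rule for the parameter: one or more ASCII digits, nothing else.
# re is used instead of str.isdigit() because isdigit() also accepts
# non-ASCII digit characters that int() handles inconsistently.
_ID_PATTERN = re.compile(r"[0-9]+")


def make_db() -> sqlite3.Connection:
    # Constructed sample data: three tasks in an in-memory database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tasks (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO tasks (id, title) VALUES (?, ?)",
        [(1, "write spec"), (2, "review PR"), (3, "deploy")],
    )
    conn.commit()
    return conn


def delete_task_vulnerable(conn: sqlite3.Connection, id_to_delete: str) -> int:
    # Unsafe: the request parameter is spliced into the SQL text, so whatever
    # the client sends is parsed as part of the statement (CWE-89).
    cur = conn.execute("DELETE FROM tasks WHERE id = " + id_to_delete)
    conn.commit()
    return cur.rowcount  # number of rows actually deleted


def delete_task_hardened(conn: sqlite3.Connection, id_to_delete: str) -> int:
    # SI-10 style input validation: the parameter must match the expected
    # shape before it is used at all; anything else is rejected, not "cleaned".
    if not _ID_PATTERN.fullmatch(id_to_delete):
        raise ValueError("id_to_delete must be a positive integer")
    task_id = int(id_to_delete)
    # Parameterized query: the value is bound by the driver and is never
    # parsed as SQL, so the statement's structure cannot change.
    cur = conn.execute("DELETE FROM tasks WHERE id = ?", (task_id,))
    conn.commit()
    return cur.rowcount


def remaining(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM tasks").fetchone()[0]


def demo() -> dict:
    """Run both handlers against a normal value and a constructed tautology."""
    results = {}

    conn = make_db()
    results["vuln_normal"] = delete_task_vulnerable(conn, "2")
    # Constructed hostile input: concatenation turns the single-row delete
    # into "WHERE id = 2 OR 1=1", which matches every remaining row.
    results["vuln_injected"] = delete_task_vulnerable(conn, "2 OR 1=1")
    results["vuln_remaining"] = remaining(conn)

    conn = make_db()
    results["hard_normal"] = delete_task_hardened(conn, "2")
    try:
        delete_task_hardened(conn, "2 OR 1=1")
        results["hard_injected"] = "executed"
    except ValueError:
        results["hard_injected"] = "rejected"  # never reaches the database
    results["hard_remaining"] = remaining(conn)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two defenses are complementary rather than alternatives: the parameterized query is what actually removes the injection, while the validation step fails loudly on malformed input so that an attempted injection surfaces as a logged error instead of a silently rewritten query.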
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-20119
Vulnerability details
Kados R10 GreenBee contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting SQL code through the id_to_delete parameter. Attackers can send crafted requests with malicious SQL statements in the id_to_delete field to extract or modify sensitive database information.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection through an unauthenticated web parameter directly enables remote exploitation of a public-facing application.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validating user inputs such as the id_to_delete parameter to block malicious SQL injection payloads before they reach the database.
- SI-2 (Flaw Remediation): mandates identification, reporting, and correction of flaws such as the SQL injection vulnerability in Kados R10 GreenBee.
- Enforces restrictions on information inputs at boundaries to limit malformed or oversized SQL payloads in parameters such as id_to_delete.