CVE-2024-58309

Severity: High · Public PoC

Published: 11 December 2025
Modified: 30 December 2025
KEV Added: not listed
Patch: none listed
CVSS Score (v4): 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0032 (55.5th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-58309 is a high-severity SQL injection (CWE-89) vulnerability in xbtitFM (vendor Xbtitfm). Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 44.5% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-58309 is an unauthenticated SQL injection vulnerability (CWE-89) in xbtitFM version 4.1.18. The issue affects the /shoutedit.php component, where remote attackers can inject malicious SQL code through the msgid parameter to manipulate database queries. Published on 2025-12-11, it has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical.

Any unauthenticated remote attacker can exploit this vulnerability by sending crafted HTTP requests to /shoutedit.php, leveraging MySQL functions like EXTRACTVALUE to extract sensitive data including database names, user credentials, and password hashes from the underlying database. No user interaction or privileges are required, enabling widespread exploitation against exposed xbtitFM instances.

Advisories detailing the vulnerability are available from VulnCheck at https://www.vulncheck.com/advisories/xbtitfm-unauthenticated-sql-injection-in-shouteditphp, with a proof-of-concept exploit published on Exploit-DB at https://www.exploit-db.com/exploits/51909. The official xbtitFM site is https://xbtitfm.eu.

Vulnerability details

xbtitFM 4.1.18 contains an unauthenticated SQL injection vulnerability that allows remote attackers to manipulate database queries by injecting malicious SQL code through the msgid parameter. Attackers can send crafted requests to /shoutedit.php with EXTRACTVALUE functions to extract database names, user credentials, and password hashes from the underlying database.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1213.006 Databases (Collection): Adversaries may leverage databases to mine valuable information.
Why these techniques?

Unauthenticated SQL injection in public-facing web app (T1190) enables extraction of sensitive data like credentials and hashes from databases (T1213.006).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2019-25537 (shared CWE-89)
CVE-2019-25366 (shared CWE-89)
CVE-2019-25496 (shared CWE-89)
CVE-2026-1475 (shared CWE-89)
CVE-2026-26990 (shared CWE-89)
CVE-2026-44047 (shared CWE-89)
CVE-2025-12865 (shared CWE-89)
CVE-2024-11135 (shared CWE-89)
CVE-2019-25491 (shared CWE-89)
CVE-2024-13369 (shared CWE-89)

Affected Assets

Vendor: xbtitfm
Product: xbtitfm
Version: 4.1.18

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

Prevent: SI-10 directly prevents SQL injection by validating and sanitizing untrusted inputs like the msgid parameter in shoutedit.php to ensure consistency with expected format.

Prevent: SI-2 requires timely identification, reporting, and remediation of flaws such as the unauthenticated SQL injection in xbtitFM 4.1.18, eliminating the vulnerability through patching.

Prevent: AC-6 limits database privileges for the application to the minimum necessary, reducing the scope of data extraction possible even if SQL injection via msgid succeeds.
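As an added illustration of the SI-10 control described above (example code written for this page, not xbtitFM's own code), the block below shows an allow-list check for msgid combined with a parameterized lookup, and a detector that flags access-log requests to /shoutedit.php whose msgid is not a plain integer. The shoutbox table schema and the log lines are constructed for the example.

```python
import re
import sqlite3
from urllib.parse import urlsplit, parse_qs

# Constructed stand-in for the application's shout table; real xbtitFM column
# names are not known to this example and are assumed here.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE shoutbox (id INTEGER PRIMARY KEY, userid INTEGER, msg TEXT)")
    db.executemany("INSERT INTO shoutbox VALUES (?, ?, ?)",
                   [(1, 10, "hello"), (2, 11, "world")])
    return db

# Allow-list: a positive integer of at most ten digits, nothing else.
MSGID_RE = re.compile(r"[1-9][0-9]{0,9}")

def validate_msgid(raw):
    """SI-10 style input validation for msgid. Returns an int, or None when the
    raw string is missing or is anything other than a plain positive integer."""
    if raw is None or MSGID_RE.fullmatch(raw) is None:
        return None
    return int(raw)

def fetch_shout(db, raw_msgid):
    """Hardened lookup: the validated value is bound as a query parameter and is
    never concatenated into the SQL text, so it cannot alter the query."""
    msgid = validate_msgid(raw_msgid)
    if msgid is None:
        return None
    return db.execute("SELECT id, msg FROM shoutbox WHERE id = ?", (msgid,)).fetchone()

# Detection over web-server access logs (combined log format). Any request to
# /shoutedit.php whose msgid fails the same allow-list check is reported.
LOG_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def suspicious_shoutedit_requests(lines):
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if url.path != "/shoutedit.php":
            continue
        for value in parse_qs(url.query).get("msgid", []):  # parse_qs URL-decodes
            if validate_msgid(value) is None:
                hits.append((url.path, value))
    return hits

# Constructed sample log lines: one clean request, one with a quote appended to
# msgid, one unrelated request that must not be flagged.
SAMPLE_LOG = [
    '203.0.113.5 - - [11/Dec/2025:10:00:01 +0000] "GET /shoutedit.php?msgid=42 HTTP/1.1" 200 512',
    '203.0.113.9 - - [11/Dec/2025:10:00:02 +0000] "GET /shoutedit.php?msgid=42%27 HTTP/1.1" 200 1024',
    '203.0.113.9 - - [11/Dec/2025:10:00:03 +0000] "GET /index.php?msgid=x HTTP/1.1" 200 300',
]
```

Running suspicious_shoutedit_requests(SAMPLE_LOG) returns the single decoded offender [("/shoutedit.php", "42'")], and fetch_shout rejects the same value before any query is issued.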
