CVE-2024-58309
Published: 11 December 2025
Summary
CVE-2024-58309 is a high-severity SQL injection (CWE-89) vulnerability in xbtitFM. The base score listed here is 8.7 (High); the CVSS v3.1 vector cited in the deeper analysis below evaluates to 9.8 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 44.5% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a publicly referenced proof of concept.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-58309 is an unauthenticated SQL injection vulnerability (CWE-89) in xbtitFM version 4.1.18. The issue affects the /shoutedit.php component, where remote attackers can inject malicious SQL code through the msgid parameter to manipulate database queries. Published on 2025-12-11, it has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical.
Any unauthenticated remote attacker can exploit the flaw by sending crafted HTTP requests to /shoutedit.php. MySQL XML functions such as EXTRACTVALUE are used for error-based extraction: the result of an injected subquery is placed inside an invalid XPath expression, so the database error message echoes it back, disclosing database names, user credentials and password hashes. No user interaction or privileges are required, so every exposed xbtitFM instance is a target.
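As an added example (not from the advisory, VulnCheck, or the xbtitFM project), the following Python script hunts for this exploitation pattern in web-server access logs. It assumes Combined Log Format and that a legitimate msgid is a decimal integer; both are assumptions, and the log lines embedded in it are constructed for the demonstration. It flags any /shoutedit.php request whose msgid carries SQL tokens (the EXTRACTVALUE/UPDATEXML error-based primitives, UNION/SELECT, quotes, comment sequences) and, at a lower tier, any non-numeric value.

```python
"""Hunt for SQL-injection probes against /shoutedit.php in web-server access logs.

Added example for this advisory; not code from xbtitFM or the advisory's sources.
Assumptions: Combined Log Format (Apache/nginx default) and that a legitimate
msgid is a decimal integer. The sample lines below are constructed, not captured.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access log (not real traffic).
SAMPLE_LOG = r'''
203.0.113.5 - - [11/Dec/2025:10:00:01 +0000] "GET /shoutedit.php?msgid=42 HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Dec/2025:10:00:02 +0000] "GET /shoutedit.php?msgid=42%20AND%20EXTRACTVALUE(1,CONCAT(0x7e,(SELECT%20database()))) HTTP/1.1" 500 612 "-" "sqlmap/1.7"
203.0.113.9 - - [11/Dec/2025:10:00:03 +0000] "GET /shoutedit.php?msgid=42'%20OR%201=1--%20- HTTP/1.1" 200 1532 "-" "curl/8.0"
203.0.113.9 - - [11/Dec/2025:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "curl/8.0"
203.0.113.9 - - [11/Dec/2025:10:00:05 +0000] "GET /shoutedit.php?msgid=abc HTTP/1.1" 200 1532 "-" "curl/8.0"
'''

# Combined Log Format: ip ident user [ts] "METHOD target HTTP/x" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Tokens that have no business inside an integer id. EXTRACTVALUE/UPDATEXML are
# the MySQL error-based primitives the advisory names; the rest are common probes.
SQL_MARKERS = re.compile(
    r"extractvalue|updatexml|\bunion\b|\bselect\b|\bconcat\b|\bsleep\s*\(|--|/\*|'|\"",
    re.IGNORECASE,
)
INTEGER_ID = re.compile(r'[0-9]+')  # assumed legitimate shape of msgid


def inspect_msgid(value):
    """Classify one msgid value as (None, None), ('sqli', marker) or ('non_numeric', None)."""
    # parse_qs already decoded once; decode again so %2527-style double encoding
    # does not hide a quote from the marker check.
    decoded = unquote(value).strip()
    if INTEGER_ID.fullmatch(decoded):
        return None, None
    m = SQL_MARKERS.search(decoded)
    if m:
        return 'sqli', m.group(0).lower()
    return 'non_numeric', None


def scan(log_text):
    """Return one finding per /shoutedit.php request whose msgid is not a plain integer."""
    findings = []
    for line in log_text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m['target'])
        if parts.path != '/shoutedit.php':
            continue
        for raw in parse_qs(parts.query, keep_blank_values=True).get('msgid', []):
            kind, marker = inspect_msgid(raw)
            if kind:
                findings.append({
                    'ip': m['ip'], 'ts': m['ts'], 'status': int(m['status']),
                    'kind': kind, 'marker': marker, 'msgid': unquote(raw),
                })
    return findings


if __name__ == '__main__':
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['kind']:<11} marker={f['marker']!r} "
              f"status={f['status']} msgid={f['msgid']!r}")
```

Run it against a real log with scan(open(path).read()). Error-based extraction often shows up as a burst of 500 responses, or 200 responses with a database error in the body, from one source against the same path; correlating the status code with the msgid anomaly is what separates a probe from a typo.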
Advisories detailing the vulnerability are available from VulnCheck at https://www.vulncheck.com/advisories/xbtitfm-unauthenticated-sql-injection-in-shouteditphp, with a proof-of-concept exploit published on Exploit-DB at https://www.exploit-db.com/exploits/51909. The official xbtitFM site is https://xbtitfm.eu.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-55346
Vulnerability details
xbtitFM 4.1.18 contains an unauthenticated SQL injection vulnerability that allows remote attackers to manipulate database queries by injecting malicious SQL code through the msgid parameter. Attackers can send crafted requests to /shoutedit.php with EXTRACTVALUE functions to extract database names, user credentials, and password hashes from the underlying database.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated SQL injection in a public-facing web application (T1190) enables extraction of sensitive data such as credentials and password hashes from the database (T1213.006).
Mitigating Controls (NIST 800-53 r5)
SI-10 addresses the root cause: untrusted input such as the msgid parameter in shoutedit.php is validated against its expected format (for a message id, an integer) and bound to the query as a parameter rather than concatenated into the SQL text.
SI-2 requires timely identification, reporting and remediation of flaws such as this unauthenticated SQL injection in xbtitFM 4.1.18, eliminating the vulnerability through patching.
AC-6 limits the database account the application runs as to the minimum privileges it needs (read and write on its own tables only, no administrative rights), so that a successful injection through msgid exposes less data.
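The controls above reduce to two code-level changes: validate msgid against its expected shape, then bind it as a query parameter. The following Python example is added here and is not taken from xbtitFM (whose actual query is not reproduced); it shows a hypothetical vulnerable lookup beside the hardened one against an in-memory SQLite database. SQLite lacks EXTRACTVALUE, so the injection demonstrated is a UNION that reads the users table rather than the MySQL error-based technique in the advisory; table names, column names and data are assumptions constructed for the example.

```python
"""Vulnerable vs. hardened handling of the msgid parameter.

Added example, not xbtitFM's code. Stands in for the shoutedit.php lookup with
an in-memory SQLite database. SQLite has no EXTRACTVALUE, so the injection shown
is a UNION that reads the users table instead of the MySQL error-based trick
described in the advisory. Table/column names and rows are constructed.
"""
import re
import sqlite3


def build_db():
    """Constructed schema and data standing in for the application's database."""
    conn = sqlite3.connect(':memory:')
    conn.executescript('''
        CREATE TABLE shoutbox (id INTEGER PRIMARY KEY, msg TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        INSERT INTO shoutbox VALUES (1, 'hello'), (2, 'world');
        INSERT INTO users VALUES (1, 'admin', 'constructed-hash-value');
    ''')
    return conn


def vulnerable_lookup(conn, msgid):
    """Hypothetical 'before' (CWE-89): the raw request value is pasted into the SQL text."""
    sql = "SELECT id, msg FROM shoutbox WHERE id = " + msgid
    return conn.execute(sql).fetchall()


# SI-10: a message id is assumed to be a positive integer without leading zeros.
MSGID_RE = re.compile(r'[1-9][0-9]{0,9}')


def validate_msgid(raw):
    """Return the id as int if the value has the expected shape, else None."""
    if not MSGID_RE.fullmatch(raw):
        return None
    return int(raw)


def safe_lookup(conn, raw):
    """'After': validated value bound as a parameter, so it can never change the query."""
    msgid = validate_msgid(raw)
    if msgid is None:
        return None  # the web handler would answer HTTP 400 here
    return conn.execute("SELECT id, msg FROM shoutbox WHERE id = ?", (msgid,)).fetchall()


if __name__ == '__main__':
    db = build_db()
    payload = "0 UNION SELECT username, password_hash FROM users"
    print('vulnerable:', vulnerable_lookup(db, payload))  # leaks the users row
    print('hardened:  ', safe_lookup(db, payload))        # None: rejected before the query
```

Parameter binding alone would already stop the injection; the shape check in front of it is what SI-10 asks for and also keeps garbage out of logs and caches. AC-6 has no code equivalent here, but it is the reason the leaked row in the vulnerable path should not have been readable by the application's database account in the first place.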