Cyber Resilience

CVE-2025-0699

Medium

Published: 24 January 2025

Published
24 January 2025
Modified
10 October 2025
KEV Added
Patch
CVSS Score v4 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0017 37.8th percentile
Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-0699 is a medium-severity Injection (CWE-74) vulnerability in Joeybling Bootplus. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 37.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-0699 is a SQL injection vulnerability (CWE-74, CWE-89) in JoeyBling bootplus up to commit 247d5f6c209be1a5cf10cd0fa18e1d8cc63cf55d. The flaw affects an unknown functionality in the /admin/sys/role/list file, where manipulation of the sort argument triggers the injection. The product does not use versioning, so details on affected and unaffected releases are unavailable.

The vulnerability enables remote exploitation with low attack complexity and no user interaction required. Attackers need low privileges (PR:L) to target network-accessible instances, potentially achieving limited impacts on confidentiality, integrity, and availability (CVSS v3.1 base score of 6.3: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L). The exploit has been publicly disclosed and may be used.

Advisories and further details are available via GitHub issues at https://github.com/JoeyBling/bootplus/issues/21 and https://github.com/JoeyBling/bootplus/issues/21#issue-2786893665, as well as VulDB entries including https://vuldb.com/?ctiid.293227, https://vuldb.com/?id.293227, and https://vuldb.com/?submit.480836. No specific patch or mitigation steps are detailed in the available information.

EU & UK References

Vulnerability details

A vulnerability was found in JoeyBling bootplus up to 247d5f6c209be1a5cf10cd0fa18e1d8cc63cf55d. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /admin/sys/role/list. The manipulation of the argument sort leads to sql injection. The attack…

more

can be launched remotely. The exploit has been disclosed to the public and may be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SQL injection in a remotely accessible web application endpoint directly enables exploitation of a public-facing app (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-0701Same product: Joeybling Bootplus
CVE-2025-0698Same product: Joeybling Bootplus
CVE-2025-0700Same product: Joeybling Bootplus
CVE-2025-0702Same product: Joeybling Bootplus
CVE-2026-3150Shared CWE-74, CWE-89
CVE-2026-3746Shared CWE-74, CWE-89
CVE-2025-2683Shared CWE-74, CWE-89
CVE-2026-5238Shared CWE-74, CWE-89
CVE-2026-4288Shared CWE-74, CWE-89
CVE-2026-2220Shared CWE-74, CWE-89

Affected Assets

joeybling
bootplus
≤ 2020-08-24

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly validates and sanitizes the 'sort' argument in /admin/sys/role/list to prevent SQL injection exploitation.

prevent

Requires identification, reporting, and correction of the specific SQL injection flaw up to commit 247d5f6c209be1a5cf10cd0fa18e1d8cc63cf55d.

prevent

Restricts the types and characteristics of the 'sort' input to only valid sorting parameters, blocking SQL injection payloads.

References