Cyber Resilience

CVE-2025-0701

Medium

Published: 24 January 2025

Modified: 10 October 2025
CVSS v4 Score: 5.3
CVSS v4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0012 (30.2th percentile)
Risk Priority: 11 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-0701 is a medium-severity Injection (CWE-74) vulnerability in Joeybling Bootplus. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 30.2th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-0701 is a SQL injection vulnerability, classified as critical in the CVE description, in the JoeyBling bootplus project. It affects an unknown part of the /admin/sys/user/list file up to commit 247d5f6c209be1a5cf10cd0fa18e1d8cc63cf55d. The flaw stems from manipulation of the "sort" argument and is classified under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, "Injection") and CWE-89 (Improper Neutralization of Special Elements used in an SQL Command, "SQL Injection"). It was published on 2025-01-24 and carries a CVSS v3.1 base score of 6.3.

An attacker can exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L), requiring low privileges (PR:L) and no user interaction (UI:N), without changing scope (S:U). Successful exploitation enables limited impacts on confidentiality, integrity, and availability (C:L/I:L/A:L), potentially allowing unauthorized data access, modification, or disruption via injected SQL queries.

Advisories on VulDB (ctiid.293229, id.293229) and GitHub (JoeyBling/bootplus issues #23 and #2786909921) confirm the remote exploitability and note that the exploit has been publicly disclosed and may be used. The project follows a rolling release model for continuous delivery, so no specific versions for affected or updated releases are provided; security practitioners should update to the latest commits for mitigation.

EU & UK References

Vulnerability details

A vulnerability classified as critical has been found in JoeyBling bootplus up to 247d5f6c209be1a5cf10cd0fa18e1d8cc63cf55d. This affects an unknown part of the file /admin/sys/user/list. The manipulation of the argument sort leads to SQL injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continuous delivery. Therefore, version details for affected and updated releases are not available.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct remote SQL injection in a web admin endpoint enables exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-0698 - Same product: Joeybling Bootplus
CVE-2025-0699 - Same product: Joeybling Bootplus
CVE-2025-0700 - Same product: Joeybling Bootplus
CVE-2025-0702 - Same product: Joeybling Bootplus
CVE-2026-3150 - Shared CWE-74, CWE-89
CVE-2026-3746 - Shared CWE-74, CWE-89
CVE-2025-2683 - Shared CWE-74, CWE-89
CVE-2026-5238 - Shared CWE-74, CWE-89
CVE-2026-4288 - Shared CWE-74, CWE-89
CVE-2026-2220 - Shared CWE-74, CWE-89

Affected Assets

joeybling bootplus ≤ 2020-08-24

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mandates timely remediation of the specific SQL injection flaw in the bootplus /admin/sys/user/list endpoint via patches or updates to latest commits.

prevent

Enforces validation and sanitization of the 'sort' argument to neutralize SQL injection payloads before they reach database queries.

prevent

Restricts the 'sort' parameter to whitelisted values, blocking unauthorized SQL injection attempts through input limitations.
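
The allowlist control described above, sketched as an added example (not bootplus code and not in the project's own stack): a sort value from the request is used only as a lookup key into trusted column names, because ORDER BY identifiers cannot be bound as query parameters. The table `sys_user`, its columns, and the function names are assumptions made for illustration.

```python
import sqlite3

# Hypothetical allowlist: request value -> trusted SQL identifier.
SORT_COLUMNS = {"id": "user_id", "username": "username", "created": "create_time"}
SORT_ORDERS = {"asc": "ASC", "desc": "DESC"}


def build_order_by(sort, order="asc", default="user_id"):
    """Return an ORDER BY clause built only from trusted constants.

    The request value is used purely as a dictionary key; it is never
    copied into the SQL text.
    """
    if sort is None or sort == "":
        return f"ORDER BY {default} ASC"
    column = SORT_COLUMNS.get(sort)
    direction = SORT_ORDERS.get((order or "asc").lower())
    if column is None or direction is None:
        # Reject instead of silently falling back, so probing shows up in logs.
        raise ValueError("unsupported sort parameter")
    return f"ORDER BY {column} {direction}"


def list_users(conn, sort=None, order="asc", keyword=""):
    """List users: data values are bound, the sort clause is allowlisted."""
    sql = ("SELECT user_id, username FROM sys_user "
           "WHERE username LIKE ? " + build_order_by(sort, order))
    return conn.execute(sql, (f"%{keyword}%",)).fetchall()


def make_demo_db():
    """Constructed in-memory sample data (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sys_user (user_id INTEGER PRIMARY KEY, "
                 "username TEXT, create_time TEXT)")
    conn.executemany(
        "INSERT INTO sys_user (username, create_time) VALUES (?, ?)",
        [("carol", "2020-03-01"), ("alice", "2020-01-01"), ("bob", "2020-02-01")])
    return conn


if __name__ == "__main__":
    db = make_demo_db()
    print(list_users(db, sort="username"))
    try:
        list_users(db, sort="create_time desc")  # real column, but not an allowlisted key
    except ValueError as exc:
        print("rejected:", exc)
```

Raising on an unknown value, rather than defaulting, gives the application a log event to alert on when the parameter is being probed.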

References