CVE-2025-0929
Published: 31 January 2025
Summary
CVE-2025-0929 is a critical-severity SQL Injection (CWE-89) vulnerability in TeamCal Neo (product inferred from the INCIBE references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 19.5% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-0929 is a SQL injection vulnerability affecting TeamCal Neo version 3.8.2. The flaw resides in the handling of the ‘abs’ parameter within /teamcal/src/index.php and is classified under CWE-89. Successful exploitation permits an attacker to inject arbitrary SQL statements that can retrieve, modify, or delete any data stored in the application’s database.
The vulnerability can be exploited remotely by an unauthenticated attacker over the network. With a CVSS score of 9.8, the issue requires no user interaction or credentials, enabling an adversary to achieve full read/write/delete access to the database contents and potentially compromise the integrity and availability of the TeamCal Neo installation.
The referenced INCIBE advisory addresses multiple vulnerabilities in TeamCal Neo, including this issue, and is the primary public source for further details on affected versions and recommended actions. The associated EPSS score remains low, with a current value of 0.0135 and a peak of 0.0174.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-1930
- 🇪🇸 INCIBE: www.incibe.es
Vulnerability details
SQL injection vulnerability in TeamCal Neo, version 3.8.2. This could allow an attacker to retrieve, update and delete all database information by injecting a malicious SQL statement via the ‘abs’ parameter in ‘/teamcal/src/index.php’.
- CWE(s): CWE-89 (Improper Neutralization of Special Elements used in an SQL Command)
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
Unauthenticated SQL injection in a remotely accessible web endpoint directly enables initial access via exploitation of a public-facing application.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly enforces validation of untrusted inputs like the 'abs' parameter in '/teamcal/src/index.php' to block malicious SQL injection statements.
- SI-2 (Flaw Remediation): requires timely identification, reporting, and correction of the specific SQL injection flaw in TeamCal Neo version 3.8.2.
- Vulnerability scanning: enables identification of SQL injection issues like CVE-2025-0929 in web applications prior to exploitation.
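As an added illustration of the SI-10 control above (example code written for this page, not TeamCal Neo's source, whose actual handling of 'abs' is not shown in the advisory): a hypothetical handler that interpolates the 'abs' request parameter into SQL text, beside the hardened form that validates the value and binds it through a prepared statement. The table name `absences`, its columns, and the assumption that 'abs' is a positive integer identifier are all made up for the example.

```php
<?php
// Added example, not TeamCal Neo's code. Shows the CWE-89 pattern and its fix
// for a request parameter named 'abs'. Table `absences` and the integer-id
// assumption are constructed for this illustration.

// BEFORE (vulnerable pattern): the parameter is spliced into the SQL text, so
// whoever supplies 'abs' also controls the structure of the statement.
function loadAbsenceUnsafe(PDO $db, string $abs): array|false
{
    $sql = "SELECT id, reason FROM absences WHERE id = '" . $abs . "'";
    return $db->query($sql)->fetch(PDO::FETCH_ASSOC);
}

// AFTER: reject anything that is not the expected shape, then bind the value.
// The SQL text is now fixed; the bound value can never alter the statement.
function loadAbsenceSafe(PDO $db, string $abs): array|false
{
    // Assumption: 'abs' is a positive integer identifier (bounded length).
    if (!ctype_digit($abs) || strlen($abs) > 10) {
        throw new InvalidArgumentException('abs must be a positive integer id');
    }
    $stmt = $db->prepare('SELECT id, reason FROM absences WHERE id = :id');
    $stmt->bindValue(':id', (int) $abs, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// Minimal harness on an in-memory SQLite database so the file runs stand-alone.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE absences (id INTEGER PRIMARY KEY, reason TEXT)');
$db->exec("INSERT INTO absences (id, reason) VALUES (7, 'holiday')");

// Constructed input: the request parameter, with a default for CLI runs.
$abs = $_GET['abs'] ?? '7';
try {
    var_dump(loadAbsenceSafe($db, $abs));   // array with id 7 for the default input
} catch (InvalidArgumentException $e) {
    // Input validation failure: log and return a generic client error instead.
    echo 'rejected: ' . $e->getMessage() . PHP_EOL;
}
```

The validation step is the SI-10 layer; the prepared statement is what actually removes the injection surface, so both belong in the fix even when the parameter is supposed to be numeric.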