CVE-2025-10266
Published: 12 September 2025
Summary
CVE-2025-10266 is a critical-severity SQL Injection (CWE-89) vulnerability in NUP Pro by NewType Infortech (vendor and product inferred from the references below). Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 39.1st percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-10266 is a SQL injection vulnerability (CWE-89) affecting NUP Pro, a product developed by NewType Infortech. Published on 2025-09-12, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low complexity, and lack of prerequisites. The flaw enables unauthenticated remote attackers to inject arbitrary SQL commands, potentially compromising the underlying database.
Unauthenticated attackers can exploit this vulnerability remotely over the network with minimal effort, requiring no privileges, user interaction, or special conditions. Successful exploitation allows attackers to read sensitive data, modify database contents, and delete records, leading to high impacts on confidentiality, integrity, and availability.
Advisories detailing the issue are available from TWCERT/CC at https://www.twcert.org.tw/en/cp-139-10378-4fd0d-2.html and https://www.twcert.org.tw/tw/cp-132-10377-89750-1.html, which security practitioners should consult for mitigation guidance and patch information.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-29038
Vulnerability details
NUP Pro developed by NewType Infortech has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct unauthenticated remote SQL injection in a public-facing application maps to exploitation of public-facing apps for initial access and database compromise.
Mitigating Controls (NIST 800-53 r5)
SI-2 requires timely identification, reporting, and correction of system flaws, directly mitigating CVE-2025-10266 by patching the SQL injection vulnerability in NUP Pro.
SI-10 mandates validation and sanitization of information inputs, preventing unauthenticated attackers from injecting arbitrary SQL commands as in CVE-2025-10266.
SC-7 provides boundary protection via web application firewalls or similar mechanisms to block or detect SQL injection attempts exploiting CVE-2025-10266.