Cyber Resilience

CVE-2025-10266

Severity: Critical
Published: 12 September 2025
Modified: 15 April 2026
KEV Added: not listed
CVSS Score (v4): 9.3
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0018 (39.1st percentile)
Risk Priority: 19 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-10266 is a critical-severity SQL injection (CWE-89) vulnerability. The affected asset is recorded here only as "Org", inferred from the references because NVD filed no CPE for this CVE. Its CVSS v4 base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 39.1st percentile by EPSS exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-10266 is a SQL injection vulnerability (CWE-89) affecting NUP Pro, a product developed by NewType Infortech. Published on 2025-09-12, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low complexity, and lack of prerequisites. The flaw enables unauthenticated remote attackers to inject arbitrary SQL commands, potentially compromising the underlying database.

Unauthenticated attackers can exploit this vulnerability remotely over the network with minimal effort, requiring no privileges, user interaction, or special conditions. Successful exploitation allows attackers to read sensitive data, modify database contents, and delete records, leading to high impacts on confidentiality, integrity, and availability.

Advisories detailing the issue are available from TWCERT/CC at https://www.twcert.org.tw/en/cp-139-10378-4fd0d-2.html and https://www.twcert.org.tw/tw/cp-132-10377-89750-1.html, which security practitioners should consult for mitigation guidance and patch information.

Vulnerability details

NUP Pro developed by NewType Infortech has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents.

CWE(s): CWE-89 (SQL Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct unauthenticated remote SQL injection in a public-facing application maps to exploitation of public-facing apps for initial access and database compromise.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-39334 (shared CWE-89)
CVE-2024-13488 (shared CWE-89)
CVE-2026-20002 (shared CWE-89)
CVE-2025-1446 (shared CWE-89)
CVE-2025-22699 (shared CWE-89)
CVE-2026-36232 (shared CWE-89)
CVE-2026-31871 (shared CWE-89)
CVE-2026-33078 (shared CWE-89)
CVE-2026-46359 (shared CWE-89)
CVE-2025-22691 (shared CWE-89)

Affected Assets

Org (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): SI-2 requires timely identification, reporting, and correction of system flaws, directly mitigating CVE-2025-10266 by patching the SQL injection vulnerability in NUP Pro.

SI-10 Information Input Validation (prevent): SI-10 mandates validation and sanitization of information inputs, preventing unauthenticated attackers from injecting arbitrary SQL commands as in CVE-2025-10266.

SC-7 Boundary Protection (prevent, detect): SC-7 provides boundary protection via web application firewalls or similar mechanisms to block or detect SQL injection attempts exploiting CVE-2025-10266.