CVE-2025-1156
Published: 10 February 2025
Summary
CVE-2025-1156 is a medium-severity Injection (CWE-74) vulnerability. Its CVSS base score is 6.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its exploit likelihood ranks at the 28.5th percentile (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-1156 is a critical SQL injection vulnerability affecting Pix Software Vivaz version 6.0.10. The issue resides in unknown code within the /servlet?act=login file, where manipulation of the "usuario" argument enables the injection. Published on 2025-02-10, it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and is associated with CWE-74 and CWE-89.
The vulnerability is remotely exploitable by unauthenticated attackers with low complexity and no user interaction required. Successful exploitation can result in limited impacts to confidentiality, integrity, and availability, such as unauthorized data access, modification, or disruption via injected SQL queries.
VulDB advisories detail the public disclosure of an exploit, which may already be in use. The vendor was contacted early regarding the issue but has not responded, and no patches or mitigations are mentioned in available references.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-2031
Vulnerability details
A vulnerability has been found in Pix Software Vivaz 6.0.10 and classified as critical. This vulnerability affects unknown code of the file /servlet?act=login. The manipulation of the argument usuario leads to SQL injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct remote unauthenticated SQL injection in a public-facing web servlet enables initial access via exploitation of a public-facing application.
Mitigating Controls (NIST 800-53 r5)
SI-10 mandates information input validation at entry points like the 'usuario' parameter in the login servlet, directly preventing SQL injection exploitation.
SI-2 requires timely identification, reporting, and correction of critical flaws such as the CVE-2025-1156 SQL injection vulnerability.
RA-5 implements vulnerability scanning that would identify the SQL injection issue in Pix Software Vivaz 6.0.10.
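SI-10 calls for validating the usuario parameter at the login entry point, and the underlying fix for an injection of this class is to bind the value instead of splicing it into SQL. The following is an added illustration, not Vivaz code (the affected servlet is unpublished): it contrasts a concatenated login query with a validated, parameterized one, using an in-memory SQLite table with constructed rows as a stand-in for the product's backend.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory user table (assumption: stands in for the real store)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE usuarios (usuario TEXT PRIMARY KEY, senha_hash TEXT)")
    conn.execute("INSERT INTO usuarios VALUES ('alice', 'hash-of-alice-password')")
    conn.commit()
    return conn


def login_vulnerable(conn, usuario, senha_hash):
    """Anti-pattern: the request parameter is concatenated into the SQL text,
    so any quote or comment characters it carries become SQL syntax."""
    sql = ("SELECT usuario FROM usuarios WHERE usuario = '" + usuario
           + "' AND senha_hash = '" + senha_hash + "'")
    return conn.execute(sql).fetchone() is not None


# SI-10 style allowlist for the username shape (assumed policy for this demo).
USUARIO_RE = re.compile(r"[A-Za-z0-9_.@-]{1,64}")


def valid_usuario(usuario):
    """Reject anything outside the allowlisted character set and length."""
    return USUARIO_RE.fullmatch(usuario) is not None


def login_safe(conn, usuario, senha_hash):
    """Hardened form: validate at the entry point, then bind both values as
    parameters so the driver never interprets them as SQL."""
    if not valid_usuario(usuario):
        return False
    row = conn.execute(
        "SELECT usuario FROM usuarios WHERE usuario = ? AND senha_hash = ?",
        (usuario, senha_hash),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    crafted = "alice' --"  # constructed input: a quote plus an SQL line comment
    print("vulnerable:", login_vulnerable(db, crafted, "wrong-hash"))  # True
    print("hardened:  ", login_safe(db, crafted, "wrong-hash"))        # False
```

The parameterized query alone would also defeat the crafted input; the allowlist adds a second, independent check at the entry point and rejects malformed usernames before any database round trip.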