CVE-2025-1374
Published: 17 February 2025
Summary
CVE-2025-1374 is a medium-severity Injection (CWE-74) vulnerability in Fabian Real Estate Property Management System. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 19.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-1374 is a critical SQL injection vulnerability (CWE-74, CWE-89) affecting code-projects Real Estate Property Management System 1.0. The flaw exists in an unknown part of the /search.php file, where manipulation of the arguments StateName, CityName, AreaName, or CatId enables SQL injection. It carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and was published on 2025-02-17T04:15:08.643.
Remote attackers with low privileges, such as authenticated users, can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation grants limited access to confidential information (C:L), limited modification of data integrity (I:L), and limited denial of service (A:L), all within unchanged scope.
VulDB advisories detail the issue across entries like ctiid.295983 and id.295983, with a proof-of-concept exploit disclosed publicly in a GitHub repository (sql-gu2.pdf). The original project page at code-projects.org provides further context, but no specific patches or mitigations are outlined in the references. The exploit availability heightens the risk for exposed instances.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-2132
Vulnerability details
A vulnerability classified as critical has been found in code-projects Real Estate Property Management System 1.0. This affects an unknown part of the file /search.php. The manipulation of the argument StateName/CityName/AreaName/CatId leads to sql injection. It is possible to initiate…
more
the attack remotely. The exploit has been disclosed to the public and may be used.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in public-facing web application (/search.php) enables remote exploitation (T1190), unauthorized database access and collection (T1213.006), and abuse of server software component (T1505, per advisory).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SI-10 directly prevents SQL injection by requiring validation and sanitization of untrusted inputs like StateName, CityName, AreaName, and CatId in /search.php.
SI-2 requires timely flaw remediation to patch or fix the SQL injection vulnerability in /search.php, eliminating the root cause.
SI-9 restricts input types, lengths, and rates for vulnerable parameters, limiting opportunities for SQL injection payloads.