CVE-2025-1374

MediumPublic PoC

Published: 17 February 2025

Published

17 February 2025

Modified

23 October 2025

KEV Added

—

Patch

—

CVSS Score 6.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

EPSS Score 0.0006 19.5th percentile

Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-1374 is a medium-severity Injection (CWE-74) vulnerability in Fabian Real Estate Property Management System. Its CVSS base score is 6.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 19.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

SI-10 directly prevents SQL injection by requiring validation and sanitization of untrusted inputs like StateName, CityName, AreaName, and CatId in /search.php.

SI-2 Flaw Remediation good match

prevent

SI-2 requires timely flaw remediation to patch or fix the SQL injection vulnerability in /search.php, eliminating the root cause.

SI-9 Information Input Restrictions partial match

prevent

SI-9 restricts input types, lengths, and rates for vulnerable parameters, limiting opportunities for SQL injection payloads.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1213.006 Databases Collection

Adversaries may leverage databases to mine valuable information.

attack.mitre.org →

T1505 Server Software Component Persistence

Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems.

attack.mitre.org →

Why these techniques?

SQL injection in public-facing web application (/search.php) enables remote exploitation (T1190), unauthorized database access and collection (T1213.006), and abuse of server software component (T1505, per advisory).

NVD Description

A vulnerability classified as critical has been found in code-projects Real Estate Property Management System 1.0. This affects an unknown part of the file /search.php. The manipulation of the argument StateName/CityName/AreaName/CatId leads to sql injection. It is possible to initiate…

the attack remotely. The exploit has been disclosed to the public and may be used.

Deeper analysisAI

CVE-2025-1374 is a critical SQL injection vulnerability (CWE-74, CWE-89) affecting code-projects Real Estate Property Management System 1.0. The flaw exists in an unknown part of the /search.php file, where manipulation of the arguments StateName, CityName, AreaName, or CatId enables SQL injection. It carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and was published on 2025-02-17T04:15:08.643.

Remote attackers with low privileges, such as authenticated users, can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation grants limited access to confidential information (C:L), limited modification of data integrity (I:L), and limited denial of service (A:L), all within unchanged scope.

VulDB advisories detail the issue across entries like ctiid.295983 and id.295983, with a proof-of-concept exploit disclosed publicly in a GitHub repository (sql-gu2.pdf). The original project page at code-projects.org provides further context, but no specific patches or mitigations are outlined in the references. The exploit availability heightens the risk for exposed instances.

Details

CWE(s): CWE-74 CWE-89

Affected Products

fabian

real estate property management system

1.0

CVEs Like This One

CVE-2025-1197Same product: Fabian Real Estate Property Management System

CVE-2025-2419Same product: Fabian Real Estate Property Management System

CVE-2025-2384Same product: Fabian Real Estate Property Management System

CVE-2025-1576Same product: Fabian Real Estate Property Management System

CVE-2025-0230Same vendor: Fabian

CVE-2025-2391Same vendor: Fabian

CVE-2025-2985Same vendor: Fabian

CVE-2025-2854Same vendor: Fabian

CVE-2025-0229Same vendor: Fabian

CVE-2025-2389Same vendor: Fabian

References

https://code-projects.org/
Product · cna@vuldb.com
https://github.com/1337g/realestatepropertymanagement_poc/blob/main/sql-gu2.pdf
Exploit, Third Party Advisory · cna@vuldb.com
https://vuldb.com/?ctiid.295983
Permissions Required, VDB Entry · cna@vuldb.com
https://vuldb.com/?id.295983
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/?submit.499767
Third Party Advisory, VDB Entry · cna@vuldb.com