CVE-2025-1464
Published: 19 February 2025
Summary
CVE-2025-1464 is a high-severity Injection (CWE-74) vulnerability. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 8.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires validation of user inputs like the project_id parameter to block SQL injection attempts in /wuser/admin.house.collect.php.
Mandates identification, reporting, and correction of critical flaws like this unauthenticated SQL injection vulnerability despite vendor non-response.
Requires regular vulnerability scanning that would identify and enable remediation of the publicly disclosed SQL injection in the affected system versions.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct remote unauthenticated SQL injection in a public-facing web application endpoint enables exploitation of the app itself.
NVD Description
A vulnerability, which was classified as critical, has been found in Baiyi Cloud Asset Management System up to 20250204. This issue affects some unknown processing of the file /wuser/admin.house.collect.php. The manipulation of the argument project_id leads to sql injection. The…
more
attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Deeper analysisAI
CVE-2025-1464 is a critical SQL injection vulnerability in the Baiyi Cloud Asset Management System versions up to 20250204. The flaw resides in the processing of the /wuser/admin.house.collect.php file, where the project_id argument is vulnerable to manipulation, allowing injection of malicious SQL code. It has been assigned CWE-74 and CWE-89, with a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
The vulnerability can be exploited remotely by unauthenticated attackers with low complexity and no user interaction required. By sending a crafted request manipulating the project_id parameter, an attacker can execute arbitrary SQL queries, potentially leading to limited impacts on confidentiality, integrity, and availability, such as unauthorized data access, modification, or disruption.
Advisories from VulDB and a GitHub issue detail the vulnerability, including a publicly disclosed exploit. No patches or vendor responses are available, as the vendor was contacted early but did not reply.
The exploit has been made public and may be actively used, increasing the risk for exposed instances of the affected software.
Details
- CWE(s)