CVE-2025-2118
Published: 09 March 2025
Summary
CVE-2025-2118 is an Injection (CWE-74) vulnerability, specifically SQL injection (CWE-89). The base score given in this summary is 6.9 (Medium); the VulDB advisory quoted below reports a CVSS v3.1 base score of 7.3, which sits in the High band of that scale, so treat the two numbers as different scorings of the same issue rather than a contradiction.
Operationally, exploitation aligns with the MITRE ATT&CK technique T1190 (Exploit Public-Facing Application). The issue ranks at the 3rd percentile by exploit likelihood (well below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations identified in this analysis are NIST SP 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-2118 is a SQL injection vulnerability in Quantico Tecnologia PRMV version 6.48, classified as critical by VulDB. It affects an unspecified code path in the file /admin/login.php within the Login Endpoint component: the username argument reaches a SQL query without being neutralized, so a crafted username changes the structure of the query. The issue is linked to CWE-74 and CWE-89, carries a CVSS v3.1 base score of 7.3 (High; vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and was published on 2025-03-09.
The vulnerability can be exploited remotely by an unauthenticated attacker with low attack complexity and no user interaction. The vector rates confidentiality, integrity and availability impact as Low each (partial rather than full compromise). A login query is a sensitive place for injection: depending on how the query result is used, the practical outcome ranges from authentication bypass to reading or modifying whatever the application's database account can reach, so the Low impact ratings should not be read as a low operational risk.
Advisories and details are available from VulDB entries at https://vuldb.com/?ctiid.299013, https://vuldb.com/?id.299013, and https://vuldb.com/?submit.506948, as well as a GitHub repository at https://github.com/yago3008/cves. The exploit has been publicly disclosed and may be used by attackers.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-7503
Vulnerability details
A vulnerability was found in Quantico Tecnologia PRMV 6.48. It has been classified as critical. This affects an unknown part of the file /admin/login.php of the component Login Endpoint. The manipulation of the argument username leads to SQL injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
- CWE(s): CWE-89 (SQL Injection), CWE-74 (Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1190: Exploit Public-Facing Application
Why these techniques?
The CVE describes a remote SQL injection vulnerability in a public-facing web application login endpoint (/admin/login.php), enabling unauthenticated attackers to exploit the application directly, which maps to T1190: Exploit Public-Facing Application.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): validate the username parameter received by /admin/login.php against an allow-list of expected characters and a maximum length before it reaches any query, and pass it to the database as a bound parameter rather than as part of the SQL text. Rejecting quote and comment sequences in the username removes the injection point; parameterization makes the query structure independent of the input even if validation is incomplete.
- SI-2 (Flaw Remediation): remediate the specific SQL injection flaw in Quantico Tecnologia PRMV 6.48 in a timely manner, through a vendor update or a code fix. Until that is in place, limit which networks and users can reach /admin/login.php, since the flaw is reachable without authentication.
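The following is an added example, not code from Quantico Tecnologia PRMV or from the advisory, illustrating both the flaw class described in the analysis above and the SI-10 input-validation mitigation listed here. It reproduces the CWE-89 pattern of a login handler that splices the username into its SQL text, shows two username payloads that comment out the password check, and places a hardened handler beside it that combines an allow-list check on the username with a parameterized query. The table name, column names, the unsalted SHA-256 password scheme (kept for brevity; a real deployment uses a salted slow hash) and the username allow-list are all assumptions made for the demonstration, and the sample account is constructed inline.

```python
"""Login-endpoint SQL injection, vulnerable form beside the hardened form.

Added illustration for CVE-2025-2118's vulnerability class; this is not
code from Quantico Tecnologia PRMV.  Schema, columns, password scheme and
the username allow-list are assumptions made for the demonstration.
"""
import hashlib
import hmac
import re
import sqlite3

# Assumed allow-list for an admin username: letters, digits and a few
# punctuation characters, bounded length.  Quotes, spaces and comment
# markers never pass, so they cannot reach the SQL layer.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.@-]{1,64}")


def sha256_hex(password: str) -> str:
    # Unsalted SHA-256, as many legacy PHP logins stored it.  Kept only so
    # the demo stays short; real code should use a salted, slow hash.
    return hashlib.sha256(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a single admin account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin_users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.execute("INSERT INTO admin_users VALUES (?, ?)",
                 ("admin", sha256_hex("CorrectHorse")))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """CWE-89 pattern: the username is spliced into the SQL text, so a quote
    inside it ends the string literal and the rest becomes SQL."""
    sql = ("SELECT username FROM admin_users "
           "WHERE username = '%s' AND pw_hash = '%s'"
           % (username, sha256_hex(password)))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_hardened(conn: sqlite3.Connection, username: str, password: str):
    """Allow-list validation (SI-10) plus a parameterized query: the
    username travels to the database as a bound value, never as SQL."""
    if not USERNAME_RE.fullmatch(username):
        return None
    row = conn.execute(
        "SELECT username, pw_hash FROM admin_users WHERE username = ?",
        (username,)).fetchone()
    if row is None:
        return None
    # Constant-time comparison of the stored and supplied digests.
    if hmac.compare_digest(row[1], sha256_hex(password)):
        return row[0]
    return None


# Two classic payloads.  Each closes the username literal and comments
# out the rest of the WHERE clause, so the password is never checked.
COMMENT_BYPASS = "admin' -- "
TAUTOLOGY_BYPASS = "' OR 1=1 -- "


def demo() -> dict:
    conn = make_db()
    return {
        "legit_vulnerable": login_vulnerable(conn, "admin", "CorrectHorse"),
        "comment_bypass_vulnerable": login_vulnerable(conn, COMMENT_BYPASS, "wrong"),
        "tautology_bypass_vulnerable": login_vulnerable(conn, TAUTOLOGY_BYPASS, "wrong"),
        "comment_bypass_hardened": login_hardened(conn, COMMENT_BYPASS, "wrong"),
        "tautology_bypass_hardened": login_hardened(conn, TAUTOLOGY_BYPASS, "wrong"),
        "legit_hardened": login_hardened(conn, "admin", "CorrectHorse"),
        "wrong_password_hardened": login_hardened(conn, "admin", "wrong"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running the block shows the vulnerable handler returning the admin account for both crafted usernames with a wrong password, while the hardened handler rejects them at the allow-list step and only accepts the real credentials. The two defences are deliberately layered: even if the allow-list were loosened to admit quotes, the bound parameter keeps the query structure fixed, which is why parameterization rather than character filtering is the primary fix for this class.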