CVE-2025-2132
Published: 09 March 2025
Summary
CVE-2025-2132 is a medium-severity Injection (CWE-74) vulnerability in Ftcms Ftcms. Its CVSS base score is 4.7 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Server Software Component (T1505); ranked at the 16.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents SQL injection by requiring validation and sanitization of the manipulable 'name' argument in the Search component.
Mandates timely identification, reporting, and correction of flaws like this unpatched SQL injection vulnerability.
Enables detection of the SQL injection vulnerability through regular monitoring and scanning of the affected ftcms application.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The SQL injection vulnerability in the ftCMS admin search endpoint (/admin/index.php/web/ajax_all_lists) enables exploitation of a server software component (T1505) and facilitates unauthorized data collection from the database (T1213.006).
NVD Description
A vulnerability classified as critical has been found in ftcms 2.1. Affected is an unknown function of the file /admin/index.php/web/ajax_all_lists of the component Search. The manipulation of the argument name leads to sql injection. It is possible to launch the…
more
attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Deeper analysisAI
CVE-2025-2132 is a SQL injection vulnerability classified as critical in ftcms version 2.1. The issue affects an unknown function within the file /admin/index.php/web/ajax_all_lists of the Search component, where manipulation of the "name" argument enables the injection. It carries a CVSS v3.1 base score of 4.7 (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L) and is associated with CWE-74 (Improper Neutralization of Special Elements used in an SQL Command) and CWE-89 (SQL Injection).
The vulnerability can be exploited remotely by attackers with high privileges (PR:H), such as authenticated administrators, requiring low attack complexity and no user interaction. Successful exploitation allows limited impacts: low confidentiality (C:L) via potential data disclosure, low integrity (I:L) through data modification, and low availability (A:L) disruption.
Advisories from VulDB detail the issue, noting public disclosure of an exploit and early vendor notification without response. References include a GitHub issue at https://github.com/ahieafe/zpp/issues/2 and VulDB entries at https://vuldb.com/?ctiid.299052, https://vuldb.com/?id.299052, and https://vuldb.com/?submit.511614; no patches or mitigations are mentioned.
The exploit has been publicly disclosed and may be actively used, with no vendor remediation available as of publication on 2025-03-09.
Details
- CWE(s)