Cyber Resilience

CVE-2025-22954

Severity: Critical
Published: 12 March 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: Koha 24.11.02 or later
CVSS Score v3.1: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.2866 (96.7th percentile)
Risk Priority: 37 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-22954 is a critical-severity SQL Injection (CWE-89) vulnerability in Koha Community (inferred from references). Its CVSS base score is 10.0 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 3.3% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

Koha before version 24.11.02 contains a SQL injection vulnerability in the GetLateOrMissingIssues function in C4/Serials.pm. The flaw is reachable through the /serials/lateissues-export.pl endpoint and is triggered via the supplierid or serialid parameter. It is classified as CWE-89 and carries a CVSS 3.1 score of 10.0, reflecting a network-accessible, low-complexity attack with high impact on confidentiality, integrity, and availability and a changed scope.

An unauthenticated remote attacker can supply crafted input to these parameters and execute arbitrary SQL commands against the Koha database. Successful exploitation grants full read/write access to the database, including the ability to alter or delete records, and can lead to complete system compromise; no user interaction or credentials are required.

The referenced Koha bug report and the 24.11.02 release announcement indicate that the issue is resolved by upgrading to Koha 24.11.02 or later. The associated EPSS score of 0.2866 shows no material increase from its earlier, lower baseline.

Vulnerability details

GetLateOrMissingIssues in C4/Serials.pm in Koha before 24.11.02 allows SQL Injection in /serials/lateissues-export.pl via the supplierid or serialid parameter.

CWE(s)

CWE-89: SQL Injection

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SQL injection in unauthenticated public-facing web endpoint (/serials/lateissues-export.pl) directly enables T1190 exploitation of public-facing applications for initial access and arbitrary database queries.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-39334 (shared CWE-89)
CVE-2024-13488 (shared CWE-89)
CVE-2026-20002 (shared CWE-89)
CVE-2025-1446 (shared CWE-89)
CVE-2025-22699 (shared CWE-89)
CVE-2026-36232 (shared CWE-89)
CVE-2026-31871 (shared CWE-89)
CVE-2026-33078 (shared CWE-89)
CVE-2026-46359 (shared CWE-89)
CVE-2025-22691 (shared CWE-89)

Affected Assets

Koha Community (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Control type: prevent. SI-10 (Information Input Validation): Directly prevents SQL injection by validating untrusted inputs such as the supplierid and serialid parameters prior to their use in database queries.

Control type: prevent, recover. SI-2 (Flaw Remediation): Addresses the root cause through timely flaw remediation, such as patching Koha to version 24.11.02 or later.

Control type: prevent. Restricts the supplierid and serialid parameters to authorized content types, formats, and lengths to block malicious SQL payloads.
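The following Perl script is an added illustration of the two code-level controls above (input validation and parameterized queries) and of a simple detection check for the affected endpoint. It is not Koha's code and does not reproduce C4/Serials.pm; it assumes a hypothetical in-memory SQLite table named serial (via DBD::SQLite) whose columns are chosen only to mirror the supplierid and serialid parameters named in the advisory. The vulnerable function shows the CWE-89 pattern of interpolating a request parameter into SQL text; the hardened function rejects anything that is not a bounded positive integer and then passes the value as a DBI bind parameter; suspicious_request flags request URIs whose supplierid or serialid value is not a plain integer.

```perl
use strict;
use warnings;
use DBI;

# Hypothetical in-memory table standing in for the serial data that the real
# endpoint queries; this is NOT Koha's schema.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
                       { RaiseError => 1, AutoCommit => 1 });
$dbh->do("CREATE TABLE serial (serialid INTEGER PRIMARY KEY, supplierid INTEGER, title TEXT)");
$dbh->do("INSERT INTO serial VALUES (1, 10, 'Journal A'), (2, 10, 'Journal B'), (3, 20, 'Journal C')");

# CWE-89 pattern: the request parameter is interpolated straight into the SQL
# text, so its content becomes part of the query instead of a value.
sub late_issues_vulnerable {
    my ($supplierid) = @_;
    my $sql = "SELECT serialid, title FROM serial WHERE supplierid = $supplierid";
    return $dbh->selectall_arrayref($sql);
}

# SI-10 check: an id is a positive integer of bounded length, nothing else.
sub validate_id {
    my ($name, $value) = @_;
    die "invalid $name\n"
        unless defined $value && $value =~ /\A[1-9][0-9]{0,9}\z/;
    return $value + 0;
}

# Hardened form: validated values are passed as bind parameters (?), so the
# driver always treats them as data, never as SQL.
sub late_issues_hardened {
    my (%args) = @_;
    my (@where, @bind);
    for my $param (qw(supplierid serialid)) {
        next unless exists $args{$param};
        push @where, "$param = ?";
        push @bind,  validate_id($param, $args{$param});
    }
    my $sql = "SELECT serialid, title FROM serial";
    $sql .= " WHERE " . join(" AND ", @where) if @where;
    return $dbh->selectall_arrayref($sql, undef, @bind);
}

# Detection: flag a request to the affected endpoint whose supplierid or
# serialid value is anything other than a plain integer.
sub suspicious_request {
    my ($uri) = @_;
    return 0 unless $uri =~ m{/serials/lateissues-export\.pl\?(.*)\z};
    for my $pair (split /&/, $1) {
        my ($k, $v) = split /=/, $pair, 2;
        next unless defined $k && defined $v;
        next unless $k eq 'supplierid' || $k eq 'serialid';
        $v =~ tr/+/ /;                                   # form encoding: '+' is a space
        $v =~ s/%([0-9A-Fa-f]{2})/chr hex $1/ge;         # percent-decode
        return 1 if $v !~ /\A[0-9]+\z/;
    }
    return 0;
}

# Demonstration with constructed inputs.
printf "vulnerable, supplierid=10          -> %d row(s)\n",
    scalar @{ late_issues_vulnerable('10') };
printf "vulnerable, supplierid='10 OR 1=1' -> %d row(s)\n",
    scalar @{ late_issues_vulnerable('10 OR 1=1') };
printf "hardened,   supplierid=10          -> %d row(s)\n",
    scalar @{ late_issues_hardened(supplierid => '10') };
eval { late_issues_hardened(supplierid => '10 OR 1=1') };
print  "hardened,   supplierid='10 OR 1=1' -> rejected: $@" if $@;

# Constructed request URIs as they would appear in a web-server access log.
for my $uri ('/serials/lateissues-export.pl?supplierid=10',
             '/serials/lateissues-export.pl?supplierid=10%20OR%201%3D1',
             '/serials/lateissues-export.pl?serialid=7&supplierid=10') {
    printf "%-62s %s\n", $uri, suspicious_request($uri) ? 'SUSPICIOUS' : 'ok';
}
```

The vulnerable function returns two rows for the legitimate value and all three for the tampered one, because the tampered text widens the WHERE clause; the hardened function returns two rows for the legitimate value and dies before any SQL is built for the tampered one. The detection check is a cheap retrospective filter for access logs on unpatched instances; it complements, rather than replaces, the upgrade to 24.11.02.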
