CVE-2025-22964
Published: 15 January 2025
Summary
CVE-2025-22964 is a high-severity SQL Injection (CWE-89) vulnerability in Ddsn Cm3 Acora Content Management System. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 6.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents SQL injection by requiring validation and sanitization of user-supplied inputs like the 'table' parameter before database query incorporation.
Mitigates the vulnerability by identifying, reporting, and correcting the specific input sanitization flaw in the cm3 Acora CMS application.
Enforces restrictions on information inputs such as the 'table' parameter to block malicious SQL injection payloads through whitelisting or format enforcement.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The unauthenticated time-based blind SQL injection vulnerability in a public-facing CMS enables exploitation of public-facing applications (T1190) and facilitates unauthorized data collection from databases (T1213.006) through malicious SQL queries, allowing exposure and manipulation of sensitive information.
NVD Description
DDSN Interactive cm3 Acora CMS version 10.1.1 has an unauthenticated time-based blind SQL Injection vulnerability caused by insufficient input sanitization and validation in the "table" parameter. This flaw allows attackers to inject malicious SQL queries by directly incorporating user-supplied input…
more
into database queries without proper escaping or validation. Exploiting this issue enables unauthorized access, manipulation of data, or exposure of sensitive information, posing significant risks to the integrity and confidentiality of the application.
Deeper analysisAI
CVE-2025-22964 is an unauthenticated time-based blind SQL injection vulnerability in DDSN Interactive cm3 Acora CMS version 10.1.1. The flaw arises from insufficient input sanitization and validation in the "table" parameter, which allows attackers to inject malicious SQL queries directly into database operations without proper escaping or parameterization. This CWE-89 issue was published on 2025-01-15 and carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N), indicating high severity due to impacts on confidentiality and integrity.
Attackers with low privileges (PR:L) can exploit this over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). Successful exploitation enables unauthorized access to the database, manipulation of data, or exposure of sensitive information, thereby compromising the application's integrity and confidentiality while having no direct impact on availability (A:N).
For details on mitigation, patches, or workarounds, refer to the advisory at https://github.com/padayali-JD/CVE-2025-22964.
Details
- CWE(s)