CVE-2025-25181
Published: 03 February 2025
Summary
CVE-2025-25181 is a medium-severity SQL Injection (CWE-89) vulnerability in Advantive VeraCore. Its CVSS base score is 5.8 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 1.2% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly mitigates the CVE by requiring timely identification, reporting, and correction of the SQL injection flaw in timeoutWarning.asp.
Prevents SQL injection exploitation by enforcing validation of malicious inputs like the PmSess1 parameter before processing.
Enables detection of the SQL injection vulnerability in VeraCore through regular scanning, facilitating proactive remediation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection enables exploitation of public-facing web applications (T1190) for initial access, arbitrary SQL execution for database data collection (T1213.006), and facilitates webshell deployment for remote execution (T1100) and persistence (T1505.003) as observed in adversary activity.
NVD Description
A SQL injection vulnerability in timeoutWarning.asp in Advantive VeraCore through 2025.1.0 allows remote attackers to execute arbitrary SQL commands via the PmSess1 parameter.
Deeper analysis
CVE-2025-25181 is a SQL injection vulnerability (CWE-89) in the timeoutWarning.asp component of Advantive VeraCore through version 2025.1.0. It allows remote attackers to execute arbitrary SQL commands by injecting malicious input via the PmSess1 parameter. The vulnerability has a CVSS v3.1 base score of 5.8 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N), indicating network accessibility with low complexity, no privileges or user interaction required, a changed scope, and limited impact to confidentiality.
Unauthenticated remote attackers can exploit this vulnerability over the network without user interaction. Successful exploitation enables execution of arbitrary SQL commands, potentially leading to limited unauthorized disclosure of sensitive data, as reflected in the CVSS confidentiality impact.
Advisories from Advantive's support knowledge base detail mitigation steps, while CISA has added CVE-2025-25181 to its Known Exploited Vulnerabilities catalog. Research from Intezer and Solis Security highlights active exploitation by the XE Group threat actor.
This vulnerability has seen real-world exploitation, with threat actors transitioning from credit card skimming to zero-day abuse, underscoring the need for immediate patching in affected VeraCore deployments.
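Because exploitation arrives as requests to timeoutWarning.asp carrying a crafted PmSess1 value, web-server logs are a practical place to hunt for attempts. The following is an added example, not code from Advantive or from this page: it assumes IIS W3C-format logs, uses a constructed `/app/` path and constructed sample lines, and applies a hypothetical allowlist for what a legitimate PmSess1 value looks like.

```python
import re
from urllib.parse import parse_qs

# Assumption: a legitimate PmSess1 value is a plain token. Adjust this
# allowlist to what your own deployment actually sends.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_\-]*")
TARGET = "/timeoutwarning.asp"  # matched case-insensitively on cs-uri-stem

# Constructed sample log: the /app/ path, values and addresses are illustrative.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2025-02-04 10:01:12 192.0.2.10 GET /app/timeoutWarning.asp PmSess1=A1B2C3D4 200
2025-02-04 10:01:40 198.51.100.7 GET /app/timeoutWarning.asp PmSess1=A1B2%27-- 500
2025-02-04 10:02:03 198.51.100.7 GET /app/Home.asp PmSess1=x%27 200
2025-02-04 10:02:30 203.0.113.5 GET /app/timeoutWarning.asp pmsess1=1%2527%3B 200
"""


def suspicious_requests(log_text):
    """Return (date, time, client_ip, decoded_value) for each request to
    timeoutWarning.asp whose PmSess1 value falls outside the allowlist."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order is declared per log file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split(" ")))
        if not row.get("cs-uri-stem", "").lower().endswith(TARGET):
            continue
        query = row.get("cs-uri-query", "-")
        params = parse_qs("" if query == "-" else query, keep_blank_values=True)
        for name, values in params.items():
            if name.lower() != "pmsess1":  # classic ASP parameter names ignore case
                continue
            for value in values:
                # One decode pass only: a leftover '%' (double encoding) also fails.
                if not SAFE_VALUE.fullmatch(value):
                    hits.append((row.get("date"), row.get("time"),
                                 row.get("c-ip"), value))
    return hits


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

IIS W3C logs record only the query string, so a PmSess1 value sent in a request body will not appear in this data and needs WAF or application-level logging to be seen.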
Details
- CWE(s)
- KEV Date Added: 10 March 2025