CVE-2025-25222

Critical

Published: 18 February 2025

Published

18 February 2025

Modified

15 September 2025

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0001 3.2th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-25222 is a critical-severity SQL Injection (CWE-89) vulnerability in Luxsoft Luxcal Web Calendar. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 3.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly requires validating and sanitizing user inputs to retrieve.php to prevent SQL injection attacks from executing arbitrary database commands.

SI-2 Flaw Remediation good match

prevent

Mandates timely patching and flaw remediation, such as upgrading LuxCal to versions 5.3.3M or 5.3.3L to eliminate the SQL injection vulnerability.

RA-5 Vulnerability Monitoring and Scanning partial match

detect

Enables vulnerability scanning to identify SQL injection flaws like CVE-2025-25222 in the retrieve.php component prior to exploitation.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

The SQL injection in the public-facing retrieve.php web component allows remote unauthenticated exploitation via crafted requests, directly mapping to T1190 Exploit Public-Facing Application. Resulting DB access enables data retrieval/modification/deletion but the core exploitation technique is T1190.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

The LuxCal Web Calendar prior to 5.3.3M (MySQL version) and prior to 5.3.3L (SQLite version) contains an SQL injection vulnerability in retrieve.php. If this vulnerability is exploited, information in a database may be deleted, altered, or retrieved.

Deeper analysisAI

CVE-2025-25222 is an SQL injection vulnerability (CWE-89) affecting the LuxCal Web Calendar application in versions prior to 5.3.3M for the MySQL variant and prior to 5.3.3L for the SQLite variant. The flaw resides in the retrieve.php component, which fails to properly sanitize user inputs, enabling malicious SQL queries. It carries a CVSS v3.1 base score of 9.8 (Critical), reflecting network accessibility, low attack complexity, no required privileges or user interaction, and high impacts across confidentiality, integrity, and availability.

A remote, unauthenticated attacker can exploit this vulnerability by sending crafted requests to retrieve.php, potentially executing arbitrary SQL commands. Successful exploitation allows the attacker to retrieve sensitive database information, alter records, or delete data, compromising the entire backend database of affected LuxCal instances.

Advisories from JVN (JVN#26024080) and the official LuxSoft resources detail mitigation through upgrading to LuxCal 5.3.3M (MySQL) or 5.3.3L (SQLite), available via the project download page and discussed in the LuxCal forum. Administrators should review these references for patch deployment and verify configurations to prevent exploitation.