Cyber Posture

CVE-2025-25763

Critical

Published: 06 March 2025

Published
06 March 2025
Modified
07 July 2025
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0038 59.5th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-25763 is a critical-severity SQL Injection (CWE-89) vulnerability in Crmeb Crmeb. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 40.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Requires validation of information inputs at system entry points, directly preventing SQL injection exploitation in the vulnerable getRead() function by rejecting malicious SQL payloads.

SI-2 Flaw Remediation good match
prevent

Mandates timely identification, reporting, and remediation of flaws, ensuring the specific SQL injection vulnerability in CRMEB-KY v5.4.0 and prior is patched.

SC-7 Boundary Protection partial match
prevent

Boundary protection with web application firewalls or intrusion prevention systems can monitor and block remote SQL injection attempts targeting the unauthenticated endpoint.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

SQL injection in public-facing web application (CRMEB-KY) directly enables remote unauthenticated exploitation of the web app via arbitrary SQL queries.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

crmeb CRMEB-KY v5.4.0 and before has a SQL Injection vulnerability at getRead() in /system/SystemDatabackupServices.php

Deeper analysisAI

CVE-2025-25763 is a SQL injection vulnerability (CWE-89) affecting crmeb CRMEB-KY versions v5.4.0 and prior. The issue is located in the getRead() function within the file /system/SystemDatabackupServices.php, as published on 2025-03-06.

The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), making it critically severe. Unauthenticated attackers with network access can exploit it remotely with low attack complexity and no user interaction required, potentially achieving high impacts on confidentiality, integrity, and availability through arbitrary SQL query execution.

Advisories and additional details are available at https://github.com/J-0k3r/CVE-2025-25763 and https://github.com/J-0k3r/sql/blob/main/sql.pdf.

Details

CWE(s)
CWE-89

Affected Products

crmeb
crmeb
5.4.0

CVEs Like This One

CVE-2025-15442Same product: Crmeb Crmeb
CVE-2025-15443Same product: Crmeb Crmeb
CVE-2026-1202Same product: Crmeb Crmeb
CVE-2026-1203Same product: Crmeb Crmeb
CVE-2025-10390Same product: Crmeb Crmeb
CVE-2025-10389Same product: Crmeb Crmeb
CVE-2026-3180Shared CWE-89
CVE-2025-1872Shared CWE-89
CVE-2026-32458Shared CWE-89
CVE-2026-24494Shared CWE-89

References