Cyber Resilience

CVE-2025-25876

Severity: High | Public PoC

Published: 21 February 2025
Modified: 28 March 2025
KEV Added: not listed
Patch: none referenced
CVSS v3.1 score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0008 (24.1st percentile)
Risk priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-25876 is a high-severity SQL Injection (CWE-89) vulnerability in Angeljudesuarez Simple Chatbox. Its CVSS base score is 7.2 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 24.1st percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-25876 is a SQL injection vulnerability (CWE-89) in ITSourcecode Simple ChatBox versions up to 1.0. The flaw lies in an unidentified portion of the /delete.php file, where request input reaches a database query without proper handling, enabling attackers to obtain sensitive data through crafted SQL queries.

The vulnerability has a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), indicating it is exploitable over the network with low complexity and no user interaction required, but necessitates high privileges (PR:H) such as authenticated administrative access. Attackers with sufficient permissions can achieve high impacts across confidentiality, integrity, and availability, potentially extracting sensitive data, modifying database contents, or disrupting services.

A proof-of-concept exploit is documented in the reference at https://github.com/SticKManII/cve-poc/blob/main/chat-box/2/poc.md. No vendor advisories, patches, or specific mitigation guidance are detailed in the available information.

Vulnerability details

A vulnerability was found in ITSourcecode Simple ChatBox up to 1.0. It affects an unidentified portion of the file /delete.php. The attack uses SQL injection to obtain sensitive data.

CWE(s): CWE-89 (SQL Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1213.006 Databases (Collection)
Adversaries may leverage databases to mine valuable information.
Why these techniques?

SQL injection in the public-facing web application (/delete.php) corresponds to exploitation of a public-facing application (T1190), and the sensitive data it exposes corresponds to collection from databases (T1213.006).

CVEs Like This One

Same vendor (Angeljudesuarez): CVE-2025-0949, CVE-2025-0943, CVE-2025-0540, CVE-2025-0948, CVE-2025-0944, CVE-2025-0945, CVE-2025-0873, CVE-2026-3149, CVE-2026-3410, CVE-2025-0947

Affected Assets

Vendor: angeljudesuarez
Product: simple chatbox
Version: 1.0

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): requires validation of information inputs at entry points like /delete.php, directly preventing SQL injection attacks by rejecting malicious SQL queries.

SI-2 Flaw Remediation (prevent): mandates identification, reporting, and timely remediation of flaws, directly addressing the need to patch the SQL injection vulnerability in Simple ChatBox.

AC-6 Least Privilege (prevent): enforces least privilege, reducing the attack surface by limiting the high-privilege (PR:H) access required to exploit the SQL injection in /delete.php.

References

https://github.com/SticKManII/cve-poc/blob/main/chat-box/2/poc.md