CVE-2025-25876
Published: 21 February 2025
Summary
CVE-2025-25876 is a high-severity SQL Injection (CWE-89) vulnerability in Simple Chatbox (listed under both the ITSourcecode and Angeljudesuarez vendor names). Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its exploit-likelihood score sits at the 24.1st percentile (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-25876 is a SQL injection vulnerability (CWE-89) in ITSourcecode Simple ChatBox versions up to 1.0. The affected code is an unidentified part of the /delete.php file; a request parameter handled there is incorporated into a SQL statement without neutralization, so an attacker who can reach the endpoint can inject SQL and obtain sensitive data from the backing database.
The vulnerability has a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H): it is exploitable over the network with low attack complexity and no user interaction, but requires high privileges (PR:H), typically an authenticated administrative account. An attacker holding such an account can achieve high impact on confidentiality, integrity, and availability, for example by extracting data through the injected query, modifying or deleting database contents, or disrupting the service. The privilege requirement narrows the exposed population but does not reduce the impact once an administrative session is obtained or phished.
A proof-of-concept exploit is documented in the reference at https://github.com/SticKManII/cve-poc/blob/main/chat-box/2/poc.md. No vendor advisories, patches, or specific mitigation guidance are detailed in the available information.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-4300
Vulnerability details
A vulnerability was found in ITSourcecode Simple ChatBox up to 1.0. This vulnerability affects unknown code of the file /delete.php. The attack can use SQL injection to obtain sensitive data.
- CWE(s): CWE-89 (SQL Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection reachable through the public-facing /delete.php endpoint maps to Exploit Public-Facing Application (T1190); the sensitive-data retrieval it enables maps to Data from Information Repositories: Databases (T1213.006).
Mitigating Controls (NIST 800-53 r5)
SI-10 requires validation of information inputs at entry points such as /delete.php. Accepting only the expected shape of input (for a delete handler, a numeric record identifier) and passing it to the database as a bound parameter rather than as SQL text removes the injection path entirely, which is the standard remedy for CWE-89.
SI-2 mandates identification, reporting, and timely remediation of flaws. Since no vendor advisory or patch is referenced for this CVE, remediation of Simple ChatBox will in practice mean fixing the query construction in /delete.php locally, or removing the application from exposed networks until a fix is available.
AC-6 enforces least privilege. Because exploitation requires high privileges (PR:H), limiting the number of accounts that can reach the administrative functions behind /delete.php, and monitoring their use, reduces who can trigger the vulnerable query; running the application's database account with only the rights the chat box needs limits what an injected query can read.
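The following example is added here to illustrate the vulnerability class described in the "Deeper analysis" section and the SI-10 remedy above. It is not code from Simple ChatBox or from the referenced proof-of-concept: the table, rows, handler names (delete_vulnerable, delete_hardened, blind_probe, leak_via_blind) and the use of an in-memory SQLite database are all constructed assumptions. It goes beyond the page's specific case to show why a delete-only endpoint still loses confidentiality: each injected yes/no condition either deletes a known row or does not, and that single bit per request is enough to read other rows one character at a time.

```python
import re
import sqlite3

# Constructed sample data for this illustration; it is not the Simple ChatBox schema.
SEED_ROWS = [
    (1, "alice", "hello"),
    (2, "bob", "secret token: abc123"),
    (3, "carol", "lunch?"),
]

# Characters the blind extraction will try; assumed to cover the target value.
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789: "


def make_db():
    """Fresh in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, author TEXT, body TEXT)")
    conn.executemany("INSERT INTO messages VALUES (?, ?, ?)", SEED_ROWS)
    conn.commit()
    return conn


def delete_vulnerable(conn, msg_id):
    """Hypothetical delete handler written the way CWE-89 arises: the request
    parameter is spliced into the SQL text. Returns the number of rows deleted."""
    cur = conn.execute("DELETE FROM messages WHERE id = " + msg_id)
    conn.commit()
    return cur.rowcount


def delete_hardened(conn, msg_id):
    """Same operation with SI-10 style input validation (only a positive decimal
    integer is accepted) and a bound parameter, so the value cannot alter the query."""
    if not re.fullmatch(r"[1-9][0-9]*", msg_id):
        raise ValueError("id must be a positive integer")
    cur = conn.execute("DELETE FROM messages WHERE id = ?", (int(msg_id),))
    conn.commit()
    return cur.rowcount


def blind_probe(condition):
    """Ask the vulnerable handler a yes/no question: row 1 is deleted only when the
    injected condition is true, and the deleted-row count reveals which happened.
    A fresh copy of the data is used per probe so the deletion does not accumulate."""
    conn = make_db()
    return delete_vulnerable(conn, f"1 AND ({condition})") == 1


def leak_via_blind(row_id=2, max_len=32):
    """Recover messages.body for one row, one character at a time, purely from
    whether each probe deleted a row. This is the C:H impact behind a delete endpoint."""
    known = ""
    for _ in range(max_len):
        for ch in ALPHABET:
            cand = known + ch
            cond = (f"substr((SELECT body FROM messages WHERE id = {row_id}), 1, "
                    f"{len(cand)}) = '{cand}'")
            if blind_probe(cond):
                known = cand
                break
        else:
            return known  # no character extends the prefix: the value is complete
    return known


if __name__ == "__main__":
    print("mass delete via injection:", delete_vulnerable(make_db(), "0 OR 1=1"))  # 3
    print("leaked through delete endpoint:", leak_via_blind())  # secret token: abc123
    print("hardened, valid id:", delete_hardened(make_db(), "2"))  # 1
    try:
        delete_hardened(make_db(), "0 OR 1=1")
    except ValueError as err:
        print("hardened, injected id rejected:", err)
```

The validation in delete_hardened is the SI-10 control; the bound parameter is what actually makes the query safe, and the two should be used together rather than relying on either alone. A regex that only permits digits would also refuse the blind-probe payloads, so the same check blocks both the integrity (mass delete) and confidentiality (character-by-character leak) outcomes shown above.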