CVE-2025-25914
Published: 17 March 2025
Summary
CVE-2025-25914 is a critical-severity SQL Injection (CWE-89) vulnerability in Carmelo Online Exam Mastering System. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 16.8% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
Online Exam Mastering System version 1.0 contains a SQL injection vulnerability tracked as CVE-2025-25914. The flaw resides in the fid parameter and is classified under CWE-89, enabling unauthenticated remote code execution. It received a CVSS 3.1 score of 9.8, reflecting network attack vector, low complexity, and full impact on confidentiality, integrity, and availability.
An attacker with no credentials can send a crafted request containing malicious SQL to the vulnerable parameter, resulting in arbitrary code execution on the underlying server. Because the vulnerability requires no user interaction or authentication, it can be exploited directly over the internet by any remote party.
The single available reference is a public GitHub proof-of-concept that demonstrates the injection but supplies no official patch or mitigation guidance. EPSS scores for the CVE rose from a low baseline to a recorded peak of 0.0305 before settling at the current value of 0.0180, indicating a measurable increase in exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-6501
Vulnerability details
SQL injection vulnerability in Online Exam Mastering System v.1.0 allows a remote attacker to execute arbitrary code via the fid parameter
- CWE(s): CWE-89 (SQL Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
SQL injection vulnerability in a public-facing web application (Online Exam Mastering System) allows remote arbitrary code execution via the fid parameter, directly enabling exploitation of public-facing applications.
Mitigating Controls (NIST 800-53 r5)
SI-10 directly prevents SQL injection by validating and sanitizing the fid parameter to reject malicious SQL payloads.
SI-2 ensures timely remediation of the specific SQL injection flaw in Online Exam Mastering System v1.0 to eliminate the vulnerability.
SI-9 restricts the types, formats, and quantity of inputs to the fid parameter, blocking oversized or malformed SQL injection attempts.
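As an added illustration of the SI-10 control above (not code from the Online Exam Mastering System, whose handler and schema are not on the page), the following Python sketch places an input-concatenating lookup on the `fid` parameter beside a validated, parameterized version; the table, column names and sample rows are constructed for the demo.

```python
import re
import sqlite3

# Constructed in-memory stand-in for the application's database. The real
# schema is not on the page, so the table, columns and rows are assumptions.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE exam_files (fid INTEGER PRIMARY KEY, owner TEXT, path TEXT)")
    conn.executemany(
        "INSERT INTO exam_files VALUES (?, ?, ?)",
        [(1, "alice", "/exams/1.pdf"), (2, "bob", "/exams/2.pdf"), (3, "carol", "/exams/3.pdf")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, fid: str) -> list:
    """'Before' pattern (CWE-89): the request parameter is concatenated into
    the statement, so the database parses whatever the client sent as SQL."""
    query = "SELECT fid, owner, path FROM exam_files WHERE fid = " + fid
    return conn.execute(query).fetchall()


# fid is expected to be a short positive integer; anything else is rejected
# before it reaches the database (SI-10: validate type, format and length).
FID_PATTERN = re.compile(r"[1-9][0-9]{0,8}")


def lookup_hardened(conn: sqlite3.Connection, fid: str) -> list:
    """Hardened version: validate the input, then bind it as a parameter so
    the value can never change the structure of the statement."""
    if not FID_PATTERN.fullmatch(fid):
        # A good place to log the rejected value for detection purposes.
        raise ValueError("fid must be a positive integer")
    query = "SELECT fid, owner, path FROM exam_files WHERE fid = ?"
    return conn.execute(query, (int(fid),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "2"))          # one row, as intended
    print(lookup_vulnerable(db, "2 OR 1=1"))   # every row: the condition was injected
    print(lookup_hardened(db, "2"))            # one row
    try:
        lookup_hardened(db, "2 OR 1=1")
    except ValueError as exc:
        print("rejected:", exc)                # input never reached the database
```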