Cyber Resilience

CVE-2025-26163

CriticalPublic PoC

Published: 14 March 2025

Published
14 March 2025
Modified
03 April 2025
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0008 24.3th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-26163 is a critical-severity SQL Injection (CWE-89) vulnerability in Cmsol Auto Atendimento. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 24.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-26163 is a SQL injection vulnerability (CWE-89) in CM Soluces Informatica Ltda Auto Atendimento version 1.x.x, specifically via the CPF parameter. Published on 2025-03-14, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its potential for severe impact.

Remote attackers require no privileges or user interaction and can exploit the issue over the network with low complexity. Successful exploitation enables arbitrary SQL query execution, granting high-impact access to confidentiality, integrity, and availability of the affected system.

A proof-of-concept for the SQL injection is available at https://github.com/Fr1t0viski/PoCs/blob/main/SQL_Injection_AutoAtendimento. No vendor advisories, patches, or mitigation guidance are detailed in the CVE references.

EU & UK References

Vulnerability details

CM Soluces Informatica Ltda Auto Atendimento 1.x.x was discovered to contain a SQL injection via the CPF parameter.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1213.006 Databases Collection
Adversaries may leverage databases to mine valuable information.
Why these techniques?

SQL injection vulnerability in public-facing web application enables exploitation for initial access (T1190) and arbitrary database queries for data collection (T1213.006).

CVEs Like This One

CVE-2019-25537Shared CWE-89
CVE-2019-25366Shared CWE-89
CVE-2019-25496Shared CWE-89
CVE-2026-1475Shared CWE-89
CVE-2026-26990Shared CWE-89
CVE-2026-44047Shared CWE-89
CVE-2025-12865Shared CWE-89
CVE-2024-11135Shared CWE-89
CVE-2019-25491Shared CWE-89
CVE-2024-13369Shared CWE-89

Affected Assets

cmsol
auto atendimento
1.0.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly prevents SQL injection by validating and sanitizing untrusted inputs like the CPF parameter before incorporation into SQL queries.

prevent

Remediates the specific SQL injection flaw in CM Soluces Informatica Ltda Auto Atendimento 1.x.x to eliminate arbitrary SQL query execution.

prevent

Deploys boundary protection such as web application firewalls to inspect and block SQL injection payloads targeting the CPF parameter.

References