CVE-2025-26163
Published: 14 March 2025
Summary
CVE-2025-26163 is a critical-severity SQL Injection (CWE-89) vulnerability in Cmsol Auto Atendimento. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 24.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-26163 is a SQL injection vulnerability (CWE-89) in CM Soluces Informatica Ltda Auto Atendimento version 1.x.x, specifically via the CPF parameter. Published on 2025-03-14, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its potential for severe impact.
Remote attackers require no privileges or user interaction and can exploit the issue over the network with low complexity. Successful exploitation enables arbitrary SQL query execution, granting high-impact access to confidentiality, integrity, and availability of the affected system.
A proof-of-concept for the SQL injection is available at https://github.com/Fr1t0viski/PoCs/blob/main/SQL_Injection_AutoAtendimento. No vendor advisories, patches, or mitigation guidance are detailed in the CVE references.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-6771
Vulnerability details
CM Soluces Informatica Ltda Auto Atendimento 1.x.x was discovered to contain a SQL injection via the CPF parameter.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection vulnerability in public-facing web application enables exploitation for initial access (T1190) and arbitrary database queries for data collection (T1213.006).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly prevents SQL injection by validating and sanitizing untrusted inputs like the CPF parameter before incorporation into SQL queries.
Remediates the specific SQL injection flaw in CM Soluces Informatica Ltda Auto Atendimento 1.x.x to eliminate arbitrary SQL query execution.
Deploys boundary protection such as web application firewalls to inspect and block SQL injection payloads targeting the CPF parameter.