CVE-2025-26200
Published: 24 February 2025
Summary
CVE-2025-26200 is a high-severity SQL Injection (CWE-89) vulnerability in Slims Senayan Library Management System. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks in the top 19.7% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-26200 is a SQL injection vulnerability, tracked under CWE-89, that affects SLIMS version 9.6.1. The flaw resides in the visitor_report_day.php component and is triggered through the month parameter, enabling unauthorized database manipulation.
A remote attacker with high privileges can exploit the issue over the network with low attack complexity and no user interaction required. Successful exploitation yields full read, write, and disruption capabilities on the affected system, corresponding to the CVSS 7.2 rating that reflects high impact across confidentiality, integrity, and availability.
The two referenced sources consist of a GitHub issue tracker entry for the SLIMS project and a technical blog post; neither supplies explicit patch details or mitigation steps in the available information. The associated EPSS scores remain low and essentially flat, indicating limited observed exploitation interest to date.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-4291
Vulnerability details
SQL injection in SLIMS v.9.6.1 allows a remote attacker to escalate privileges via the month parameter in the visitor_report_day.php component.
- CWE(s): CWE-89 (SQL Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1068: Exploitation for Privilege Escalation
Why these techniques?
SQL injection in a web component directly enables remote exploitation of the public-facing application for privilege escalation.
Affected Assets
- SLIMS (Senayan Library Management System) v9.6.1
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of untrusted inputs such as the month parameter, preventing SQL injection exploitation.
- SI-2 (Flaw Remediation): mandates timely identification, reporting, and correction of flaws such as this SQL injection vulnerability in SLIMS.
- AC-6 (Least Privilege): enforces least privilege to limit the scope and impact of any privilege escalation achieved via successful SQL injection.
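As an added illustration of what SI-10 asks for on a parameter like month, the following PHP is example code written for this page; it is not SLIMS code and does not reproduce the affected visitor_report_day.php. The table and column names (visitor_count, visit_date) and the $db PDO connection are assumptions.

```php
<?php
// Added example, not SLIMS code: hardening a `month` report parameter.
// Table/column names (`visitor_count`, `visit_date`) are assumptions.

/**
 * Validate a month value taken from the request.
 * Returns an int 1..12, or null for anything else. Because only a
 * plain 1- or 2-digit number passes, no SQL fragment can reach the
 * query through this parameter (NIST SP 800-53 SI-10).
 */
function parseMonth($raw): ?int
{
    if (!is_string($raw) || !preg_match('/^(0?[1-9]|1[0-2])$/', $raw)) {
        return null;
    }
    return (int) $raw;
}

/**
 * Per-day visitor counts for one month of one year.
 * Year and month are bound as typed parameters, so the database never
 * interprets them as SQL, regardless of what the client sent.
 */
function visitorsPerDay(PDO $db, int $year, int $month): array
{
    $sql = 'SELECT DAY(visit_date) AS d, COUNT(*) AS n
              FROM visitor_count
             WHERE YEAR(visit_date) = :y AND MONTH(visit_date) = :m
          GROUP BY DAY(visit_date)
          ORDER BY d';
    $stmt = $db->prepare($sql);
    $stmt->bindValue(':y', $year, PDO::PARAM_INT);
    $stmt->bindValue(':m', $month, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Request handling: fail closed on anything outside the expected shape.
$month = parseMonth($_GET['month'] ?? '');
$year  = filter_input(INPUT_GET, 'year', FILTER_VALIDATE_INT,
             ['options' => ['min_range' => 1970, 'max_range' => 2100]]);
if ($month === null || $year === false || $year === null) {
    http_response_code(400);
    exit('invalid month or year');
}
// $db is assumed to be an already configured PDO connection.
$rows = visitorsPerDay($db, $year, $month);
```

The validation step rejects the request before any database call, and the prepared statement is a second, independent layer: even if a future change relaxed the regular expression, the bound parameter would still not be executed as SQL.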