Cyber Resilience

CVE-2025-29980

Critical

Published: 20 March 2025
Modified: 23 September 2025
KEV Added: not listed
Patch: none listed; the affected product is end-of-life (see Mitigating Controls)

CVSS v4.0 base score: 9.3 (Critical)
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS score: 0.0052 (67.1st percentile)
Risk Priority: 19 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-29980 is a critical-severity SQL injection (CWE-89) vulnerability in CentralSquare eTRAKiT.net. Its CVSS v4.0 base score is 9.3 (Critical); under CVSS v3.1 it scores 9.8.

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). With an EPSS score of 0.0052 it ranks in the top 32.9% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SA-22 (Unsupported System Components) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-29980 is a SQL injection vulnerability (CWE-89) in eTRAKiT.net release 3.2.1.77, stemming from improper input validation. Under CVSS v3.1 it scores 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H): reachable over the network, low attack complexity, no privileges or user interaction required, with high impact on confidentiality, integrity and availability.

A remote, unauthenticated attacker can exploit the vulnerability over the network with low complexity and no user interaction. Successful exploitation lets the attacker run arbitrary SQL commands with the privileges of the database login that eTRAKiT.net uses to connect to Microsoft SQL Server. What the attacker can reach is therefore bounded by the rights granted to that login, which is why an application's database account should hold no more than the application itself needs.
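The mechanism described above, as an added example that is not eTRAKiT.net code and does not reproduce the product's actual injection point (the advisory does not describe it): a permit lookup that splices user input into the SQL text, beside the parameterized form that input-validation controls such as SI-10 call for. It runs against an in-memory SQLite database with constructed rows; the table and column names (permits, app_users) and the two payloads are assumptions for the demonstration. The same principle holds for Microsoft SQL Server, where the injected statement runs with whatever rights the application's login holds.

```python
"""Added example: SQL injection via string concatenation vs. a parameterized query.

Illustrative code written for this page, not eTRAKiT.net source. The schema,
rows and payloads below are constructed for the demonstration.
"""
import sqlite3

# Constructed sample data: the lookup the application intends (permits) and a
# table the permit search was never meant to expose (app_users).
SCHEMA = """
CREATE TABLE permits (permit_no TEXT, address TEXT, status TEXT);
INSERT INTO permits VALUES ('P-1001', '12 Main St', 'open');
INSERT INTO permits VALUES ('P-1002', '34 Oak Ave', 'closed');
CREATE TABLE app_users (username TEXT, password_hash TEXT);
INSERT INTO app_users VALUES ('admin', 'a1b2c3d4');
INSERT INTO app_users VALUES ('inspector', 'e5f6a7b8');
"""


def connect():
    """Fresh in-memory database loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def search_vulnerable(conn, permit_no):
    """CWE-89: untrusted input is spliced into the SQL text, so a quote
    character in permit_no changes the statement the engine executes."""
    sql = (
        "SELECT permit_no, address, status FROM permits "
        f"WHERE permit_no = '{permit_no}'"
    )
    return conn.execute(sql).fetchall()


def search_parameterized(conn, permit_no):
    """Hardened: the statement text is fixed and the value is bound by the
    driver, so the input is always data, never SQL syntax."""
    sql = "SELECT permit_no, address, status FROM permits WHERE permit_no = ?"
    return conn.execute(sql, (permit_no,)).fetchall()


# Constructed attacker inputs. The first turns the WHERE clause into a
# tautology; the second appends a UNION that reads a table the search was
# never intended to touch, with `--` commenting out the trailing quote.
TAUTOLOGY = "' OR '1'='1"
UNION_LEAK = "' UNION SELECT username, password_hash, 'x' FROM app_users --"


def demo():
    """Run each input through both versions and return the rows each produced."""
    conn = connect()
    results = {
        "benign_vulnerable": search_vulnerable(conn, "P-1001"),
        "tautology_vulnerable": search_vulnerable(conn, TAUTOLOGY),
        "union_vulnerable": search_vulnerable(conn, UNION_LEAK),
        "tautology_parameterized": search_parameterized(conn, TAUTOLOGY),
        "union_parameterized": search_parameterized(conn, UNION_LEAK),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

Against the concatenating version the tautology returns every permit and the UNION payload returns the contents of app_users; the parameterized version returns no rows for either, because the whole payload is compared as a literal permit number. Input validation (rejecting anything that is not a well-formed permit identifier) is a useful second layer, but binding parameters is what removes the injection itself.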

Advisories recommend turning off the CRM feature while running eTRAKiT.net release 3.2.1.77 as an interim mitigation. eTRAKiT.net is no longer supported; the recommended remediation is migration to the latest version of CentralSquare Community Development.


Vulnerability details

A SQL injection issue has been discovered in eTRAKiT.net release 3.2.1.77. Due to improper input validation, a remote unauthenticated attacker can run arbitrary commands as the current MS SQL server account. It is recommended that the CRM feature is turned off while on eTRAKiT.net release 3.2.1.77. eTRAKiT.Net is no longer supported, and users are recommended to migrate to the latest version of CentralSquare Community Development.

CWE(s)

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SQL injection in a public-facing web application (eTRAKiT.net) gives a remote, unauthenticated attacker arbitrary SQL execution against the backing database, which is the initial-access pattern described by T1190 Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-64281 (same vendor: CentralSquare)
CVE-2026-39334 (shared CWE-89)
CVE-2024-13488 (shared CWE-89)
CVE-2026-20002 (shared CWE-89)
CVE-2025-1446 (shared CWE-89)
CVE-2025-22699 (shared CWE-89)
CVE-2026-36232 (shared CWE-89)
CVE-2026-31871 (shared CWE-89)
CVE-2026-33078 (shared CWE-89)
CVE-2026-46359 (shared CWE-89)

Affected Assets

centralsquare
etrakit.net
3.2.1.77

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)

Directly addresses the SQL injection by requiring that inputs are validated before use and, in practice, that SQL statements are parameterized so user-supplied data can never be interpreted as SQL syntax.

SI-2 Flaw Remediation (prevent)

Ensures timely identification, reporting, and correction of flaws such as the improper input validation behind this SQL injection.

SA-22 Unsupported System Components (prevent)

Prohibits the use of unsupported system components such as the end-of-life eTRAKiT.net software; for this CVE that means migrating off release 3.2.1.77 rather than waiting for a fix.
