CVE-2025-29980
Published: 20 March 2025
Summary
CVE-2025-29980 is a critical-severity SQL Injection (CWE-89) vulnerability in CentralSquare eTRAKiT.net. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 32.9% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SA-22 (Unsupported System Components) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-29980 is a SQL injection vulnerability (CWE-89) in eTRAKiT.net release 3.2.1.77, stemming from improper input validation. The flaw carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), i.e. critical severity with high impact on confidentiality, integrity, and availability.
A remote unauthenticated attacker can exploit the vulnerability over the network with low complexity and no user interaction required. Successful exploitation allows the attacker to execute arbitrary commands as the current Microsoft SQL Server account.
Advisories recommend turning off the CRM feature while using eTRAKiT.net release 3.2.1.77 as a mitigation. eTRAKiT.Net is no longer supported, and users are advised to migrate to the latest version of CentralSquare Community Development.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-7153
Vulnerability details
A SQL injection issue has been discovered in eTRAKiT.net release 3.2.1.77. Due to improper input validation, a remote unauthenticated attacker can run arbitrary commands as the current MS SQL server account. It is recommended that the CRM feature is turned off while on eTRAKiT.net release 3.2.1.77. eTRAKiT.Net is no longer supported, and users are recommended to migrate to the latest version of CentralSquare Community Development.
- CWE(s): CWE-89 (SQL Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in public-facing web application (eTRAKiT.net) allows remote unauthenticated arbitrary command execution, directly enabling T1190 Exploit Public-Facing Application.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly addresses the SQL injection vulnerability by requiring validation of inputs to prevent execution of arbitrary SQL commands.
- Flaw remediation: Ensures timely identification, reporting, and correction of flaws such as the improper input validation causing this SQL injection.
- SA-22 (Unsupported System Components): Mitigates the vulnerability by prohibiting use of unsupported system components such as the end-of-life eTRAKiT.net software.