CVE-2025-40639

Critical

Published: 09 March 2026

Published

09 March 2026

Modified

10 March 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0001 2.9th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-40639 is a critical-severity SQL Injection (CWE-89) vulnerability in Sbitsoft Eventobot. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 2.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly requires validation of the 'promo_send' parameter to block SQL injection payloads from compromising the database.

SI-2 Flaw Remediation good match

prevent

Mandates identification, reporting, and correction of the specific SQL injection flaw in '/assets/php/calculate_discount.php'.

AC-6 Least Privilege partial match

prevent

Limits the scope of damage from successful SQL injection by enforcing least privilege on the database account used by the application.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1213.006 Databases Collection

Adversaries may leverage databases to mine valuable information.

attack.mitre.org →

Why these techniques?

Direct remote exploitation of public web app via SQLi (T1190) enabling full DB access/manipulation (T1213.006).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A SQL injection vulnerability has been found in Eventobot. This vulnerability allows an attacker to retrieve, create, update and delete databases through the 'promo_send' parameter in the '/assets/php/calculate_discount.php'.

Deeper analysisAI

CVE-2025-40639 is a SQL injection vulnerability (CWE-89) discovered in Eventobot, specifically through the 'promo_send' parameter in the '/assets/php/calculate_discount.php' endpoint. Published on 2026-03-09, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), classifying it as critical due to its potential for severe impacts across confidentiality, integrity, and availability.

The vulnerability enables an unauthenticated remote attacker with network access to exploit it with low complexity and no user interaction. Exploitation grants the ability to retrieve, create, update, and delete database contents, potentially compromising the entire backend database.

The primary advisory from INCIBE-CERT, available at https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-eventobot, addresses multiple vulnerabilities in Eventobot, including CVE-2025-40639, and provides details on affected versions and recommended mitigations for security practitioners.