Cyber Resilience

CVE-2025-51683

Severity: Critical · Public PoC referenced

Published: 01 December 2025
Modified: 04 December 2025
KEV: not currently listed
CVSS v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.0020 (42.1st percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-51683 is a critical-severity SQL injection (CWE-89) vulnerability in mJobtime, time-management software from the vendor Mjobtime. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 42.1st percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-51683 is a blind SQL injection (SQLi) vulnerability in mJobtime version 15.7.2, time-management software distributed via mjobtime.com. Published on 2025-12-01, the flaw resides in the /Default.aspx/update_profile_Server endpoint, where unauthenticated attackers can execute arbitrary SQL statements through a crafted POST request. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-89.

Remote, unauthenticated attackers can exploit this vulnerability over the network with low attack complexity and without user interaction or prior privileges. By sending a specially crafted POST request, they can inject and execute arbitrary SQL statements, compromising the confidentiality, integrity, and availability of the database with high impact. Because the injection is blind, the application does not return query output directly; the attacker instead infers results one condition at a time from differences in the response or its timing, which is slower than an error- or union-based injection but extracts the same data.

Advisories such as the one from InfoGuard Labs (covering CVE-2025-51682 and CVE-2025-51683) describe the SQLi in this time management software, including paths to potential RCE. Practitioners should consult these references and the vendor site at mjobtime.com for mitigation details, patch availability, or workarounds.
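The following is an added illustration of the CWE-89 pattern behind a blind injection of this kind, written for this page; it is not mJobtime's code, and the users table, column names and the pw_hash value are hypothetical. It pairs a profile-update handler that splices request fields into the statement (the vulnerable shape) with the same handler using bound parameters, then shows how a "did a row change" response is enough of an oracle to read a column one character at a time from the vulnerable version, and why the parameterized version gives the same probe nothing.

```python
import sqlite3

# Hypothetical schema standing in for a profile table; it is not mJobtime's
# schema and the handlers below are not mJobtime's code.
def setup():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users(
            id INTEGER PRIMARY KEY,
            username TEXT UNIQUE,
            display_name TEXT,
            pw_hash TEXT
        );
        INSERT INTO users VALUES (1, 'alice', 'Alice', 'SECRET-HASH');
    """)
    return con

def update_profile_vulnerable(con, username, display_name):
    """CWE-89: request fields are spliced into the statement text.
    The caller only learns whether a row changed, so any leak is blind."""
    sql = ("UPDATE users SET display_name = '" + display_name + "' "
           "WHERE username = '" + username + "'")
    cur = con.execute(sql)
    con.commit()
    return cur.rowcount > 0

def update_profile_fixed(con, username, display_name):
    """Same behaviour with the values bound as parameters. The database
    receives the statement shape and the data separately, so quotes and
    comment markers inside a value cannot change the statement."""
    cur = con.execute(
        "UPDATE users SET display_name = ? WHERE username = ?",
        (display_name, username),
    )
    con.commit()
    return cur.rowcount > 0

# Boolean-based blind probe: the value closes the string literal, appends a
# condition on a column the endpoint was never meant to expose, and comments
# out the trailing quote. Against the vulnerable handler the "row changed"
# signal becomes a one-bit oracle for that condition.
PROBE = "alice' AND substr(pw_hash, 1, 1) = '{}' --"

def blind_probe(updater, char):
    con = setup()                      # fresh state for each probe
    return updater(con, PROBE.format(char), "x")

def leak_first_char(updater, alphabet="ABCDEFGHIJKLMNOPQRSTUVWXYZ"):
    """Return the first character of alice's pw_hash if `updater` is
    injectable, else None. Real tooling repeats this for every position."""
    for c in alphabet:
        if blind_probe(updater, c):
            return c
    return None

if __name__ == "__main__":
    print("vulnerable handler leaks:", leak_first_char(update_profile_vulnerable))  # S
    print("fixed handler leaks:", leak_first_char(update_profile_fixed))            # None
```

The fixed handler still accepts the probe string as an ordinary (non-matching) username, which is the point: the remediation is structural, not a denylist of characters, and it works the same way in ADO.NET with SqlParameter as it does here with sqlite3 placeholders.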

Vulnerability details

A blind SQL injection (SQLi) vulnerability in mJobtime v15.7.2 allows unauthenticated attackers to execute arbitrary SQL statements via a crafted POST request to the /Default.aspx/update_profile_Server endpoint.

CWE(s)

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1213.006 Databases (Collection)
Adversaries may leverage databases to mine valuable information.
Why these techniques?

The CVE describes an unauthenticated blind SQLi in a public-facing web endpoint (/Default.aspx/update_profile_Server), enabling arbitrary SQL execution against the backing database (T1190, T1213.006).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
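Since the page maps exploitation to T1190 against a known endpoint, a practitioner's next question is what it looks like in the web-server log. The following is an added detection sketch written for this page, not tooling from the vendor or the advisory. It assumes the application runs on IIS and that the log uses the standard W3C extended format; the log lines are constructed and the thresholds are illustrative. Two caveats drive the design: IIS does not record POST bodies, so the injection payload itself never appears in the log and content matching needs a WAF or request-body logging; and legitimate, authenticated users also call this endpoint, so the signal is unauthenticated volume (cs-username is "-") and the elevated time-taken that a time-based blind probe produces.

```python
from collections import defaultdict
from datetime import datetime

TARGET_STEM = "/default.aspx/update_profile_server"   # compared case-insensitively

# Constructed sample, not real mJobtime traffic. Layout is the standard IIS
# W3C extended format: a #Fields: header names the columns, spaces inside the
# user agent are written as '+', and cs-username is '-' for anonymous requests.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2025-12-02 09:14:01 10.0.0.5 POST /Default.aspx/update_profile_Server - 443 jsmith 192.0.2.10 Mozilla/5.0+(Windows+NT+10.0) 200 0 0 31
2025-12-02 09:20:10 10.0.0.5 POST /Default.aspx/update_profile_Server - 443 - 198.51.100.7 python-requests/2.32 200 0 0 28
2025-12-02 09:20:11 10.0.0.5 POST /Default.aspx/update_profile_Server - 443 - 198.51.100.7 python-requests/2.32 200 0 0 27
2025-12-02 09:20:11 10.0.0.5 POST /Default.aspx/update_profile_Server - 443 - 198.51.100.7 python-requests/2.32 200 0 0 5012
2025-12-02 09:20:12 10.0.0.5 POST /Default.aspx/update_profile_Server - 443 - 198.51.100.7 python-requests/2.32 200 0 0 30
2025-12-02 09:20:13 10.0.0.5 POST /Default.aspx/update_profile_Server - 443 - 198.51.100.7 python-requests/2.32 200 0 0 5008
2025-12-02 09:20:14 10.0.0.5 POST /Default.aspx/update_profile_Server - 443 - 198.51.100.7 python-requests/2.32 200 0 0 29
2025-12-02 09:21:00 10.0.0.5 GET /Default.aspx - 443 - 203.0.113.9 Mozilla/5.0+(X11) 200 0 0 12
"""

def parse_iis(text):
    """Yield one dict per record, keyed by the names in the #Fields: header.
    Malformed lines are skipped rather than allowed to stop the pipeline."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue
        yield dict(zip(fields, parts))

def analyze(text, burst_threshold=5, slow_ms=3000, window_s=60):
    """Return {client_ip: [reasons]} for clients whose POSTs to the endpoint
    look like unauthenticated probing: a burst of anonymous requests inside
    one window, or responses slow enough to suggest time-based blind SQLi."""
    per_ip = defaultdict(list)
    for rec in parse_iis(text):
        if rec["cs-method"] != "POST" or rec["cs-uri-stem"].lower() != TARGET_STEM:
            continue
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        per_ip[rec["c-ip"]].append((ts, rec["cs-username"] == "-", int(rec["time-taken"])))

    findings = {}
    for ip, hits in per_ip.items():
        hits.sort()
        reasons = []
        anon = [t for t, is_anon, _ in hits if is_anon]
        # sliding window over anonymous POSTs only; authenticated use is expected
        for i in range(len(anon)):
            j = i
            while j < len(anon) and (anon[j] - anon[i]).total_seconds() <= window_s:
                j += 1
            if j - i >= burst_threshold:
                reasons.append(f"{j - i} unauthenticated POSTs within {window_s}s")
                break
        slow = [tt for _, _, tt in hits if tt >= slow_ms]
        if slow:
            reasons.append(f"{len(slow)} responses >= {slow_ms} ms (time-based blind pattern)")
        if reasons:
            findings[ip] = reasons
    return findings

if __name__ == "__main__":
    for ip, reasons in analyze(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

Tune burst_threshold and slow_ms against a baseline of the real endpoint's traffic before alerting on them; a slow database alone will trip the latency rule, and the anonymous-burst rule assumes the endpoint is normally reached by authenticated sessions, which this advisory says it does not require.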

CVEs Like This One

CVE-2025-51682 (same product: mJobtime)
CVE-2019-25537 (shared CWE-89)
CVE-2019-25366 (shared CWE-89)
CVE-2019-25496 (shared CWE-89)
CVE-2026-1475 (shared CWE-89)
CVE-2026-26990 (shared CWE-89)
CVE-2026-44047 (shared CWE-89)
CVE-2025-12865 (shared CWE-89)
CVE-2024-11135 (shared CWE-89)
CVE-2019-25491 (shared CWE-89)

Affected Assets

Vendor: mjobtime
Product: mjobtime
Version: 15.7.2

Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

prevent · SI-10 (Information Input Validation): Requires validation of POST request inputs to the /Default.aspx/update_profile_Server endpoint to block SQL injection payloads. Validation is a defence in depth here; the durable fix is to pass request fields to the database as bound parameters rather than as statement text.

prevent: Mandates timely remediation of the blind SQLi flaw in mJobtime v15.7.2 through patching or code correction.

prevent · AC-3 (Access Enforcement): Enforces authentication requirements for access to the vulnerable endpoint, blocking unauthenticated remote attackers. This reduces exposure but does not remove the injection, since an authenticated user can still supply the same payload.
