Cyber Resilience

CVE-2025-63624

CriticalPublic PoC

Published: 03 February 2026

Published
03 February 2026
Modified
11 February 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0063 45.3th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2025-63624 is a critical-severity SQL Injection (CWE-89) vulnerability in Sdkede Iot Smart Water Meter Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 45.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-63624 is a SQL injection vulnerability (CWE-89) in the IoT smart water meter monitoring platform version 1.0 from Shandong Kede Electronics Co., Ltd. The issue resides in the imei_list.aspx file and allows a remote attacker to execute arbitrary code. Published on 2026-02-03, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its high impact on confidentiality, integrity, and availability.

Any unauthenticated remote attacker can exploit this vulnerability over the network with low complexity and no user interaction required. Exploitation enables arbitrary code execution on the affected system, potentially leading to complete compromise of the monitoring platform and connected IoT water meters.

A GitHub repository documents unauthorized remote code execution in this platform, including a proof-of-concept: https://github.com/songqb-xx/Internet-of-Things-Smart-Water-Meter-Monitoring-Platform-Unauthorized-RCE.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

SQL Injection vulnerability in Shandong Kede Electronics Co., Ltd IoT smart water meter monitoring platform v.1.0 allows a remote attacker to execute arbitrary code via the imei_list.aspx file.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SQL injection (CWE-89) in public-facing web endpoint (imei_list.aspx) enables unauthenticated remote arbitrary code execution, directly facilitating T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-24956Shared CWE-89
CVE-2026-33615Shared CWE-89
CVE-2025-28939Shared CWE-89
CVE-2021-47872Shared CWE-89
CVE-2025-28873Shared CWE-89
CVE-2019-25636Shared CWE-89
CVE-2026-32611Shared CWE-89
CVE-2026-42755Shared CWE-89
CVE-2024-53544Shared CWE-89
CVE-2026-21410Shared CWE-89

Affected Assets

sdkede
iot smart water meter firmware
1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly prevents SQL injection in imei_list.aspx by validating and sanitizing untrusted inputs to block malicious SQL code execution.

prevent

Mandates identification, reporting, and correction of the specific SQL injection flaw, eliminating the vulnerability through patching or code fixes.

prevent

Requires regular vulnerability scanning to detect the SQL injection issue in the IoT platform, enabling proactive remediation before remote exploitation.

References