CVE-2025-63624
Published: 03 February 2026
Summary
CVE-2025-63624 is a critical-severity SQL Injection (CWE-89) vulnerability in Sdkede Iot Smart Water Meter Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 45.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-63624 is a SQL injection vulnerability (CWE-89) in the IoT smart water meter monitoring platform version 1.0 from Shandong Kede Electronics Co., Ltd. The issue resides in the imei_list.aspx file and allows a remote attacker to execute arbitrary code. Published on 2026-02-03, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its high impact on confidentiality, integrity, and availability.
Any unauthenticated remote attacker can exploit this vulnerability over the network with low complexity and no user interaction required. Exploitation enables arbitrary code execution on the affected system, potentially leading to complete compromise of the monitoring platform and connected IoT water meters.
A GitHub repository documents unauthorized remote code execution in this platform, including a proof-of-concept: https://github.com/songqb-xx/Internet-of-Things-Smart-Water-Meter-Monitoring-Platform-Unauthorized-RCE.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-206728
Vulnerability details
SQL Injection vulnerability in Shandong Kede Electronics Co., Ltd IoT smart water meter monitoring platform v.1.0 allows a remote attacker to execute arbitrary code via the imei_list.aspx file.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection (CWE-89) in public-facing web endpoint (imei_list.aspx) enables unauthenticated remote arbitrary code execution, directly facilitating T1190: Exploit Public-Facing Application.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly prevents SQL injection in imei_list.aspx by validating and sanitizing untrusted inputs to block malicious SQL code execution.
Mandates identification, reporting, and correction of the specific SQL injection flaw, eliminating the vulnerability through patching or code fixes.
Requires regular vulnerability scanning to detect the SQL injection issue in the IoT platform, enabling proactive remediation before remote exploitation.