Cyber Resilience

CVE-2025-63689

Critical · Public PoC

Published: 07 November 2025
Modified: 05 February 2026
KEV Added: not listed
Patch: available (fixing commit linked under Deeper analysis)
CVSS Score v3.1: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0034 (57.3rd percentile)
Risk Priority: 20 (weighting 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-63689 is a critical-severity SQL Injection (CWE-89) vulnerability in Ycf1998 Money-Pos. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 42.7% of CVEs by exploit likelihood (EPSS), is not currently listed in the CISA KEV catalog, and has a referenced public proof-of-concept.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-63689 covers multiple SQL injection vulnerabilities (CWE-89) in the ycf1998 money-pos system in versions prior to commit 11f276bd20a41f089298d804e43cb1c39d041e59 (dated 2025-09-14). The flaws allow a remote attacker to execute arbitrary code via the orderby parameter. The vulnerability carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H): it is reachable over the network, has low attack complexity, requires neither privileges nor user interaction, and can change scope with high impact on confidentiality, integrity, and availability.

Any unauthenticated remote attacker can exploit this vulnerability over the network with minimal effort. Successful exploitation enables arbitrary code execution on the affected system, potentially leading to full server compromise, data exfiltration, or further lateral movement within the environment.

Mitigation is available via the patching commit at https://github.com/ycf1998/money-pos/commit/11f276bd20a41f089298d804e43cb1c39d041e59. Additional details, including a proof-of-concept, are documented in the GitHub issue at https://github.com/ycf1998/money-pos/issues/3 and a related gist at https://gist.github.com/LockeTom/2ed0f3751c88542f48b7c230468d2a46. Security practitioners should verify and apply the update immediately on affected deployments.


Vulnerability details

Multiple SQL injection vulnerabilities in the ycf1998 money-pos system before commit 11f276bd20a41f089298d804e43cb1c39d041e59 (2025-09-14) allow a remote attacker to execute arbitrary code via the orderby parameter.

CWE(s): CWE-89 (SQL Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The SQL injection vulnerability in a public-facing web application (money-pos system) allows unauthenticated remote attackers to achieve arbitrary code execution, directly mapping to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-39334 (shared CWE-89)
CVE-2024-13488 (shared CWE-89)
CVE-2026-20002 (shared CWE-89)
CVE-2025-1446 (shared CWE-89)
CVE-2025-22699 (shared CWE-89)
CVE-2026-36232 (shared CWE-89)
CVE-2026-31871 (shared CWE-89)
CVE-2026-33078 (shared CWE-89)
CVE-2026-46359 (shared CWE-89)
CVE-2025-22691 (shared CWE-89)

Affected Assets

Vendor: ycf1998
Product: money-pos
Affected versions: ≤ 2025-09-14 (before the fixing commit)

Mitigating Controls (NIST 800-53 r5, AI-assigned)

Prevent: SI-10 (Information Input Validation) directly prevents SQL injection vulnerabilities by requiring validation of untrusted inputs like the orderby parameter to ensure they do not alter SQL queries.

Prevent: SI-2 (Flaw Remediation) mandates timely identification, reporting, and patching of flaws such as the SQL injection issues fixed in the specified commit.

Prevent: SC-7 (Boundary Protection) enables boundary protection devices like web application firewalls to inspect and block malicious SQL injection payloads targeting the orderby parameter.
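The SI-10 control above comes down to one concrete rule for an ORDER BY target: column names and sort directions cannot be bound as prepared-statement parameters, so the only sound validation is an allowlist. The Python/sqlite3 example below is added here as an illustration; it is not code from money-pos (whose actual fix is in the linked commit), and it uses a constructed `product` table with assumed column names. It shows the vulnerable concatenation pattern beside a hardened parser that accepts only `<column> [asc|desc]` from the allowlist and rejects everything else.

```python
import re
import sqlite3

# Constructed demo schema and rows; NOT the money-pos schema.
DEMO_ROWS = [
    (1, "widget", 9.50, "2025-01-01"),
    (2, "gadget", 3.25, "2025-02-01"),
    (3, "doohickey", 12.00, "2025-03-01"),
]

# Allowlist of sortable columns (assumed for the demo) and sort directions.
# ORDER BY targets cannot be bound as parameters, so an allowlist is the control.
ALLOWED_ORDER_COLUMNS = {"id", "name", "price", "created_at"}
ALLOWED_DIRECTIONS = {"asc", "desc"}
_IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def make_demo_db() -> sqlite3.Connection:
    """Build an in-memory table holding the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE product (id INTEGER, name TEXT, price REAL, created_at TEXT)")
    conn.executemany("INSERT INTO product VALUES (?, ?, ?, ?)", DEMO_ROWS)
    return conn


def build_query_unsafe(orderby: str) -> str:
    """Vulnerable pattern: request-controlled text spliced straight into ORDER BY.

    Whatever the caller sends becomes part of the statement text; that is the
    CWE-89 defect class the advisory describes for the orderby parameter.
    """
    return f"SELECT id, name, price FROM product ORDER BY {orderby}"


def parse_orderby(orderby: str) -> tuple[str, str]:
    """Hardened parser: accept only '<column>' or '<column> <asc|desc>'.

    Raises ValueError for anything else: extra tokens, punctuation, or a
    column that is not in the allowlist. Callers should log the rejection.
    """
    parts = orderby.strip().split()
    if len(parts) not in (1, 2):
        raise ValueError(f"orderby must be '<column>' or '<column> <direction>', got {orderby!r}")
    column = parts[0].lower()
    direction = parts[1].lower() if len(parts) == 2 else "asc"
    if not _IDENT_RE.fullmatch(column) or column not in ALLOWED_ORDER_COLUMNS:
        raise ValueError(f"orderby column not allowed: {parts[0]!r}")
    if direction not in ALLOWED_DIRECTIONS:
        raise ValueError(f"orderby direction not allowed: {parts[1]!r}")
    return column, direction


def is_valid_orderby(orderby: str) -> bool:
    """Boolean wrapper around parse_orderby for request validation and tests."""
    try:
        parse_orderby(orderby)
        return True
    except ValueError:
        return False


def build_query_safe(orderby: str) -> str:
    """Only allowlisted tokens reach the SQL text; the raw input never does."""
    column, direction = parse_orderby(orderby)
    return f"SELECT id, name, price FROM product ORDER BY {column} {direction.upper()}"


def list_product_names(conn: sqlite3.Connection, orderby: str) -> list[str]:
    """Run the hardened query and return product names in the requested order."""
    return [row[1] for row in conn.execute(build_query_safe(orderby))]


if __name__ == "__main__":
    db = make_demo_db()
    print(list_product_names(db, "price desc"))
    print(is_valid_orderby("price; DROP TABLE product"))
    # The unsafe builder shows the problem: the input lands verbatim in the statement.
    print(build_query_unsafe("price; DROP TABLE product"))
```

The allowlist is deliberately a set of known column names rather than a regex alone: an identifier regex would still admit any column or expression the schema happens to expose, while the set pins sorting to the columns the feature is meant to offer. Rejections raise before any SQL is built, which gives a natural hook for logging repeated invalid orderby values as a detection signal.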
