Cyber Resilience

CVE-2025-67829

Critical

Published: 18 March 2026

Published
18 March 2026
Modified
20 March 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0026 17.2th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2025-67829 is a critical-severity SQL Injection (CWE-89) vulnerability in Murasoftware Mura Cms. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 17.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-67829 is a SQL injection vulnerability (CWE-89) affecting Mura CMS versions prior to 10.1.14. The issue resides in the beanFeed.cfc component, where the getQuery function fails to properly sanitize the sortDirection parameter, enabling attackers to inject malicious SQL payloads.

With a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), this vulnerability is exploitable remotely over the network by unauthenticated attackers with low complexity and no user interaction required. Successful exploitation grants high-impact access to confidentiality, integrity, and availability, allowing arbitrary SQL execution such as data exfiltration, modification, or database disruption.

Mitigation is available via upgrade to Mura version 10.1.14 or later, as detailed in the official release notes at https://docs.murasoftware.com/v10/release-notes/#section-version-1014.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Mura before 10.1.14 allows beanFeed.cfc getQuery sortDirection SQL injection.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct remote exploitation of public-facing web app via unsanitized SQL parameter in Mura CMS (classic SQLi initial access vector).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-67830Same product: Murasoftware Mura Cms
CVE-2025-55044Same product: Murasoftware Mura Cms
CVE-2025-55046Same product: Murasoftware Mura Cms
CVE-2025-55045Same product: Murasoftware Mura Cms
CVE-2025-55041Same product: Murasoftware Mura Cms
CVE-2025-55040Same product: Murasoftware Mura Cms
CVE-2026-24956Shared CWE-89
CVE-2026-33615Shared CWE-89
CVE-2025-28939Shared CWE-89
CVE-2021-47872Shared CWE-89

Affected Assets

murasoftware
mura cms
≤ 10.1.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly prevents SQL injection in the sortDirection parameter by enforcing validation of untrusted inputs to the beanFeed.cfc getQuery function.

prevent

Requires timely remediation of the SQL injection flaw in Mura CMS versions prior to 10.1.14 through patching or upgrades.

prevent

Restricts the sortDirection parameter to authorized values such as 'ASC' or 'DESC', blocking malicious SQL payloads.

References