Cyber Resilience

CVE-2025-67830

Critical

Published: 18 March 2026

Published
18 March 2026
Modified
21 March 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0032 23.7th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2025-67830 is a critical-severity SQL Injection (CWE-89) vulnerability in Murasoftware Mura Cms. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 23.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-67830 is a SQL injection vulnerability (CWE-89) in the beanFeed.cfc component of Mura CMS versions prior to 10.1.14. The flaw resides in the getQuery function, where the sortby parameter fails to properly sanitize user input, allowing malicious SQL payloads to be injected into database queries. This critical issue carries a CVSS v3.1 base score of 9.8, reflecting its network accessibility, low attack complexity, lack of required privileges or user interaction, and high impacts on confidentiality, integrity, and availability.

Unauthenticated remote attackers can exploit this vulnerability over the network by crafting requests with malicious sortby parameters to the affected endpoint. Successful exploitation enables arbitrary SQL query execution, potentially allowing full database compromise, data exfiltration, modification, or deletion, as well as potential server takeover depending on database privileges and configuration.

The Mura release notes for version 10.1.14 document the fix for this vulnerability, recommending immediate upgrade to this or later versions as the primary mitigation. Additional defensive measures include input validation on the sortby parameter and web application firewall rules to detect SQL injection patterns, though patching remains essential. The CVE was published on 2026-03-18.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Mura before 10.1.14 allows beanFeed.cfc getQuery sortby SQL injection.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct remote unauthenticated exploitation of a public-facing web application component via SQL injection.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-67829Same product: Murasoftware Mura Cms
CVE-2025-55044Same product: Murasoftware Mura Cms
CVE-2025-55046Same product: Murasoftware Mura Cms
CVE-2025-55045Same product: Murasoftware Mura Cms
CVE-2025-55041Same product: Murasoftware Mura Cms
CVE-2025-55040Same product: Murasoftware Mura Cms
CVE-2026-24956Shared CWE-89
CVE-2026-33615Shared CWE-89
CVE-2025-28939Shared CWE-89
CVE-2021-47872Shared CWE-89

Affected Assets

murasoftware
mura cms
≤ 10.1.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the SQL injection by requiring timely application of the vendor patch (Mura 10.1.14) that sanitizes the sortby parameter.

prevent

Enforces validation of the user-supplied sortby parameter in beanFeed.cfc getQuery to block malicious SQL payloads.

preventdetect

Deploys web application firewall at system boundaries to inspect and block SQL injection patterns in sortby parameter requests.

References