CVE-2025-70024
Published: 11 March 2026
Summary
CVE-2025-70024 is a critical-severity SQL Injection (CWE-89) vulnerability. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 40.1st percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-70024 is an SQL injection vulnerability classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) affecting benkeen generatedata version 4.0.14, an open-source tool for generating test data. The CVE was published on 2026-03-11T21:16:13.213 and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity because of its potential for severe impact on confidentiality, integrity, and availability.
The vulnerability enables exploitation by unauthenticated remote attackers over the network with low attack complexity and no requirement for user interaction. Successful exploitation could allow attackers to execute arbitrary SQL commands, potentially leading to unauthorized data access, modification, or deletion, as well as full system compromise depending on the application's database configuration and privileges.
Mitigation details are referenced in advisories at https://gist.github.com/zcxlighthouse/4983275f71824ff47b9bdca9de7cb36a, the project owner's GitHub page https://github.com/benkeen, and the generatedata repository https://github.com/benkeen/generatedata. Security practitioners should review these sources for patches, workarounds, or upgrade guidance specific to version 4.0.14.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-208599
Vulnerability details
An issue pertaining to CWE-89: Improper Neutralization of Special Elements used in an SQL Command was discovered in benkeen generatedata 4.0.14.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in public-facing web app (generatedata) directly enables remote unauthenticated exploitation per T1190.
Mitigating Controls (NIST 800-53 r5)
SI-10 requires validation of information inputs at system interfaces using defined tools and procedures, directly preventing SQL injection (CWE-89) by neutralizing special elements used in SQL commands.
SI-2 mandates timely identification, reporting, and correction of system flaws, directly mitigating CVE-2025-70024 through patching or upgrading the vulnerable generatedata 4.0.14.
SC-7 provides boundary protection at external interfaces, enabling web application firewalls or proxies to block or detect SQL injection attempts against the unauthenticated remote endpoint.