CVE-2025-70981
Published: 12 February 2026
Summary
CVE-2025-70981 is a critical-severity SQL Injection (CWE-89) vulnerability in Fit2Cloud CordysCRM. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 15.3rd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly prevents SQL injection by validating and sanitizing the departmentIds parameter in the /user/list endpoint.
- Requires timely patching or remediation of the specific SQL injection flaw in CordysCRM 1.4.1 identified as CVE-2025-70981.
- Restricts the departmentIds input to authorized types and formats, such as numeric values only, blocking SQL injection attempts.
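The input-validation control described above, validating departmentIds as a list of numeric identifiers and binding them as query parameters, as an added Python example that is not CordysCRM's code (the user table, sample rows and function names are constructed for illustration; it assumes the endpoint receives departmentIds as a comma-separated string):

```python
import re
import sqlite3

# Constructed sample data for illustration only; not CordysCRM's schema.
SAMPLE_USERS = [
    (1, "alice", 10),
    (2, "bob", 10),
    (3, "carol", 20),
    (4, "dave", 30),
]

# Matches only a non-empty, comma-separated list of unsigned integers.
DEPARTMENT_IDS_RE = re.compile(r"\d+(,\d+)*")


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (id INTEGER, name TEXT, department_id INTEGER)")
    conn.executemany("INSERT INTO user VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def is_valid_department_ids(raw):
    """Allow-list check (SI-10): accept only digits and commas, nothing else.
    Quotes, spaces, parentheses and SQL keywords never pass this check."""
    return isinstance(raw, str) and DEPARTMENT_IDS_RE.fullmatch(raw) is not None


def parse_department_ids(raw, max_ids=100):
    """Turn a validated departmentIds string into a bounded list of ints."""
    if not is_valid_department_ids(raw):
        raise ValueError("departmentIds must be a comma-separated list of integers")
    ids = [int(x) for x in raw.split(",")]
    if len(ids) > max_ids:
        raise ValueError("too many department ids")  # also bounds the IN list size
    return ids


def list_users_by_department(conn, raw_department_ids):
    """Query the employee list with a parameterized IN clause: the SQL text
    contains only '?' placeholders, so user input is never spliced into it."""
    ids = parse_department_ids(raw_department_ids)
    placeholders = ",".join("?" for _ in ids)
    sql = f"SELECT id, name FROM user WHERE department_id IN ({placeholders}) ORDER BY id"
    return conn.execute(sql, ids).fetchall()
```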
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct remote unauthenticated exploitation of a public-facing web app endpoint via SQL injection (CWE-89).
NVD Description
CordysCRM 1.4.1 is vulnerable to SQL Injection in the employee list query interface (/user/list) via the departmentIds parameter.
Deeper analysis
CVE-2025-70981 is a SQL injection vulnerability (CWE-89) in CordysCRM version 1.4.1, affecting the employee list query interface at the /user/list endpoint via the departmentIds parameter. Published on 2026-02-12, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its potential for severe impact.
Unauthenticated attackers with network access can exploit this vulnerability remotely with low complexity and no user interaction. Exploitation enables high-impact compromise of confidentiality, integrity, and availability, allowing arbitrary SQL query execution to extract sensitive data, modify records, or disrupt services.
Mitigation guidance is available in the referenced advisory at https://github.com/Tomikun2/SQL-Injection-in-CordysCRM/blob/main/README.md.
Details
- CWE(s)