CVE-2025-7212
Published: 09 July 2025
Summary
CVE-2025-7212 is an Injection (CWE-74) vulnerability in the Angeljudesuarez / itsourcecode Insurance Management System. The base score shown in this summary is 2.1 (Low); that figure conflicts with the CVSS v3.1 vector published for the CVE (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), which computes to 6.3 (Medium). The vector-backed score is the one to use when prioritizing.
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 41.7th percentile by exploit likelihood (below the median), is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, and has a publicly referenced proof-of-concept.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).
Deeper analysis
CVE-2025-7212 is a SQL injection vulnerability in the itsourcecode Insurance Management System (also attributed to Angeljudesuarez) up to version 1.0. The flaw is in /insertAgent.php: the agent_id request parameter is incorporated into a SQL statement without sanitization, so a crafted value is interpreted as SQL rather than as data. VulDB labels the issue "critical" on its own rating scale; the CVSS v3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L computes to a base score of 6.3 (Medium). The weakness is classified as CWE-89 (SQL Injection), the specific form of the general CWE-74 injection class.
The vulnerability is exploitable remotely by an authenticated attacker holding low privileges (PR:L), with low attack complexity and no user interaction. Successful exploitation has Low impact on each of confidentiality, integrity and availability: the injected SQL runs with the application's database account, so it can read, modify or disrupt data in the application database beyond what the agent-insert function is meant to touch.
The issue is documented in VulDB (entries ctiid.315161, id.315161 and submit.607909), and a GitHub issue (wishoper/CVE/issues/3) publishes the exploit. The vendor site (itsourcecode.com) is listed as a reference, but no patch or vendor mitigation guidance appears in the referenced material.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-20780
Vulnerability details
A vulnerability was found in itsourcecode Insurance Management System up to 1.0. It has been rated as critical. This issue affects some unknown processing of the file /insertAgent.php. The manipulation of the argument agent_id leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
- CWE(s): CWE-74 (Injection), CWE-89 (SQL Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
Why these techniques?
SQL injection in a public-facing PHP web application (/insertAgent.php) is reachable directly over the network and gives an attacker an initial-access foothold in the application's database, which is exactly the behaviour T1190 describes.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation and sanitization of untrusted input such as the agent_id parameter before it reaches SQL statements in insertAgent.php. In practice this means accepting only the form an agent_id can legitimately take (for example a bounded positive integer) and passing it to the database as a bound parameter rather than as part of the SQL text.
- AC-6 (Least Privilege): limits the database privileges available to the low-privileged account used in the attack, reducing the scope of data exposure or modification possible via the injected SQL. The application's database account should hold only the INSERT/SELECT rights the agent workflow needs, not broad access to every table.
- Database and application monitoring (control identifier not given on this page): enables alerting on anomalous database queries or error patterns that would indicate attempted SQL injection against insertAgent.php, for example non-numeric agent_id values or SQL syntax errors in the application log.
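As an added illustration (not code from this page, from itsourcecode, or from the disclosing GitHub issue), the block below reconstructs the flawed pattern described in the deeper analysis (an unsanitized agent_id concatenated into an INSERT) beside the SI-10 fix described under Mitigating Controls: reject anything that is not a bounded positive integer, then bind the value as a query parameter. SQLite stands in for the application's real database; the table names, the admin.secret column, the function names and the attacker payload are all constructed for the demo and are assumptions, not details of the real application.

```python
"""
Constructed demo of CWE-89 via an INSERT statement and its hardened form.
Not the itsourcecode / Angeljudesuarez project's code; schema and payload are
made up for illustration.
"""
import re
import sqlite3

# Constructed schema: a table the low-privileged agent account is meant to
# write to, and a table holding data that should be out of its reach.
SCHEMA = """
CREATE TABLE agents (agent_id INTEGER, name TEXT);
CREATE TABLE admin (username TEXT, secret TEXT);
INSERT INTO admin VALUES ('admin', 'top-secret-hash');
"""

# Constructed attacker value for agent_id: a subquery that, if it is pasted
# into the SQL text, copies admin.secret into a row the attacker can read.
PAYLOAD = "(SELECT secret FROM admin)"


def fresh_db():
    """Return an in-memory database populated with the constructed schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def insert_agent_vulnerable(conn, agent_id, name):
    """Hypothetical reconstruction of the flawed pattern (CWE-89 under CWE-74):
    the request parameter is concatenated straight into the statement."""
    sql = f"INSERT INTO agents (agent_id, name) VALUES ({agent_id}, '{name}')"
    conn.execute(sql)
    conn.commit()


def insert_agent_param_only(conn, agent_id, name):
    """Parameterization alone already defeats the injection: the payload is
    stored as an inert string instead of being executed as a subquery."""
    conn.execute("INSERT INTO agents (agent_id, name) VALUES (?, ?)",
                 (agent_id, name))
    conn.commit()


# SI-10: an agent_id is a positive integer of bounded length, nothing else.
AGENT_ID_RE = re.compile(r"^[1-9][0-9]{0,9}$")


def validate_agent_id(value):
    """Accept only a string of 1-10 digits with no leading zero; raise
    ValueError for anything else before it gets anywhere near SQL."""
    if not isinstance(value, str) or not AGENT_ID_RE.fullmatch(value):
        raise ValueError("invalid agent_id")
    return int(value)


def insert_agent_fixed(conn, agent_id, name):
    """Validation (SI-10) plus a bound parameter: defense in depth."""
    aid = validate_agent_id(agent_id)
    conn.execute("INSERT INTO agents (agent_id, name) VALUES (?, ?)",
                 (aid, name))
    conn.commit()


def agents(conn):
    """Rows of the agents table in insertion order."""
    return conn.execute(
        "SELECT agent_id, name FROM agents ORDER BY rowid").fetchall()


def demo():
    """Run the payload through all three variants and return what each stored."""
    vuln = fresh_db()
    insert_agent_vulnerable(vuln, PAYLOAD, "mallory")   # leaks admin.secret

    param = fresh_db()
    insert_agent_param_only(param, PAYLOAD, "mallory")  # stores literal text

    fixed = fresh_db()
    try:
        insert_agent_fixed(fixed, PAYLOAD, "mallory")   # rejected outright
        rejected = False
    except ValueError:
        rejected = True
    insert_agent_fixed(fixed, "42", "alice")            # legitimate request

    return {
        "vulnerable": agents(vuln),   # [('top-secret-hash', 'mallory')]
        "param_only": agents(param),  # [('(SELECT secret FROM admin)', 'mallory')]
        "rejected": rejected,         # True
        "fixed": agents(fixed),       # [(42, 'alice')]
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

The same two layers translate directly to the PHP the affected file is written in: in PDO, `prepare()` with `bindValue(':agent_id', $id, PDO::PARAM_INT)` (or mysqli prepared statements with `bind_param`), after an `is_numeric`/`ctype_digit` style check on the raw parameter. For AC-6, the MySQL account the application connects with should be granted only the INSERT and SELECT rights on the agent tables that the workflow needs, so that an injected subquery such as the one above has nothing sensitive to reach.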