CVE-2025-7918
Published: 21 July 2025
Summary
CVE-2025-7918 is a critical-severity SQL Injection (CWE-89) vulnerability in the WinMatrix3 Web package developed by Simopro Technology. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 35.7% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-7918 is a SQL injection vulnerability (CWE-89) affecting the WinMatrix3 Web package developed by Simopro Technology. Published on 2025-07-21T06:15:29.160, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), classifying it as critical due to its potential for severe impact.
Unauthenticated remote attackers can exploit this vulnerability over the network with low attack complexity and no privileges or user interaction required. Exploitation allows injection of arbitrary SQL commands, enabling attackers to read, modify, and delete database contents, compromising confidentiality, integrity, and availability.
Mitigation details are available in advisories from TWCERT/CC, including https://www.twcert.org.tw/en/cp-139-10264-6c4b7-2.html and https://www.twcert.org.tw/tw/cp-132-10259-b4b38-1.html. Security practitioners should consult these for patching or workaround guidance.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-22061
Vulnerability details
WinMatrix3 Web package developed by Simopro Technology has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents.
- CWE(s): CWE-89 (SQL Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
Why these techniques?
Direct unauthenticated remote exploitation of a SQL injection flaw in a public-facing web application (WinMatrix3 Web), matching T1190 for initial access and arbitrary database manipulation.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly remediates the SQL injection flaw in the WinMatrix3 Web package by identifying, reporting, and correcting vulnerabilities like CVE-2025-7918 through patching.
- SI-10 (Information Input Validation): enforces input validation at web application entry points to block arbitrary SQL command injection by unauthenticated attackers.
- RA-5 (Vulnerability Monitoring and Scanning): scans for vulnerabilities such as this unauthenticated SQL injection in the WinMatrix3 Web package to identify and prioritize remediation.
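The following is an added example, not code from the advisory, from Simopro Technology, or from WinMatrix3; it illustrates the CWE-89 defect class named above and the SI-10 control beside it. It builds a throwaway in-memory SQLite table with constructed rows, shows a lookup that concatenates untrusted input into SQL text (the pattern behind CWE-89), and contrasts it with a parameterized query plus an allowlist validator. The table name, column names, sample rows, and the regular expression are all assumptions made for the demonstration.

```python
import re
import sqlite3

# Constructed sample schema and rows for the demonstration (not from the advisory).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, username: str) -> list:
    # CWE-89 pattern: untrusted input is spliced into the SQL text, so the
    # database parses attacker-supplied characters as part of the statement.
    query = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    # Parameterized query: the driver passes the value out of band, so it can
    # only ever match a username and never alters the statement's structure.
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


# Allowlist for the username field (assumed format: 1-32 word characters).
# This is the SI-10 style check applied at the application entry point.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def is_valid_username(username: str) -> bool:
    return USERNAME_RE.fullmatch(username) is not None


def lookup_validated(conn: sqlite3.Connection, username: str) -> list:
    # Defence in depth: reject malformed input first, then query with parameters.
    if not is_valid_username(username):
        raise ValueError("username rejected by input validation")
    return lookup_safe(conn, username)


def run_demo() -> dict:
    conn = make_db()
    # Constructed probe string that turns the WHERE clause into a tautology when
    # concatenated; with parameters it is just a username that matches nothing.
    probe = "x' OR '1'='1"
    return {
        "unsafe_rows": len(lookup_unsafe(conn, probe)),   # whole table leaks
        "safe_rows": len(lookup_safe(conn, probe)),       # no match
        "probe_passes_validation": is_valid_username(probe),
        "normal_lookup": lookup_validated(conn, "alice"),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The unsafe variant returns every row for the probe string because the quote character closes the literal and the remainder is parsed as SQL; the parameterized variant returns nothing because the same bytes are bound as a value. Parameterization is the primary fix for CWE-89; the allowlist check adds an independent layer at the entry point, which is what SI-10 asks for.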