Cyber Resilience

CVE-2025-7918
Severity: Critical
Published: 21 July 2025
Modified: 15 April 2026
CISA KEV: not listed
CVSS v4.0 score: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)
EPSS score: 0.0046 (64.3rd percentile)
Risk priority: 19 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-7918 is a critical-severity SQL Injection (CWE-89) vulnerability in the WinMatrix3 Web package developed by Simopro Technology (the affected product is inferred from the references and description, as NVD filed no CPE for this CVE). Its CVSS v4.0 base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 35.7% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-7918 is a SQL injection vulnerability (CWE-89) affecting the WinMatrix3 Web package developed by Simopro Technology. Published on 2025-07-21T06:15:29.160, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), classifying it as critical due to its potential for severe impact.

Unauthenticated remote attackers can exploit this vulnerability over the network with low attack complexity and no privileges or user interaction required. Exploitation allows injection of arbitrary SQL commands, enabling attackers to read, modify, and delete database contents, compromising confidentiality, integrity, and availability.

Mitigation details are available in advisories from TWCERT/CC, including https://www.twcert.org.tw/en/cp-139-10264-6c4b7-2.html and https://www.twcert.org.tw/tw/cp-132-10259-b4b38-1.html. Security practitioners should consult these for patching or workaround guidance.

Vulnerability details

WinMatrix3 Web package developed by Simopro Technology has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents.

CWE(s): CWE-89 (SQL Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

Direct unauthenticated remote exploitation of a SQL injection flaw in a public-facing web application (WinMatrix3 Web), matching T1190 for initial access and arbitrary database manipulation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-39334 (shared CWE-89)
CVE-2024-13488 (shared CWE-89)
CVE-2026-20002 (shared CWE-89)
CVE-2025-1446 (shared CWE-89)
CVE-2025-22699 (shared CWE-89)
CVE-2026-36232 (shared CWE-89)
CVE-2026-31871 (shared CWE-89)
CVE-2026-33078 (shared CWE-89)
CVE-2026-46359 (shared CWE-89)
CVE-2025-22691 (shared CWE-89)

Affected Assets

Org (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5, AI-mapped)

Prevent: Directly remediates the SQL injection flaw in the WinMatrix3 Web package by identifying, reporting, and correcting vulnerabilities like CVE-2025-7918 through patching.

Prevent (SI-10 Information Input Validation): Enforces input validation at web application entry points to block arbitrary SQL command injection by unauthenticated attackers.

Detect (RA-5 Vulnerability Monitoring and Scanning): Scans for vulnerabilities such as this unauthenticated SQL injection in the WinMatrix3 Web package to identify and prioritize remediation.