A SQL injection vulnerability in timeoutWarning.asp in Advantive VeraCore through 2025.1.0 allows remote attackers to execute arbitrary SQL commands via the PmSess1 parameter.
Published 2025-02-03 00:00:00
Updated 2025-03-13 14:31:11
Source MITRE
Vulnerability category: SQL Injection

Products affected by CVE-2025-25181

CVE-2025-25181 is in the CISA Known Exploited Vulnerabilities Catalog

CISA vulnerability name:
Advantive VeraCore SQL Injection Vulnerability
CISA required action:
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
CISA description:
Advantive VeraCore contains a SQL injection vulnerability in timeoutWarning.asp that allows a remote attacker to execute arbitrary SQL commands via the PmSess1 parameter.
Notes:
https://advantive.my.site.com/support/s/article/Veracore-Release-Notes-2025-1-1-3 ; https://nvd.nist.gov/vuln/detail/CVE-2025-25181
Added on: 2025-03-10
Action due date: 2025-03-31

Exploit prediction scoring system (EPSS) score for CVE-2025-25181

20.97%: probability of exploitation activity in the next 30 days
~95%: percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2025-25181

| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
| 5.8 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N | 3.9 | 1.4 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 2025-02-04 |
| 5.8 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N | N/A | N/A | MITRE | 2025-02-03 |
| 5.8 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N | 3.9 | 1.4 | MITRE | 2025-02-03 |
| 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 | NIST | 2025-03-13 |

CWE ids for CVE-2025-25181

  • The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
    Assigned by:
    • 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)
    • 8254265b-2729-46b6-b9e3-3dfca2d5bfca (Primary)
    • cve@mitre.org (Secondary)
    • nvd@nist.gov (Primary)

References for CVE-2025-25181
