CVE-2025-25181
Vexday Risk Score: 55 (Attention)
SSVC decision (CISA): Act
Exploitation + impact → act immediately
CVSS 5.8 · EPSS 50.4% · KEV yes · PoC — · Nuclei — · Metasploit — · Patch —
Lifecycle
03 Feb 2025: Published on NVD
10 Mar 2025: Active exploitation (CISA KEV)
Recommendation: Patch as soon as possible — active exploitation confirmed.
In short
A flaw in VeraCore's timeoutWarning.asp page lets attackers insert malicious SQL commands through the PmSess1 parameter, potentially accessing or modifying sensitive database information.
Technical detail
A SQL injection vulnerability in the PmSess1 parameter of timeoutWarning.asp allows unauthenticated remote attackers to execute arbitrary SQL queries against the backend database. The vulnerability stems from insufficient input validation on user-supplied parameters, enabling data exfiltration, modification, or deletion depending on database permissions.
Summary generated and translated by AI from the official description.
A SQL injection vulnerability in timeoutWarning.asp in Advantive VeraCore through 2025.1.0 allows remote attackers to execute arbitrary SQL commands via the PmSess1 parameter.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
Affected products
Advantive · VeraCore
References
https://advantive.my.site.com/support/s/knowledge
https://intezer.com/blog/research/xe-group-exploiting-zero-days/
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-25181
https://www.solissecurity.com/en-us/insights/xe-group-from-credit-card-skimming-to-exploiting-zero-days/