CVE-2025-1185 in PiHomeinfo

Summary

by MITRE • 02/12/2025

A vulnerability was found in pihome-shc PiHome 2.0. It has been classified as critical. This affects an unknown part of the file /ajax.php?Ajax=GetModal_Sensor_Graph. The manipulation leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 10/17/2025

The vulnerability identified as CVE-2025-1185 represents a critical sql injection flaw in the pihome-shc PiHome 2.0 system, specifically within the /ajax.php?Ajax=GetModal_Sensor_Graph endpoint. This critical classification stems from the severity of potential impacts and the ease with which remote exploitation can occur. The vulnerability resides in the handling of user-supplied input within the ajax.php script, where the GetModal_Sensor_Graph parameter fails to properly sanitize or validate incoming data before incorporating it into sql queries. This fundamental flaw in input validation creates an exploitable condition that allows attackers to manipulate the underlying database queries through crafted malicious input.

The technical execution of this vulnerability follows standard sql injection attack patterns where an attacker can inject malicious sql code through the vulnerable parameter. The attack vector is remote, meaning no local access or authentication is required to exploit the flaw, making it particularly dangerous for systems exposed to untrusted networks. The disclosed exploit demonstrates that attackers can leverage this vulnerability to execute arbitrary sql commands against the database, potentially leading to complete database compromise, data exfiltration, or unauthorized access to sensitive information stored within the pihome system. This vulnerability directly maps to CWE-89 sql injection, which is categorized under the CWE top 25 most dangerous software weaknesses, and aligns with ATT&CK technique T1190 for exploitation of remote services.

The operational impact of this vulnerability extends beyond simple data theft, as it can enable attackers to gain persistent access to the system infrastructure. Given that PiHome systems are commonly used for home automation and monitoring, compromised systems could allow attackers to manipulate environmental controls, access security data, or use the compromised system as a foothold for further network exploration. The remote exploitability means that attackers can target vulnerable systems from anywhere on the internet, potentially affecting numerous home automation installations. Organizations and individuals using PiHome 2.0 systems should immediately implement mitigation strategies including input validation, parameterized queries, and network segmentation to prevent unauthorized access. The public disclosure of the exploit increases the likelihood of widespread exploitation, making prompt remediation essential. Additionally, network monitoring should be enhanced to detect anomalous sql query patterns that may indicate exploitation attempts.

Responsible

VulDB

Disclosure

02/12/2025

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.00577

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!