CVE-2025-25992 in wmsinfo

Summary

by MITRE • 02/14/2025

SQL Injection vulnerability in FeMiner wms 1.0 allows a remote attacker to obtain sensitive information via the inquire_inout_item.php component.


Analysis

by VulDB Data Team • 05/30/2025

CVE-2025-25992 is a SQL injection vulnerability in FeMiner wms version 1.0, a critical security flaw that enables remote attackers to extract sensitive data from the underlying database. The vulnerability resides in the inquire_inout_item.php component, which processes user input without proper sanitization or validation. Attackers can inject arbitrary SQL commands through input parameters, potentially gaining unauthorized access to confidential information stored in the application's database. Such vulnerabilities fall under CWE-89, which covers SQL injection flaws where untrusted data is incorporated into SQL queries without proper escaping or parameterization.

The vulnerability arises when the application fails to validate or escape user-supplied input before incorporating it into database queries. Attackers can exploit this weakness by crafting malicious input strings that manipulate the SQL query execution flow, potentially bypassing authentication mechanisms, extracting sensitive data, or even modifying database contents. The inquire_inout_item.php component likely accepts parameters related to inventory inquiries or item tracking, making it a prime target for attackers seeking to access warehouse management data. This type of vulnerability aligns with ATT&CK technique T1071.005, which covers application layer protocol manipulation, and represents a common vector for data exfiltration and privilege escalation attacks.

The operational impact extends beyond simple data theft: the flaw can give attackers deeper insight into the organization's warehouse management systems, potentially exposing inventory levels, supplier information, customer data, and operational procedures. Because exploitation is remote, attackers do not require physical access to the network or system, which makes the attack surface significantly larger and the risk more pronounced. Organizations using FeMiner wms 1.0 are particularly vulnerable, as this is a known weakness in the application's input handling that could be leveraged for extended reconnaissance or more sophisticated attacks. The vulnerability's remote classification and its potential for data exposure place it in the high-risk category of security flaws that require immediate attention and remediation.

Mitigation for CVE-2025-25992 should focus on proper input validation and parameterized queries throughout the application codebase, particularly in the inquire_inout_item.php component. Organizations should immediately update to the latest version of FeMiner wms if available, or implement proper input sanitization to prevent SQL injection attacks. Database access controls should be reviewed and strengthened to limit the impact of a successful exploitation attempt. Security teams should also implement comprehensive monitoring and logging of database activity to detect exploitation attempts. Regular security assessments and code reviews should be conducted to identify similar vulnerabilities across the entire application stack, with particular attention to areas that handle user input and database interactions. Web application firewalls and input validation controls can provide additional layers of defense, and secure coding practices and the principles outlined in the OWASP Top Ten should be followed throughout the development lifecycle.
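One way to apply the validation, parameterized-query and logging advice above in a PHP handler, as an added example that is not FeMiner wms code. The `inout_item` table, its columns and the `item_id` parameter are hypothetical, and an in-memory SQLite database stands in for the application's real database.

```php
<?php
declare(strict_types=1);

// Added illustration, not FeMiner wms source. The table, columns and the
// item_id parameter are hypothetical; SQLite in memory replaces the real DB.
function open_demo_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE inout_item (id INTEGER PRIMARY KEY, item_id INTEGER, qty INTEGER)');
    // Constructed sample rows.
    $pdo->exec('INSERT INTO inout_item (item_id, qty) VALUES (7, 40), (7, -5), (9, 12)');
    return $pdo;
}

/**
 * Returns the rows for one item, or null when the input is not a positive integer.
 */
function inquire_inout_item(PDO $pdo, mixed $rawItemId): ?array
{
    // 1. Validate: accept only the expected type and range, reject everything else.
    $itemId = filter_var($rawItemId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($itemId === false) {
        // 2. Log the rejection for monitoring; json_encode escapes quotes and
        //    control characters so the value cannot forge extra log lines.
        error_log('inquire_inout_item: rejected item_id ' . json_encode($rawItemId));
        return null;
    }

    // 3. Parameterize: the SQL text is fixed and the value travels separately
    //    as a bound integer, so it is never parsed as SQL.
    $stmt = $pdo->prepare('SELECT id, item_id, qty FROM inout_item WHERE item_id = :item_id');
    $stmt->bindValue(':item_id', $itemId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = open_demo_db();
// Constructed inputs: two well-formed ids, then malformed values that the
// validation step must reject before any query is built.
foreach (['7', '9', '7 OR 1=1', "7'--", ''] as $input) {
    $rows = inquire_inout_item($pdo, $input);
    printf("%-12s => %s\n", json_encode($input), $rows === null ? 'rejected' : count($rows) . ' row(s)');
}
```

The rejection log line gives the monitoring described above something concrete to alert on, since repeated malformed `item_id` values from one client are a signal worth reviewing.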

Responsible: MITRE
Reservation: 02/07/2025
Disclosure: 02/14/2025
Moderation: accepted
CPE: ready
EPSS: 0.00251
KEV: no
Activities: very low
