CVE-2025-9601
BaseFortify
Publication date: 2025-08-29
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| admerc | apartment_management_system | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-9601 is a critical SQL injection vulnerability in itsourcecode Apartment Management System version 1.0, specifically in the file /setting/employee_salary_setup.php. It occurs due to improper validation of the user-supplied input parameter 'ddlEmpName', allowing attackers to inject malicious SQL queries. This enables unauthorized access to the database, potentially leading to data modification, deletion, or exposure of sensitive information. The vulnerability can be exploited remotely without authentication, and a public exploit exists. [1, 2]
How can this vulnerability impact me? :
This vulnerability can allow remote attackers to execute arbitrary SQL commands on the affected system without authentication. As a result, attackers may gain unauthorized access to sensitive data, modify or delete data, and compromise the confidentiality, integrity, and availability of the system. This can lead to data breaches, loss of data integrity, and disruption of services. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for the presence of the vulnerable file `/setting/employee_salary_setup.php` in the itsourcecode Apartment Management System 1.0. Additionally, Google dorking can be used with the query `inurl:setting/employee_salary_setup.php` to identify potentially vulnerable targets. Since the vulnerability involves SQL injection via the `ddlEmpName` parameter, testing for SQL injection using tools like sqlmap or manual injection attempts on this parameter can help detect exploitation. For example, you can use curl or wget to send crafted requests to the vulnerable URL and observe responses for SQL errors or unexpected behavior. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include replacing the affected component with an alternative product, as no known mitigations or countermeasures have been published. Additionally, restricting access to the vulnerable file `/setting/employee_salary_setup.php` by limiting network exposure or applying web application firewall (WAF) rules to block malicious input targeting the `ddlEmpName` parameter can help reduce risk. Applying input validation and sanitization on the parameter to prevent SQL injection is recommended if you have the capability to patch the code. Monitoring for exploit attempts and applying network-level protections are also advisable until a permanent fix or update is available. [2, 1]