CVE-2019-25506

HIGH

FreeSMS < 2.1.2 - Unauthenticated SQL Injection via Password Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-25506. PoCs published by Yilmaz Degirmenci.

AI-analyzed exploit summary This exploit demonstrates an authentication bypass via boolean-based blind SQL injection in FreeSMS 2.1.2. It bypasses login by injecting a crafted payload into the 'password' parameter and then changes the admin password.

Description

FreeSMS 2.1.2 contains a boolean-based blind SQL injection vulnerability in the password parameter that allows unauthenticated attackers to bypass authentication by injecting SQL code through the login endpoint. Attackers can exploit the vulnerable password parameter in requests to /pages/crc_handler.php?method=login to authenticate as any known user and subsequently modify their password via the profile update function.

Exploits (1)

exploitdb WORKING POC
by Yilmaz Degirmenci · pythonwebappsphp
https://www.exploit-db.com/exploits/46658

This exploit demonstrates an authentication bypass via boolean-based blind SQL injection in FreeSMS 2.1.2. It bypasses login by injecting a crafted payload into the 'password' parameter and then changes the admin password.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: FreeSMS v2.1.2
No auth needed
Prerequisites: known username · network access to target
devstral-2 · analyzed Mar 05, 2026 Full analysis →

References (2)

Core 2
Core References
Exploit, Third Party Advisory exploit
https://www.exploit-db.com/exploits/46658

Scores

CVSS v3 8.2
EPSS 0.0045
EPSS Percentile 36.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-89
Status published
Products (2)
Freesms/FreeSMS 2.1.2
freesms_project/freesms < 2.1.2
Published Mar 04, 2026
Tracked Since Mar 05, 2026