Exploitation Summary
CVE-2025-25181 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added March 10, 2025.
Description
A SQL injection vulnerability in timeoutWarning.asp in Advantive VeraCore through 2025.1.0 allows remote attackers to execute arbitrary SQL commands via the PmSess1 parameter.
References (4)
Core References
Product, Release Notes: https://advantive.my.site.com/support/s/knowledge
Exploit, Technical Description, Third Party Advisory: https://intezer.com/blog/research/xe-group-exploiting-zero-days/
Exploit, Technical Description, Third Party Advisory: https://www.solissecurity.com/en-us/insights/xe-group-from-credit-card-skimming-to-exploiting-zero-days/
US Government Resource: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-25181
Scores
CVSS v3: 5.8
EPSS: 0.7205
EPSS Percentile: 98.8%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
CISA SSVC (Vulnrichment)
Exploitation: active
Automatable: yes
Technical Impact: total
Details
CISA KEV: 2025-03-10
VulnCheck KEV: 2025-02-03
ENISA EUVD: EUVD-2025-4072
CWE: CWE-89
Status: published
Products (1)
advantive/veracore < 2025.1.1.3
Published: Feb 03, 2025
KEV Added: Mar 10, 2025
Tracked Since: Feb 18, 2026