Is there a public PoC exploit available for CVE-2025-14899?

Yes, a public proof-of-concept exploit is available for CVE-2025-14899. Prioritise patching immediately. EPSS: 0.0%.

CodeAstro Real Estate Management System CVE-2025-14899

Q: What is the CVSS score of CVE-2025-14899?

CVE-2025-14899 has a CVSS 4.0 base score of 2.0 (Low). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

LOW

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)

2025-12-19 cna@vuldb.com

PHP SQLi Real Estate Management System

2.0

CVSS 4.0

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Lifecycle Timeline

Analysis Generated

Apr 29, 2026 - 01:38 vuln.today

DescriptionNVD

A weakness has been identified in CodeAstro Real Estate Management System 1.0. This impacts an unknown function of the file /admin/stateadd.php of the component Administrator Endpoint. This manipulation causes sql injection. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks.

AnalysisAI

SQL injection in CodeAstro Real Estate Management System 1.0 allows high-privilege administrators to inject malicious SQL via the /admin/stateadd.php endpoint, potentially compromising database integrity and confidentiality. The vulnerability requires administrative privileges to exploit and has a low CVSS score (2.0) due to restricted scope and limited impact, but publicly available exploit code exists. Real-world risk is minimal given the high privilege barrier (PR:H), though organizations running this system should prioritize patching to prevent insider threats.

Technical ContextAI

The vulnerability exists in the /admin/stateadd.php component, which is part of the Administrator Endpoint functionality in CodeAstro's PHP-based real estate management platform. The root cause is classified as CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component), indicating that user-supplied input is not properly sanitized before being passed to SQL queries. The attack vector is network-accessible (AV:N), meaning an attacker with admin credentials can remotely submit malicious SQL payloads through the HTTP interface. The affected product is identified by CPE a:codeastro:real_estate_management_system:1.0, limiting exposure to version 1.0 specifically.

RemediationAI

Upgrade CodeAstro Real Estate Management System to a patched version provided by the vendor; consult the official CodeAstro website (https://codeastro.com/) for available updates, as no specific patched version is documented in the CVE references. If no patch is available from the vendor, implement compensating controls: enforce parameterized queries or prepared statements in /admin/stateadd.php by code review or Web Application Firewall (WAF) rules to block SQL metacharacters in the affected endpoint; restrict administrative console access to a whitelist of internal IP addresses only, reducing the network attack surface; implement database-level least privilege by creating a dedicated admin database account with INSERT/UPDATE permissions only on the intended 'state' table, preventing attackers from dropping tables or accessing unrelated data. Each control reduces exploitability but does not eliminate the underlying flaw: IP whitelisting increases operational overhead and may hinder legitimate remote admin access; WAF rules may produce false positives; database privilege separation does not prevent data theft within authorized tables.

CVE-2025-14899 vulnerability details – vuln.today

Back