Skip to main content

Dm Corporative Cms CVE-2025-40654

| EUVDEUVD-2025-17655 CRITICAL
SQL Injection (CWE-89)
2025-06-10 cve-coordination@incibe.es
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 05:55 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
2025.01
EUVD ID Assigned
Mar 14, 2026 - 19:49 euvd
EUVD-2025-17655
Analysis Generated
Mar 14, 2026 - 19:49 vuln.today
CVE Published
Jun 10, 2025 - 10:15 nvd
CRITICAL 9.8

DescriptionCVE.org

A SQL injection vulnerability has been found in DM Corporative CMS. This vulnerability allows an attacker to retrieve, create, update and delete databases through the name and cod parameters in /antbuspre.asp.

AnalysisAI

A critical SQL injection vulnerability (CVE-2025-40654) exists in DM Corporative CMS affecting the /antbuspre.asp endpoint, where the 'name' and 'cod' parameters are not properly sanitized. This unauthenticated, network-accessible vulnerability allows remote attackers to execute arbitrary SQL commands, enabling complete database compromise including data exfiltration, modification, and destruction. With a CVSS 9.8 score and network-exploitable attack surface, this represents a critical production risk if DM Corporative CMS is internet-facing.

Technical ContextAI

The vulnerability is a classic SQL injection flaw (CWE-89: Improper Neutralization of Special Elements used in an SQL Command) in Active Server Pages (ASP) technology, specifically in the /antbuspre.asp endpoint of DM Corporative CMS. The root cause is insufficient input validation and parameterization of the 'name' and 'cod' parameters before they are incorporated into SQL queries. Legacy ASP applications frequently suffer from this vulnerability class when string concatenation is used instead of parameterized queries or prepared statements. The affected technology stack likely involves Microsoft IIS hosting ASP pages with backend database connectivity (typically SQL Server, MySQL, or similar RDBMS). Without proper stored procedure usage or parameterized query frameworks, attacker-supplied SQL syntax in these parameters flows directly to the database engine for execution.

RemediationAI

Immediate remediation steps: (1) Apply patches—contact DM Corporative or monitor vendor security advisories for patched versions (patch version numbers not provided in current data; check vendor website/security bulletin); (2) Parameterized Queries—if patches are unavailable, implement parameterized queries or prepared statements in the /antbuspre.asp code to prevent SQL injection; (3) Input Validation—whitelist and validate 'name' and 'cod' parameters against expected formats, rejecting anything containing SQL metacharacters (quotes, semicolons, comments); (4) Network Segmentation—restrict network access to /antbuspre.asp to trusted IP ranges or authenticated users only; (5) WAF Rules—deploy Web Application Firewall rules to detect and block common SQL injection payloads (OWASP ModSecurity CRS rules for SQL injection detection); (6) Database Least Privilege—ensure the database user account used by the CMS has minimal required permissions (no DDL/DML on sensitive tables if possible); (7) Monitoring—implement SQL query logging and alert on suspicious patterns (UNION-based queries, time-delay payloads, etc.). Vendor advisory/patch links should be obtained directly from DM Corporative's security page.

Share

CVE-2025-40654 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy