Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionCVE.org
A SQL injection vulnerability has been found in DM Corporative CMS. This vulnerability allows an attacker to retrieve, create, update and delete databases through the name and cod parameters in /antbuspre.asp.
AnalysisAI
A critical SQL injection vulnerability (CVE-2025-40654) exists in DM Corporative CMS affecting the /antbuspre.asp endpoint, where the 'name' and 'cod' parameters are not properly sanitized. This unauthenticated, network-accessible vulnerability allows remote attackers to execute arbitrary SQL commands, enabling complete database compromise including data exfiltration, modification, and destruction. With a CVSS 9.8 score and network-exploitable attack surface, this represents a critical production risk if DM Corporative CMS is internet-facing.
Technical ContextAI
The vulnerability is a classic SQL injection flaw (CWE-89: Improper Neutralization of Special Elements used in an SQL Command) in Active Server Pages (ASP) technology, specifically in the /antbuspre.asp endpoint of DM Corporative CMS. The root cause is insufficient input validation and parameterization of the 'name' and 'cod' parameters before they are incorporated into SQL queries. Legacy ASP applications frequently suffer from this vulnerability class when string concatenation is used instead of parameterized queries or prepared statements. The affected technology stack likely involves Microsoft IIS hosting ASP pages with backend database connectivity (typically SQL Server, MySQL, or similar RDBMS). Without proper stored procedure usage or parameterized query frameworks, attacker-supplied SQL syntax in these parameters flows directly to the database engine for execution.
RemediationAI
Immediate remediation steps: (1) Apply patches—contact DM Corporative or monitor vendor security advisories for patched versions (patch version numbers not provided in current data; check vendor website/security bulletin); (2) Parameterized Queries—if patches are unavailable, implement parameterized queries or prepared statements in the /antbuspre.asp code to prevent SQL injection; (3) Input Validation—whitelist and validate 'name' and 'cod' parameters against expected formats, rejecting anything containing SQL metacharacters (quotes, semicolons, comments); (4) Network Segmentation—restrict network access to /antbuspre.asp to trusted IP ranges or authenticated users only; (5) WAF Rules—deploy Web Application Firewall rules to detect and block common SQL injection payloads (OWASP ModSecurity CRS rules for SQL injection detection); (6) Database Least Privilege—ensure the database user account used by the CMS has minimal required permissions (no DDL/DML on sensitive tables if possible); (7) Monitoring—implement SQL query logging and alert on suspicious patterns (UNION-based queries, time-delay payloads, etc.). Vendor advisory/patch links should be obtained directly from DM Corporative's security page.
More in Dm Corporative Cms
View allCritical unauthenticated SQL injection vulnerability in DM Corporative CMS affecting the /modules/forms/collectform.asp
Critical SQL injection vulnerability in DM Corporative CMS that allows unauthenticated remote attackers to execute arbit
Critical SQL injection vulnerability in DM Corporative CMS affecting the /antcatalogue.asp endpoint's 'name' parameter,
CVE-2025-40662 is an absolute path disclosure vulnerability in DM Corporative CMS that exposes sensitive filesystem info
CVE-2025-40661 is an Insecure Direct Object Reference (IDOR) vulnerability in DM Corporative CMS that allows unauthentic
CVE-2025-40660 is a security vulnerability (CVSS 7.5) that allows an attacker. High severity vulnerability requiring pro
CVE-2025-40659 is an Insecure Direct Object Reference (IDOR) vulnerability in DM Corporative CMS that allows unauthentic
CVE-2025-40658 is an Insecure Direct Object Reference (IDOR) vulnerability in DM Corporative CMS that allows unauthentic
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-17655