Skip to main content

Dm Corporative Cms CVE-2025-40657

| EUVDEUVD-2025-17652 CRITICAL
SQL Injection (CWE-89)
2025-06-10 cve-coordination@incibe.es
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 05:54 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
2025.01
EUVD ID Assigned
Mar 14, 2026 - 19:49 euvd
EUVD-2025-17652
Analysis Generated
Mar 14, 2026 - 19:49 vuln.today
CVE Published
Jun 10, 2025 - 10:15 nvd
CRITICAL 9.8

DescriptionCVE.org

A SQL injection vulnerability has been found in DM Corporative CMS. This vulnerability allows an attacker to retrieve, create, update and delete databases through the codform parameter in /modules/forms/collectform.asp.

AnalysisAI

Critical unauthenticated SQL injection vulnerability in DM Corporative CMS affecting the /modules/forms/collectform.asp endpoint via the 'codform' parameter, allowing remote attackers to execute arbitrary SQL commands without authentication. This vulnerability enables complete database compromise including data exfiltration, modification, and deletion with a CVSS score of 9.8. The exploitation likelihood depends on patch availability and active threat actor interest, though the network-accessible nature and lack of authentication requirements make this a severe priority for affected organizations.

Technical ContextAI

This vulnerability exists in DM Corporative CMS, a content management system written in Active Server Pages (ASP), specifically within the forms collection module. The root cause is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), which occurs when user-supplied input from the 'codform' parameter is directly concatenated into SQL queries without proper parameterized query preparation or input sanitization. The affected endpoint /modules/forms/collectform.asp processes form submissions and appears to accept a 'codform' identifier that is used to construct backend database queries. By injecting SQL metacharacters (such as single quotes, UNION clauses, or comment sequences) into the codform parameter, an attacker can modify the query logic to extract sensitive data, insert malicious records, update existing data, or delete database contents entirely. The ASP/classic ASP technology stack is legacy but still deployed in enterprise environments, making this a relevant threat to organizations with legacy web infrastructure.

RemediationAI

Immediate remediation steps: (1) Contact DM (vendor) for urgent security patch availability and patch timeline; (2) If patches are available, prioritize deployment to production environments within 24 hours, testing in non-production environments first; (3) Implement temporary mitigations if patches are unavailable: disable the /modules/forms/collectform.asp endpoint via web server configuration (IIS URL Rewrite rules or application firewall rules), restrict network access to this endpoint via firewall rules limiting access to trusted internal networks only, implement web application firewall (WAF) rules to detect and block SQL injection patterns in the 'codform' parameter (signature-based detection for SQL metacharacters); (4) Enable comprehensive logging and monitoring of all requests to /modules/forms/collectform.asp and review logs for evidence of exploitation attempts; (5) Conduct database access logging and monitoring to detect suspicious SQL activity; (6) Perform security code review of the collectform.asp source code to identify similar SQL injection vulnerabilities in other parameters or endpoints; (7) After patching, validate remediation by performing SQL injection testing against the endpoint.

Share

CVE-2025-40657 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy