CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description (NVD)
The WIMP website co-construction management platform from HAMASTAR Technology has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents.
Analysis (AI)
This is a critical SQL injection vulnerability in HAMASTAR Technology's WIMP website co-construction management platform that lets unauthenticated remote attackers execute arbitrary SQL commands. Attackers can exploit this flaw to read, modify, or delete entire database contents, potentially compromising sensitive project management data, user credentials, and financial information. With a CVSS score of 9.8 and no authentication required, this vulnerability presents an immediate and severe threat to all deployed instances of the WIMP platform.
Technical Context (AI)
This vulnerability is rooted in CWE-89 (SQL Injection), a weakness class in which user-supplied input is incorporated into SQL query strings without proper sanitization. The WIMP platform (a web-based construction management system from HAMASTAR Technology, per its CPE entry) fails to use parameterized queries or proper input validation on one or more endpoints, allowing attackers to inject SQL syntax directly into database queries over the network (AV:N). The injection point likely lies in request parameters used for filtering, searching, or data retrieval, operations common to project management platforms. Since no privileges are required (PR:N), the injection point is reachable by unauthenticated users, which suggests it lies in login pages, public API endpoints, or functions with insufficient access control.
Remediation (AI)
Immediate actions:
1. Contact HAMASTAR Technology for emergency security patch availability and download the latest patched version.
2. Apply patches immediately to all WIMP deployments, since the flaw is unauthenticated and remotely exploitable.
3. If patches are unavailable, implement emergency network segmentation: restrict database access to trusted networks only and disable public-facing endpoints if operationally feasible.

Short-term mitigations:
1. Deploy Web Application Firewall (WAF) rules to detect and block common SQL injection patterns (e.g., UNION, SELECT, DROP, --) on the identified vulnerable endpoints.
2. Enable database query logging and implement real-time alerting for suspicious SQL commands.
3. Review database access logs for signs of exploitation.
4. Add authentication controls to previously unauthenticated endpoints where functionality permits.

Long-term:
1. Mandate parameterized queries/prepared statements for all database interactions in the codebase.
2. Conduct a security code review of all user-input handling.
3. Implement allow-list input validation.
4. Keep Web Application Firewall protection in place permanently.

Vendor advisory: Refer to HAMASTAR Technology's official security bulletin for precise patch versions and download links (vendor contact details should be sought via the CVE official record or vendor website).
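The short-term log review and alerting steps above, as an added example that is not part of this advisory or of the WIMP product: a scanner that decodes the query parameters in web-server access log lines, flags the indicator patterns the WAF guidance names, and lists source addresses that exceed an alert threshold. The sample log lines and the /project/search and /project/list paths are constructed for the example, not taken from the platform.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Indicator patterns from the WAF guidance (UNION/SELECT, DROP, comment sequences)
# plus quote tautologies and stacked queries, applied to each decoded parameter value.
SQLI_PATTERNS = [
    ("union_select", re.compile(r"\bunion\b[\s/*]+(?:all[\s/*]+)?select\b", re.I)),
    ("drop_statement", re.compile(r"\bdrop\s+(?:table|database)\b", re.I)),
    ("comment_sequence", re.compile(r"--|/\*")),
    ("quoted_tautology", re.compile(r"'\s*or\s+'?\w+'?\s*=\s*'?\w+", re.I)),
    ("stacked_query", re.compile(r";\s*(?:select|insert|update|delete|drop)\b", re.I)),
]

# Combined-format request line (Apache/nginx); only the fields we need are named.
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample lines; the paths and addresses are hypothetical.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jun/2025:08:01:12 +0000] "GET /project/search?keyword=bridge&page=2 HTTP/1.1" 200 5123
203.0.113.45 - - [10/Jun/2025:08:02:30 +0000] "GET /project/search?keyword=bridge%27%20UNION%20SELECT%201%2C2--&page=1 HTTP/1.1" 200 9810
203.0.113.45 - - [10/Jun/2025:08:02:41 +0000] "GET /project/list?id=7%3B%20DROP%20TABLE%20projects HTTP/1.1" 500 312
198.51.100.7 - - [10/Jun/2025:08:03:05 +0000] "GET /project/search?keyword=O%27Brien HTTP/1.1" 200 4410
"""

def scan_access_log(lines):
    """Return one finding per request parameter whose decoded value matches an indicator."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # malformed or non-request line
        query = urlsplit(m.group("url")).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            value = unquote_plus(value)  # second decode catches %2527-style double encoding
            hits = [label for label, pat in SQLI_PATTERNS if pat.search(value)]
            if hits:
                findings.append({"ip": m.group("ip"), "param": name,
                                 "status": m.group("status"), "indicators": hits})
    return findings

def ips_to_alert(findings, threshold=2):
    """Source addresses with at least `threshold` flagged requests."""
    counts = Counter(f["ip"] for f in findings)
    return sorted(ip for ip, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    hits = scan_access_log(SAMPLE_LOG.splitlines())
    print(hits, ips_to_alert(hits))
```

The O'Brien line shows why matching runs on decoded parameter values with specific patterns rather than on any stray quote: a legitimate apostrophe produces no finding, while the two injection attempts from the same address cross the alert threshold.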
EUVD-2025-18376