
CVE-2025-6471

EUVD ID: EUVD-2025-18841 | Severity: MEDIUM
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
Published: 2025-06-22 · CNA: cna@vuldb.com
Score: 5.5 (CVSS 4.0, NVD)

Severity by source

NVD (primary): 5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD; the only scoring source for this CVE.

CVSS vector breakdown (NVD, CVSS 4.0)

Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: None
User Interaction: None
Vulnerable System Impact: Confidentiality Low, Integrity Low, Availability Low
Subsequent System Impact: None
Exploit Maturity: Proof-of-Concept (E:P)
Environmental and supplemental metrics: not defined (X)

CVSS 4.0 has no Scope metric (the 3.x notion is replaced by the Subsequent System impact metrics), and the 5.5 figure includes the threat metric E:P, so it is a CVSS-BT score rather than a pure base score.

Lifecycle Timeline (6 events, newest first)

Severity changed (NVD, Apr 29, 2026 01:11): HIGH to MEDIUM
CVSS changed (NVD, Apr 29, 2026 01:11): 7.3 (HIGH) to 5.5 (MEDIUM)
EUVD ID assigned (euvd, Mar 15, 2026 21:55): EUVD-2025-18841
Analysis generated (vuln.today, Mar 15, 2026 21:55)
PoC detected (vuln.today, Jun 27, 2025 16:56): public exploit code
CVE published (nvd, Jun 22, 2025 10:15): initial rating HIGH 7.3

Description (CVE.org)

A vulnerability classified as critical was found in code-projects Online Bidding System 1.0. Affected by this vulnerability is an unknown functionality of the file /administrator. The manipulation of the argument aduser leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

Analysis (AI-generated)

CVE-2025-6471 is a SQL injection vulnerability in code-projects Online Bidding System 1.0. The CNA description (VulDB) classes it as critical, while NVD currently scores it 5.5 (MEDIUM) on CVSS 4.0. The flaw is in the /administrator file, where the 'aduser' parameter reaches a SQL query without adequate neutralization. An unauthenticated remote attacker can supply crafted input through that parameter to alter the query, with potential for unauthorized reading, modification or deletion of database contents. Public exploit code has been disclosed; the timeline records a proof of concept, not confirmed exploitation in the wild.

Technical Context (AI-generated)

The vulnerability is a classic SQL injection flaw in the /administrator file of the Online Bidding System. It is catalogued under CWE-74, the generic injection class; the SQL-specific child is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). The advisory indicates that the 'aduser' parameter is incorporated into a SQL statement without parameterized queries or input validation, so SQL metacharacters in the parameter are interpreted as query syntax. Depending on the query the parameter feeds, this lets an attacker bypass the administrator login, extract data from the backend database, or manipulate records. The technology stack of the affected software is not stated in the advisory. The fact that an unauthenticated parameter on an administrative entry point reaches the database unneutralized suggests that other input-handling paths in the application deserve the same scrutiny.
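The following is an added example, not code from Online Bidding System or from code-projects: it reconstructs the flaw class described above in a self-contained Python/sqlite3 login routine and sets the hardened form beside it. The table name, column names, stored password, the `' OR 1=1 --` tautology payload and the allow-list policy for `aduser` are all assumptions made for the demonstration; nothing here is the product's actual code or exploit.

```python
"""Vulnerable vs. hardened admin login for an 'aduser' parameter (constructed demo)."""
import hashlib
import hmac
import re
import sqlite3


def _hash(password: str) -> str:
    # Illustrative only; a real login should use a password hash such as argon2 or bcrypt.
    return hashlib.sha256(password.encode()).hexdigest()


DUMMY_HASH = _hash("not-a-real-password")  # compared when the user does not exist
ADUSER_RE = re.compile(r"[A-Za-z0-9_]{1,32}")  # allow-list for aduser (assumed policy)


def make_db() -> sqlite3.Connection:
    """Hypothetical admin table; the real application's schema is not published."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin (aduser TEXT PRIMARY KEY, adpass_hash TEXT NOT NULL)")
    conn.execute("INSERT INTO admin VALUES (?, ?)", ("admin", _hash("correct horse")))
    conn.commit()
    return conn


def vulnerable_login(conn: sqlite3.Connection, aduser: str, adpass: str) -> bool:
    """The flaw class: aduser is spliced into the SQL text, so a quote character
    in it ends the literal and the rest is parsed as SQL. Kept only for contrast."""
    sql = (
        "SELECT aduser FROM admin WHERE aduser = '" + aduser
        + "' AND adpass_hash = '" + _hash(adpass) + "'"
    )
    return conn.execute(sql).fetchone() is not None


def validate_aduser(aduser: str) -> bool:
    """Strict allow-list: alphanumerics and underscore, 1 to 32 characters."""
    return ADUSER_RE.fullmatch(aduser) is not None


def safe_login(conn: sqlite3.Connection, aduser: str, adpass: str) -> bool:
    """Hardened form: validated input, a parameterized query, and a constant-time
    password comparison done in application code rather than inside the SQL."""
    if not validate_aduser(aduser):
        return False
    row = conn.execute(
        "SELECT adpass_hash FROM admin WHERE aduser = ?", (aduser,)
    ).fetchone()
    stored = row[0] if row is not None else DUMMY_HASH
    matches = hmac.compare_digest(stored, _hash(adpass))
    return matches and row is not None


if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1 --"  # generic tautology; not a claim about the product's exploit
    print("vulnerable:", vulnerable_login(db, payload, "anything"))  # True
    print("safe:", safe_login(db, payload, "anything"))  # False
```

The parameterized query is the actual fix; the allow-list is defence in depth and also blocks the payload before any database round trip. Comparing the hash in application code with `hmac.compare_digest` keeps the password check out of the SQL text entirely and avoids leaking whether the username exists through timing.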

Remediation (AI-generated)

Immediate actions:

1. Use parameterized queries (prepared statements) for every database interaction reachable from /administrator; this is the fix, the remaining items are compensating controls.
2. Apply strict allow-list validation to the 'aduser' parameter (for example alphanumerics only, with a length limit).
3. Add Web Application Firewall rules for SQL injection patterns on the /administrator path as a stopgap; WAF signatures can be evaded and do not replace item 1.
4. Run the application's database account with least privilege (no DDL, no access to tables the bidding front end does not need).
5. Contact code-projects for a patched release or version upgrade.
6. If no patch is available, restrict network access to /administrator to trusted IP ranges.
7. Monitor web-server and database logs for SQL injection attempts and unexpected queries against the administrative path.
8. Audit input handling across the whole application, since the same pattern is likely to recur elsewhere.

Vendor patch status: unknown. Verify with code-projects whether a fix for CVE-2025-6471 has been released and on what timeline.
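Item 7 above can be put into practice with a small log scan. The following is an added example, not tooling from the project or the vendor: it reads combined-format access log lines and flags requests to /administrator whose 'aduser' query parameter fails the allow-list, marking those that also contain SQL metacharacters. The log lines are constructed for the demonstration, and the example assumes the parameter arrives in the query string; if the real login form submits by POST, the value is not in the access log and the check has to run in the application or WAF instead.

```python
"""Flag suspicious 'aduser' values on /administrator in access logs (constructed demo)."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample: combined log format, two injection attempts and two benign requests.
SAMPLE_LOG = """\
203.0.113.5 - - [27/Jun/2025:16:56:01 +0000] "GET /administrator/?aduser=admin&adpass=secret HTTP/1.1" 200 512
203.0.113.7 - - [27/Jun/2025:16:56:09 +0000] "GET /administrator/?aduser=admin%27+OR+1%3D1+--&adpass=x HTTP/1.1" 200 9120
198.51.100.2 - - [27/Jun/2025:16:57:12 +0000] "GET /administrator/?aduser=%27+UNION+SELECT+1%2C2%2C3--+&adpass=x HTTP/1.1" 500 233
203.0.113.5 - - [27/Jun/2025:16:58:40 +0000] "GET /index.php HTTP/1.1" 200 4021
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
ADUSER_RE = re.compile(r"[A-Za-z0-9_]{1,32}")  # same allow-list policy as the application should enforce
SQLI_HINTS = re.compile(r"(--|/\*|'|\"|;|\bor\b|\bunion\b|\bselect\b)", re.IGNORECASE)


def flag_sqli(log_text: str) -> list[dict]:
    """Return one record per request whose decoded aduser value breaks the allow-list."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        parts = urlsplit(m.group("target"))
        if not parts.path.startswith("/administrator"):
            continue
        # parse_qs percent-decodes and turns '+' into spaces, so we inspect the
        # value the application would actually see.
        params = parse_qs(parts.query, keep_blank_values=True)
        for value in params.get("aduser", []):
            if ADUSER_RE.fullmatch(value):
                continue
            hits.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "aduser": value,
                "status": int(m.group("status")),
                "sql_hint": SQLI_HINTS.search(value) is not None,
            })
    return hits


if __name__ == "__main__":
    for hit in flag_sqli(SAMPLE_LOG):
        print(hit)
```

Alerting on the allow-list failure rather than only on SQL keywords keeps the check cheap and catches obfuscated payloads; the `sql_hint` flag is there to help triage, not to gate the alert. A 500 status on a flagged request is worth a closer look, since an injected query that breaks the statement often surfaces as a server error.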


CVE-2025-6471 vulnerability details – vuln.today
