Ncvav Virtual PBX CVE-2025-6918
CRITICALSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ncvav Virtual PBX Software allows SQL Injection.
This issue affects Virtual PBX Software: before 09.07.2025.
AnalysisAI
SQL injection in Ncvav Virtual PBX Software versions prior to 09.07.2025 allows remote unauthenticated attackers to manipulate backend database queries, leading to full compromise of confidentiality, integrity, and availability. The flaw was reported by Turkey's national CSIRT (USOM) and carries a critical CVSS 9.8 score, though no public exploit identified at time of analysis and no EPSS data is currently available.
Technical ContextAI
The vulnerability is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), meaning user-controlled input is concatenated or interpolated into SQL statements without proper parameterization or sanitization. Ncvav Virtual PBX Software is a commercial private branch exchange platform used for routing voice communications within organizations, and as a web-managed telephony product it typically exposes administrative and user-facing endpoints that interact with a backing relational database storing call records, extensions, credentials, and configuration. Because no CPE strings were provided in the source intelligence, the specific affected component (e.g., admin portal, REST API, or CDR query interface) is not enumerated, but the CWE root cause indicates that at least one database-backed input handler fails to use prepared statements.
Affected ProductsAI
Ncvav Virtual PBX Software in all versions released before 09.07.2025 (DD.MM.YYYY format, i.e., 9 July 2025) is affected. No CPE strings, build identifiers, or component-level breakdown were published with the advisory. The authoritative bulletins are published by Turkey's national cyber response center at https://www.usom.gov.tr/bildirim/tr-25-0180 and https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0180; no direct vendor advisory URL was supplied in the intelligence feed.
RemediationAI
Patch available per vendor advisory - upgrade Ncvav Virtual PBX Software to a build released on or after 09.07.2025, as indicated by the USOM bulletin TR-25-0180 (https://www.usom.gov.tr/bildirim/tr-25-0180 and https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0180); contact Ncvav directly for the exact fixed build identifier since no specific version string is published. Until the upgrade is applied, restrict the PBX management and API interfaces to a dedicated administrative VLAN or VPN so they are not reachable from the public internet or untrusted user segments (trade-off: remote administration over the open network will be blocked). Place a web application firewall in front of any HTTP/HTTPS endpoints with SQL injection signatures enabled in blocking mode (trade-off: legitimate queries containing reserved characters such as apostrophes in caller names may be rejected). Increase database and application logging to capture query patterns and authentication attempts so any exploitation attempt can be detected and triaged.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today