CVE-2022-25125
published 2022-03-03

CVE-2022-25125: MCMS v5.2.4 was discovered to contain a SQL injection vulnerability via search.do in the file /mdiy/dict/listExcludeApp.

Priority: P2 · 64
Severity: critical, CVSS 3.1 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 7.17% (93.5th percentile)

Affected (1 range)

Vendor: mingsoft
Product: mcms
Version range / fixed in: not given on this page

Detection & IOCs (extracted from sources)

URL: /mdiy/dict/listExcludeApp?query=1&dictType=1&orderBy=1/**/or/**/updatexml(1,concat(0x7e,md5('999999999'),0x7e),1)/**/or/**/1
Path: /mdiy/dict/listExcludeApp
Other: http.favicon.hash:1464851260 (Shodan favicon hash)
Other: icon_hash="1464851260" (FOFA icon hash)
  • Exploit uses a GET request to /mdiy/dict/listExcludeApp with a SQL injection payload in the 'orderBy' parameter using updatexml() error-based injection with comment-based space substitution (/**/).
  • Successful exploitation is confirmed by the presence of the partial MD5 hash 'c8c605999f3d8352d7bb792cf3fdb25' (md5 of '999999999') in the HTTP response body, combined with a Content-Type of 'application/json' in the response header.
  • MCMS instances can be fingerprinted via favicon hash 1464851260 on Shodan or FOFA prior to exploitation.
  • The vulnerability is unauthenticated (PR:N) and exploitable over the network (AV:N) with no user interaction required, making it trivially exploitable at scale.
  • The SQL injection payload uses comment-based space substitution (/**/) to bypass WAFs or input filters that block literal spaces in the 'orderBy' parameter; any detection logic should therefore collapse inline comments before keyword matching.
  • The detection matcher uses only the first 31 characters of the MD5 hash of '999999999' (c8c605999f3d8352d7bb792cf3fdb25), not the full 32-character hash. This is deliberate: MySQL's XPATH syntax error message, which is the channel updatexml() leaks through, shows at most 32 characters of the offending string, and the leading '~' from 0x7e takes one of them, so the final hex digit never reaches the response. The 31-character prefix is still far too specific to collide by accident, but a matcher keyed on the full hash would never fire.
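The request- and response-side detection described in the bullets above, as an added example (not code from the CVE page or the MCMS project). It assumes Combined Log Format access logs, collapses /**/ comment substitution and URL-encoding before keyword matching, and reproduces the Nuclei-style success condition (31-character MD5 prefix plus an application/json Content-Type). The log lines and response bodies are constructed for this example; the function and constant names are this example's own.

```python
"""
Added example: detection logic for the CVE-2022-25125 probe.

Part 1 scans access-log lines for requests to /mdiy/dict/listExcludeApp whose
orderBy parameter carries an error-based SQLi function call, normalising the
/**/ space substitution and URL-encoding first so the keyword regex sees real
tokens. Part 2 reproduces the success matcher from the exploit template.
"""
import hashlib
import re
from urllib.parse import parse_qs, unquote, urlsplit

TARGET_PATH = "/mdiy/dict/listExcludeApp"

# MySQL's XPATH syntax error message shows at most 32 characters of the
# offending string; the leading '~' (0x7e) consumes one, so the exploit's
# matcher compares only a 31-character prefix of md5('999999999').
MD5_PREFIX = hashlib.md5(b"999999999").hexdigest()[:31]

# Constructed sample access-log lines (Combined Log Format), not from any real host.
# Line 2 carries the same style of payload with URL-encoded comment tokens.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Mar/2022:10:01:12 +0000] "GET /mdiy/dict/listExcludeApp?query=1&dictType=1&orderBy=1/**/or/**/updatexml(1,concat(0x7e,md5('999999999'),0x7e),1)/**/or/**/1 HTTP/1.1" 200 512
203.0.113.7 - - [03/Mar/2022:10:01:13 +0000] "GET /mdiy/dict/listExcludeApp?query=1&dictType=1&orderBy=1%2F%2A%2A%2For%2F%2A%2A%2Fextractvalue(1%2Cconcat(0x7e%2Cversion())) HTTP/1.1" 200 498
198.51.100.4 - - [03/Mar/2022:10:02:00 +0000] "GET /mdiy/dict/listExcludeApp?query=1&dictType=1&orderBy=id HTTP/1.1" 200 1024
198.51.100.9 - - [03/Mar/2022:10:02:30 +0000] "GET /static/logo.png HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \d+'
)
# Error- and time-based MySQL functions commonly injected into ORDER BY clauses.
SQLI_FUNCS = re.compile(r"\b(updatexml|extractvalue|sleep|benchmark)\s*\(", re.IGNORECASE)


def normalise(value):
    """Undo one extra layer of URL-encoding and collapse /* ... */ to a space."""
    decoded = unquote(value)
    return re.sub(r"/\*.*?\*/", " ", decoded)


def is_probe(target):
    """True when a request target matches the CVE-2022-25125 exploitation pattern."""
    parts = urlsplit(target)
    if parts.path != TARGET_PATH:
        return False
    params = parse_qs(parts.query, keep_blank_values=True)  # already URL-decodes once
    return any(SQLI_FUNCS.search(normalise(raw)) for raw in params.get("orderBy", []))


def scan_log(text):
    """Return (client_ip, timestamp) for each log line that carries the probe."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_probe(m["target"]):
            hits.append((m["ip"], m["ts"]))
    return hits


def response_indicates_success(headers, body):
    """Template-style matcher: 31-char MD5 prefix in the body AND a JSON Content-Type."""
    ctype = next((v for k, v in headers.items() if k.lower() == "content-type"), "")
    return MD5_PREFIX in body and "application/json" in ctype.lower()


if __name__ == "__main__":
    for ip, ts in scan_log(SAMPLE_LOG):
        print(f"CVE-2022-25125 probe from {ip} at {ts}")
```

Running the block prints one line per matching request (the two from 203.0.113.7); the benign orderBy=id request and the static asset are ignored. On the response side the matcher is intentionally strict on both conditions, so a WAF block page that happens to echo the payload back as text/html does not count as a hit.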

CVSS provenance

NVD, CVSS v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P