cbcvebase.
CVE-2025-12463
published 2025-11-03

Priority: P263
Severity: critical, CVSS 3.1 base score 9.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.49% (38.3rd percentile)
An unauthenticated SQL Injection was discovered within the Geutebruck G-Cam E-Series Cameras through the `Group` parameter in the `/uapi-cgi/viewer/Param.cgi` script. This has been confirmed on the EFD-2130 camera running firmware version 1.12.0.19.

Affected (1 range)

Vendor       Product   Version range   Fixed in
guetebruck   g-cam     (none listed)   (none listed)

Detection & IOCs (extracted from sources)

path: /uapi-cgi/viewer/Param.cgi

snort rule (ET sid:2065636):
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Guetebruck param.cgi group Parameter SQL Injection Attempt (CVE-2025-12463)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:26; content:"/uapi-cgi/viewer/param.cgi"; fast_pattern; http.request_body; content:"group|3d|"; pcre:"/^.*?CDATA.*?(?:\x27|%27|-{2}|%2d%2d)?(?:(?:1|%31).*?(?:(?:\x3d|%3[dD]).*?(?:1|%31))|(?:S(?:HOW.+(?:C(?:UR(?:DAT|TIM)E|HARACTER.+SET)|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER|SLEEP|CONCAT|CASE))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO)|S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|(?:NULL(?:\x2c|%2[cC])){2,}|(?:\x2f|%2[fF])(?:\x2a|%2[aA]).+(?:\x2a|%2[aA]).+(?:\x2f|%2[fF])|CONCAT.+SELECT|EXTRACTVALUE|UNION.+ALL)/Ri"; reference:url,blog.blacklanternsecurity.com/p/cve-2025-12463-98-unauthenticated; reference:cve,2025-12463; classtype:attempted-admin; sid:2065636; rev:1; metadata:affected_product Guetebruck, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_11_03, cve CVE_2025_12463, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_11_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Exploit targets HTTP POST requests to the exact URI path /uapi-cgi/viewer/param.cgi (case-insensitive); URI length is exactly 26 bytes — use bsize:26 for precise matching.
  • SQL injection payload is delivered in the POST request body via the 'group' parameter (URL-encoded as 'group='); look for 'group|3d|' (i.e., 'group=') in the body.
  • Payload patterns to detect in the body include classic SQLi keywords: UNION SELECT, SLEEP, CONCAT, EXTRACTVALUE, NULL chaining, and comment sequences (/* */), as well as CDATA wrapping — all matched by the PCRE in the Snort rule.
  • Exploitation requires no authentication; any unauthenticated POST to the endpoint should be treated as suspicious and investigated.
  • Traffic is expected in plaintext (tls_state: plaintext); deploy detection at the network perimeter and internally to catch lateral exploitation.
  • Vulnerability is confirmed only on the EFD-2130 model running firmware 1.12.0.19; applicability to other G-Cam E-Series models or firmware versions is unconfirmed.
  • The Snort rule (sid:2065636) targets plaintext HTTP only; if the device is placed behind an SSL-terminating proxy or HTTPS is enabled, the rule will not fire without TLS inspection.
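The rule's per-request conditions re-expressed in Python, as an added example that is not part of this page or of the Emerging Threats rule set: the same method, URI-length, body-marker and PCRE checks are applied to constructed sample requests (the host name and parameter values are made up; the established-flow condition is not modelled).

```python
import re

TARGET_URI = "/uapi-cgi/viewer/param.cgi"   # http.uri content, bsize:26 (exactly 26 bytes)
BODY_MARKER = "group="                       # http.request_body content:"group|3d|"

# The rule's PCRE, copied verbatim. Its /R flag starts the match right after the
# "group=" content match, so it is applied to the body remainder; /i is re.IGNORECASE.
PAYLOAD_RE = re.compile(
    r"^.*?CDATA.*?(?:\x27|%27|-{2}|%2d%2d)?"
    r"(?:(?:1|%31).*?(?:(?:\x3d|%3[dD]).*?(?:1|%31))"
    r"|(?:S(?:HOW.+(?:C(?:UR(?:DAT|TIM)E|HARACTER.+SET)|(?:VARI|T)ABLES)"
    r"|ELECT.+(?:FROM|USER|SLEEP|CONCAT|CASE))|U(?:NION.+SELEC|PDATE.+SE)T"
    r"|DELETE.+FROM|INSERT.+INTO)"
    r"|S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))"
    r"|U(?:NION.+SELEC|PDATE.+SE)T|(?:NULL(?:\x2c|%2[cC])){2,}"
    r"|(?:\x2f|%2[fF])(?:\x2a|%2[aA]).+(?:\x2a|%2[aA]).+(?:\x2f|%2[fF])"
    r"|CONCAT.+SELECT|EXTRACTVALUE|UNION.+ALL)",
    re.IGNORECASE,
)

def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, uri, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    method, uri, _ = head.split("\r\n", 1)[0].split(" ", 2)
    return method, uri, body

def rule_2065636_matches(raw):
    """True when every per-request condition of the rule holds for this request."""
    method, uri, body = parse_request(raw)
    if method != "POST":                      # http.method content:"POST"
        return False
    # The page's notes treat the path as case-insensitive; the rule text itself carries
    # no nocase modifier, so confirm the behaviour on the engine you deploy.
    if len(uri) != 26 or uri.lower() != TARGET_URI:
        return False
    idx = body.find(BODY_MARKER)
    return idx >= 0 and PAYLOAD_RE.match(body[idx + len(BODY_MARKER):]) is not None

# Constructed sample requests (host and parameter values are made up, not real traffic).
HEAD = "{} {} HTTP/1.1\r\nHost: cam.example\r\n\r\n"
SAMPLES = {
    "flagged":     HEAD.format("POST", "/uapi-cgi/viewer/Param.cgi") + "group=CDATA SELECT a FROM b",
    "benign_post": HEAD.format("POST", "/uapi-cgi/viewer/Param.cgi") + "group=1&action=get",
    "benign_get":  HEAD.format("GET", "/uapi-cgi/viewer/Param.cgi"),
    "other_path":  HEAD.format("POST", "/uapi-cgi/viewer/Param.cgi2") + "group=CDATA SELECT a FROM b",
}

def scan(samples=SAMPLES):
    """Map each sample name to whether the rule would fire on it."""
    return {name: rule_2065636_matches(raw) for name, raw in samples.items()}
```

Only "flagged" fires: the benign POST lacks the CDATA marker the PCRE anchors on, the GET fails the method check, and the 27-byte path fails bsize:26.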