CVE-2025-12463
published 2025-11-03
Priority: P2 | 63 | critical | 9.8 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.49% (38.3th percentile)
An unauthenticated SQL Injection was discovered within the Geutebruck G-Cam E-Series Cameras through the `Group` parameter in the `/uapi-cgi/viewer/Param.cgi` script. This has been confirmed on the EFD-2130 camera running firmware version 1.12.0.19.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| guetebruck | g-cam | — | — |
Detection & IOCs (extracted from sources)
snort

```
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Guetebruck param.cgi group Parameter SQL Injection Attempt (CVE-2025-12463)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:26; content:"/uapi-cgi/viewer/param.cgi"; fast_pattern; http.request_body; content:"group|3d|"; pcre:"/^.*?CDATA.*?(?:\x27|%27|-{2}|%2d%2d)?(?:(?:1|%31).*?(?:(?:\x3d|%3[dD]).*?(?:1|%31))|(?:S(?:HOW.+(?:C(?:UR(?:DAT|TIM)E|HARACTER.+SET)|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER|SLEEP|CONCAT|CASE))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO)|S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|(?:NULL(?:\x2c|%2[cC])){2,}|(?:\x2f|%2[fF])(?:\x2a|%2[aA]).+(?:\x2a|%2[aA]).+(?:\x2f|%2[fF])|CONCAT.+SELECT|EXTRACTVALUE|UNION.+ALL)/Ri"; reference:url,blog.blacklanternsecurity.com/p/cve-2025-12463-98-unauthenticated; reference:cve,2025-12463; classtype:attempted-admin; sid:2065636; rev:1; metadata:affected_product Guetebruck, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_11_03, cve CVE_2025_12463, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_11_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
```

- Exploit targets HTTP POST requests to the exact URI path `/uapi-cgi/viewer/param.cgi` (case-insensitive); URI length is exactly 26 bytes, so use `bsize:26` for precise matching.
- SQL injection payload is delivered in the POST request body via the `group` parameter (URL-encoded as `group=`); look for `group|3d|` (i.e., `group=`) in the body.
- Payload patterns to detect in the body include classic SQLi keywords: UNION SELECT, SLEEP, CONCAT, EXTRACTVALUE, NULL chaining, and comment sequences (`/* */`), as well as CDATA wrapping; all are matched by the PCRE in the Snort rule.
- Exploitation requires no authentication; any unauthenticated POST to the endpoint should be treated as suspicious and investigated.
- Traffic is expected in plaintext (`tls_state: plaintext`); deploy detection at the network perimeter and internally to catch lateral exploitation.
- Vulnerability is confirmed only on the EFD-2130 model running firmware 1.12.0.19; applicability to other G-Cam E-Series models or firmware versions is unconfirmed.
- The Snort rule (sid:2065636) targets plaintext HTTP only; if the device is placed behind an SSL-terminating proxy or HTTPS is enabled, the rule will not fire without TLS inspection.
Suricata
ET WEB_SPECIFIC_APPS Guetebruck param.cgi group Parameter SQL Injection Attempt (CVE-2025-12463)
suricata · 2025-11-03 · CVSS 9.8
No public exploits indexed.
No writeups or analysis indexed.