CVE-2025-2132

4.7 MEDIUM

📋 TL;DR

This critical SQL injection vulnerability in ftcms 2.1 allows remote attackers to execute arbitrary SQL commands through the name parameter of the search component (the /admin/index.php/web/ajax_all_lists endpoint). Attackers can potentially read, modify, or delete database content. All systems running ftcms 2.1 with the vulnerable admin interface exposed are affected.

💻 Affected Systems

Products:
  • ftcms
Versions: 2.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires admin interface access; default installations are vulnerable if admin panel is accessible.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise, including data theft, data manipulation, privilege escalation, and potential remote code execution via database functions.

🟠 Likely Case

Unauthorized data access, data exfiltration, and potential administrative account takeover.

🟢 If Mitigated

Limited impact with proper input validation, parameterized queries, and network segmentation in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires admin panel access; SQL injection is straightforward once authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch available. Consider migrating to alternative CMS or implementing workarounds.

🔧 Temporary Workarounds

Input Validation Filter (platform: all)

Add input validation to sanitize the name parameter before processing. Modify /admin/index.php/web/ajax_all_lists to validate the name parameter using a regex or a whitelist.

WAF Rule Implementation (platform: all)

Deploy web application firewall rules to block SQL injection patterns. Add a WAF rule that denies requests containing SQL keywords in the name parameter.

🧯 If You Can't Patch

  • Restrict access to admin interface using IP whitelisting or VPN
  • Implement database user with minimal privileges for the application

🔍 How to Verify

Check if Vulnerable:

Test the /admin/index.php/web/ajax_all_lists endpoint with SQL injection payloads in name parameter

Check Version:

Check ftcms version in configuration files or admin panel

Verify Fix Applied:

Verify that SQL injection attempts no longer succeed and return appropriate error messages

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts to admin panel
  • Requests with SQL keywords in name parameter

Network Indicators:

  • Unusual outbound database connections
  • Traffic patterns to admin interface from unexpected sources

SIEM Query:

source="web_logs" AND uri="/admin/index.php/web/ajax_all_lists" AND param="name" AND (value CONTAINS "UNION" OR value CONTAINS "SELECT" OR value CONTAINS "OR")

Note that the keyword alternatives must be grouped in their own parentheses, otherwise the bare OR clauses widen the match to every log source. A substring match on "OR" is also noisy (it matches ordinary values such as "editor" or "order"); prefer a whole-word match where the SIEM supports it.
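The following is an added example, not part of the original advisory or of ftcms, showing the detection logic above run over constructed web-server access-log lines (the IPs, timestamps and request values are made up). It parses each line, keeps only requests to the vulnerable endpoint, extracts the decoded name parameter and flags SQL keywords using whole-word matching; a naive substring variant is included alongside to show why a bare "OR" match produces false positives.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (common log format); not taken from any real system.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2025:12:00:01 +0000] "GET /admin/index.php/web/ajax_all_lists?name=news HTTP/1.1" 200 512
10.0.0.5 - - [10/Mar/2025:12:00:02 +0000] "GET /admin/index.php/web/ajax_all_lists?name=editor HTTP/1.1" 200 512
203.0.113.9 - - [10/Mar/2025:12:00:03 +0000] "GET /admin/index.php/web/ajax_all_lists?name=a%27%20UNION%20SELECT%201 HTTP/1.1" 500 0
203.0.113.9 - - [10/Mar/2025:12:00:04 +0000] "GET /index.php?name=x%20OR%201=1 HTTP/1.1" 200 100
"""

# Endpoint named in the advisory.
VULN_PATH = "/admin/index.php/web/ajax_all_lists"

# Common log format: client ip, identity, user, [timestamp], "METHOD target PROTOCOL", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Whole-word match for the keywords the SIEM query looks for.
KEYWORD_RE = re.compile(r"\b(UNION|SELECT|OR)\b", re.IGNORECASE)


def _name_values(line):
    """Yield (match, decoded name value) pairs for requests to the vulnerable endpoint."""
    m = LOG_RE.match(line)
    if not m:
        return
    parts = urlsplit(m.group("target"))
    if parts.path != VULN_PATH:
        return
    # parse_qs percent-decodes the value, so encoded payloads are inspected in clear.
    for value in parse_qs(parts.query).get("name", []):
        yield m, value


def find_suspicious(log_text):
    """Return one record per request whose name parameter contains a SQL keyword as a whole word."""
    hits = []
    for line in log_text.splitlines():
        for m, value in _name_values(line):
            if KEYWORD_RE.search(value):
                hits.append({
                    "ip": m.group("ip"),
                    "ts": m.group("ts"),
                    "status": int(m.group("status")),
                    "name": value,
                })
    return hits


def naive_substring_hits(log_text):
    """Literal reading of the page's query (substring match); returns the flagged name values."""
    flagged = []
    for line in log_text.splitlines():
        for _, value in _name_values(line):
            if any(kw in value.upper() for kw in ("UNION", "SELECT", "OR")):
                flagged.append(value)
    return flagged


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} status={hit['status']} name={hit['name']!r}")
    print("naive substring match flags:", naive_substring_hits(SAMPLE_LOG))
```

Run against the embedded sample, the whole-word detector flags only the request carrying UNION/SELECT, while the substring variant also flags the harmless value "editor"; the request to /index.php is ignored by both because the path filter is applied before keyword matching.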
