CVE-2025-14090: Amttgroup Hibos SQL Injection Vulnerability

CVE-2025-14090 is a SQL injection flaw in Amttgroup Hibos 1.0 affecting the cardmake_down.php file, allowing remote attackers to manipulate database queries. This article covers technical details, affected versions, and mitigation.

CVE-2025-14090 Overview

CVE-2025-14090 is a SQL injection vulnerability in AMTT Hotel Broadband Operation System (HiBOS) 1.0. The flaw resides in the /manager/card/cardmake_down.php script, where the ID parameter is passed to a database query without proper sanitization. Remote attackers can manipulate the ID argument to inject arbitrary SQL statements. The exploit code has been publicly disclosed, increasing the risk of opportunistic abuse against exposed deployments. The vendor, amttgroup, was notified prior to public disclosure but did not respond. The weakness is tracked under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) and CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component).

Critical Impact

Authenticated remote attackers can inject SQL through the ID parameter of cardmake_down.php, enabling unauthorized read or modification of backend database records.

Affected Products

  • AMTT Hotel Broadband Operation System (HiBOS) 1.0
  • Vendor component: amttgroup:hibos
  • CPE: cpe:2.3:a:amttgroup:hibos:1.0:*:*:*:*:*:*:*

Discovery Timeline

  • 2025-12-05 - CVE-2025-14090 published to NVD
  • 2026-04-29 - Last updated in NVD database

Technical Details for CVE-2025-14090

Vulnerability Analysis

The vulnerability exists in the cardmake_down.php script under the /manager/card/ directory of HiBOS 1.0. The script accepts an ID parameter from the HTTP request and concatenates it directly into an SQL statement executed against the application database. Because the input is not validated, escaped, or bound through a parameterized query, an attacker can break out of the intended query context and append arbitrary SQL clauses.

Exploitation requires network access to the management interface and a valid privileged session, as indicated by the high privilege requirement in the CVSS vector. Successful injection can disclose database contents such as guest records, card credentials, and operator accounts. Depending on database privileges, attackers may also modify or delete records and escalate access within the hotel broadband management environment.

Root Cause

The root cause is the absence of input validation and prepared statements when handling the ID GET parameter inside cardmake_down.php. User-supplied data flows directly into a dynamically constructed SQL query, satisfying the conditions defined in CWE-89.
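The concatenation-versus-binding distinction described above, modelled in Python against an in-memory SQLite table. This is an added example, not HiBOS code: the card table schema, the handler names and the digits-only rule for ID are assumptions.

```python
import re
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the HiBOS card table (schema assumed, not published)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE card (id INTEGER PRIMARY KEY, card_no TEXT, pin TEXT)")
    conn.executemany("INSERT INTO card VALUES (?, ?, ?)",
                     [(1, "CARD-0001", "1234"), (2, "CARD-0002", "5678"), (3, "CARD-0003", "9012")])
    return conn

def export_card_vulnerable(conn, id_value):
    """The CWE-89 pattern: the request's ID value is spliced into the SQL text as-is."""
    sql = "SELECT card_no, pin FROM card WHERE id = " + id_value
    return conn.execute(sql).fetchall()

def parse_card_id(id_value):
    """Allow-list check: a short run of digits, or None. Rejects quotes, spaces and keywords."""
    return int(id_value) if re.fullmatch(r"[0-9]{1,10}", id_value) else None

def export_card_hardened(conn, id_value):
    """Validate first, then bind the value as a parameter so it cannot alter the query structure."""
    card_id = parse_card_id(id_value)
    if card_id is None:
        return None  # the handler should answer HTTP 400; the database is never queried
    return conn.execute("SELECT card_no, pin FROM card WHERE id = ?", (card_id,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    for payload in ("2", "1 OR 1=1", "0 UNION SELECT card_no, pin FROM card"):
        print(repr(payload), "vulnerable:", export_card_vulnerable(db, payload),
              "| hardened:", export_card_hardened(db, payload))
```

With the boolean payload the vulnerable query returns every card record, while the hardened handler rejects it before any SQL runs.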

Attack Vector

The attack is remote and conducted over HTTP against the management endpoint. An authenticated attacker submits a crafted value for the ID parameter, embedding SQL meta-characters such as ', UNION SELECT, or boolean payloads. The injected query is then executed by the backend database. Public proof-of-concept material referenced in the GitHub CVE Issue Discussion and VulDB #334480 describes the parameter and injection point in detail.

No verified exploit code is reproduced here. Refer to the linked external advisories for technical proof-of-concept details.

Detection Methods for CVE-2025-14090

Indicators of Compromise

  • HTTP requests to /manager/card/cardmake_down.php containing SQL meta-characters in the ID parameter, such as ', --, UNION, SLEEP(, or OR 1=1.
  • Web server access logs showing unusually long ID values or hex-encoded payloads.
  • Database error messages or 500-status responses correlated with requests to cardmake_down.php.
  • Unexpected outbound queries from the HiBOS database service or new administrative accounts.

Detection Strategies

  • Deploy web application firewall (WAF) rules that inspect query strings to /manager/card/cardmake_down.php for SQL injection signatures.
  • Enable verbose logging on the application and database tiers to capture parameterized query violations.
  • Correlate authenticated session activity with anomalous query patterns targeting the card management module.

Monitoring Recommendations

  • Monitor authentication logs for management accounts performing high volumes of requests to cardmake_down.php.
  • Alert on database errors referencing syntax failures originating from the HiBOS application user.
  • Track egress connections from the HiBOS host that deviate from normal operational baselines.
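The indicators of compromise and the volume-based monitoring recommendation above, turned into a log-scanning routine. This is an added example rather than anything from the advisory: the access-log lines, the 10-character ID limit and the three-request burst threshold are constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/manager/card/cardmake_down.php"
MAX_ID_LEN = 10  # assumption: legitimate card IDs are short integers
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')
SQLI_RE = re.compile(r"'|--|\bUNION\b|\bSELECT\b|\bSLEEP\s*\(|\bOR\b\s+\d+\s*=\s*\d+", re.IGNORECASE)

# Constructed Common-Log-Format lines, not real HiBOS traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Dec/2025:10:01:02 +0000] "GET /manager/card/cardmake_down.php?ID=17 HTTP/1.1" 200 812
10.0.0.9 - - [05/Dec/2025:10:02:11 +0000] "GET /manager/card/cardmake_down.php?ID=17%27%20OR%201%3D1-- HTTP/1.1" 500 311
10.0.0.9 - - [05/Dec/2025:10:02:15 +0000] "GET /manager/card/cardmake_down.php?ID=0%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 2048
10.0.0.9 - - [05/Dec/2025:10:02:20 +0000] "GET /manager/card/cardmake_down.php?ID=0x31204f522031 HTTP/1.1" 200 1900
10.0.0.7 - - [05/Dec/2025:10:03:00 +0000] "GET /manager/login.php HTTP/1.1" 200 512
"""

def classify_id(raw):
    """Return IoC tags for one URL-decoded ID value; an empty list means it looks benign."""
    if re.fullmatch(r"[0-9]{1,%d}" % MAX_ID_LEN, raw):
        return []
    tags = []
    if len(raw) > MAX_ID_LEN:
        tags.append("long-id")
    if re.fullmatch(r"0x[0-9a-fA-F]+", raw):
        tags.append("hex-encoded")
    if SQLI_RE.search(raw):
        tags.append("sqli-metachar")
    return tags or ["non-numeric"]

def scan(log_text):
    """Return (ip, status, decoded_id, tags) for every suspicious request to the endpoint."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or urlsplit(m["target"]).path != ENDPOINT:
            continue
        for raw in parse_qs(urlsplit(m["target"]).query, keep_blank_values=True).get("ID", []):
            tags = classify_id(raw)
            if m["status"] == "500":  # database error surfacing as a server error
                tags.append("db-error-response")
            if tags:
                hits.append((m["ip"], m["status"], raw, tags))
    return hits

def burst_sources(hits, threshold=3):
    """Source IPs with at least `threshold` suspicious requests (volume-based alert)."""
    counts = Counter(ip for ip, *_ in hits)
    return sorted(ip for ip, n in counts.items() if n >= threshold)
```

Running `scan(SAMPLE_LOG)` flags the three requests from 10.0.0.9 and leaves the numeric request from 10.0.0.5 alone; `burst_sources` then surfaces 10.0.0.9 as the source exceeding the volume threshold.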

How to Mitigate CVE-2025-14090

Immediate Actions Required

  • Restrict network access to the /manager/ interface so it is reachable only from trusted administrative networks or via VPN.
  • Rotate credentials for all HiBOS management accounts, especially privileged operators capable of reaching cardmake_down.php.
  • Deploy WAF rules to block SQL injection payloads targeting the ID parameter until a vendor patch is released.

Patch Information

No official vendor patch has been published. The vendor did not respond to disclosure attempts according to the advisory. Operators should monitor VulDB CTI ID #334480 and the GitHub CVE Issue Discussion for updates and apply vendor fixes as soon as they become available.

Workarounds

  • Place the HiBOS management console behind a reverse proxy enforcing strict allow-lists on the ID parameter (numeric only).
  • Apply database-tier least privilege so the HiBOS application user cannot read or write outside its required tables.
  • Disable or remove the cardmake_down.php endpoint if the card export functionality is not in active use.
```apache
# Example WAF rule (ModSecurity) to block SQLi attempts against the vulnerable endpoint.
# The first rule matches the path and carries the disruptive action; "chain" means it only
# fires when the chained second rule also matches, i.e. when ARGS:ID contains a non-digit.
# phase:2 is the default but is stated explicitly because request arguments are only
# available in phase 2.
SecRule REQUEST_URI "@beginsWith /manager/card/cardmake_down.php" \
    "phase:2,chain,deny,status:403,id:1014090,msg:'CVE-2025-14090 SQLi attempt'"
    SecRule ARGS:ID "@rx [^0-9]" "t:none"
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.