CVE-2025-9645 Overview
CVE-2025-9645 is a SQL injection vulnerability in itsourcecode Apartment Management System 1.0. The flaw resides in the /t_dashboard/r_all_info.php script, where the mid parameter is passed to a database query without proper sanitization. Remote attackers can manipulate this parameter to inject arbitrary SQL statements. The vulnerability is classified under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component). Public disclosure includes details on a GitHub issue tracker, increasing the likelihood of opportunistic exploitation against exposed instances.
Critical Impact
Remote, unauthenticated attackers can inject SQL through the mid parameter to read, modify, or exfiltrate tenant data stored by the Apartment Management System.
Affected Products
- itsourcecode Apartment Management System 1.0
- Vendor: Admerc
- Component: /t_dashboard/r_all_info.php (mid parameter)
Discovery Timeline
- 2025-08-29 - CVE-2025-9645 published to NVD
- 2026-04-29 - Last updated in NVD database
Technical Details for CVE-2025-9645
Vulnerability Analysis
The vulnerability exists in the /t_dashboard/r_all_info.php endpoint of itsourcecode Apartment Management System 1.0. The mid request parameter is concatenated directly into a backend SQL query without parameterization or input validation. An attacker who appends SQL syntax to the mid value can break out of the original query context and execute attacker-controlled statements.
Because the endpoint is reachable over the network and requires no authentication or user interaction, exploitation is straightforward using common web tooling. The classification CWE-74 reflects improper neutralization of special elements passed to a downstream interpreter, in this case the SQL database engine.
Root Cause
The root cause is unsanitized concatenation of user-supplied input into dynamic SQL. The application does not use prepared statements, parameterized queries, or strict input type validation for the mid value. As a result, any single quote, comment marker, or SQL keyword in the request is interpreted by the database.
Attack Vector
The attack vector is the network. An attacker sends a crafted HTTP request to /t_dashboard/r_all_info.php with a malicious mid parameter value. Typical exploitation involves UNION-based extraction, boolean-based blind injection, or time-based blind injection to enumerate database schema and dump records such as tenant identifiers, billing data, and administrative credentials. Depending on database privileges, an attacker may also achieve file read or write primitives on the underlying host.
No verified exploit code is reproduced here. Refer to the GitHub Issue Report and VulDB #321852 for the published technical details.
Detection Methods for CVE-2025-9645
Indicators of Compromise
- HTTP requests to /t_dashboard/r_all_info.php containing SQL metacharacters in the mid parameter, such as single quotes, UNION SELECT, SLEEP(, or inline comment markers -- and /*.
- Web server access logs showing repeated requests to the same endpoint with varying mid payloads from a single source address.
- Unexpected outbound database errors or query timing anomalies correlated with requests to the vulnerable script.
Detection Strategies
- Inspect web server and application logs for GET or POST requests targeting r_all_info.php with non-numeric or oversized mid values.
- Deploy a web application firewall rule that flags SQL injection signatures against the affected URI pattern.
- Enable database query auditing to capture queries that contain OR 1=1, stacked statements, or schema enumeration against information_schema.
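The first detection strategy above, as an added PHP example that is not part of the advisory: it parses combined-format web server access log lines, flags requests to r_all_info.php whose mid value is not a plain positive integer, and counts flagged requests per source address. The sample log lines, the 10-digit length limit and the documentation-range addresses are constructed assumptions.

```php
<?php
// Added example (not from the advisory or the vendor): scans combined-format access log
// lines for requests to r_all_info.php whose mid value is not a plain positive integer
// and counts flagged requests per source address. Sample lines are constructed.
declare(strict_types=1);
const TARGET_PATH = '/t_dashboard/r_all_info.php';
const MAX_MID_LEN = 10;  // assumption: a real tenant id never needs more than 10 digits

// Parses one Apache/nginx combined-format line; returns null if the line does not match.
function parse_log_line(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) ([^?\s]+)(?:\?(\S*))? [^"]*" (\d{3})/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'method' => $m[2], 'path' => $m[3],
            'query' => $m[4] ?? '', 'status' => (int) $m[5]];
}

// Returns a short reason when the request looks like a probe of the mid parameter.
function suspicious_mid(array $req): ?string
{
    if ($req['path'] !== TARGET_PATH || $req['query'] === '') {
        return null;
    }
    parse_str($req['query'], $params);   // percent-decodes, so %27 becomes a quote
    if (!isset($params['mid'])) { return null; }
    if (!is_string($params['mid'])) { return 'array-valued mid'; }   // mid[]=... is never an id
    if (!preg_match('/^[0-9]+$/', $params['mid'])) {
        return 'non-numeric mid: ' . $params['mid'];
    }
    return strlen($params['mid']) > MAX_MID_LEN ? 'oversized mid' : null;
}

$sample = [   // constructed lines; 203.0.113.0/24 is a documentation address range
    '203.0.113.10 - - [29/Aug/2025:10:15:01 +0000] "GET /t_dashboard/r_all_info.php?mid=12 HTTP/1.1" 200 1532',
    '203.0.113.77 - - [29/Aug/2025:10:16:03 +0000] "GET /t_dashboard/r_all_info.php?mid=12%27-- HTTP/1.1" 500 221',
    '203.0.113.77 - - [29/Aug/2025:10:16:05 +0000] "GET /t_dashboard/r_all_info.php?mid=12%20AND%20SLEEP(5) HTTP/1.1" 200 1532',
    '203.0.113.10 - - [29/Aug/2025:10:17:00 +0000] "GET /index.php?mid=abc HTTP/1.1" 200 800',
];
$perIp = [];
foreach ($sample as $line) {
    $req = parse_log_line($line);
    if ($req !== null && ($why = suspicious_mid($req)) !== null) {
        $perIp[$req['ip']] = ($perIp[$req['ip']] ?? 0) + 1;
        printf("%s %s -> %s (HTTP %d)\n", $req['ip'], $req['path'], $why, $req['status']);
    }
}
print_r($perIp);   // repeated flagged requests from one address stand out here
```

Only requests to the affected path are examined, so the same non-numeric mid on another script (last sample line) is ignored; widen TARGET_PATH to a list if other scripts share the parameter.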
Monitoring Recommendations
- Forward web server, PHP error, and MySQL or MariaDB audit logs to a centralized analytics platform for correlation.
- Alert on HTTP 500 responses from the affected endpoint, which often indicate failed injection attempts.
- Track outbound data volumes from the database tier to identify bulk extraction attempts.
How to Mitigate CVE-2025-9645
Immediate Actions Required
- Restrict network exposure of the Apartment Management System to trusted networks or place it behind an authenticated reverse proxy.
- Deploy a web application firewall with SQL injection rules covering the /t_dashboard/r_all_info.php path and the mid parameter.
- Audit database accounts used by the application and remove unnecessary privileges such as FILE, SUPER, or write access to administrative tables.
- Review historical web and database logs for prior exploitation attempts against the affected endpoint.
Patch Information
At the time of publication, no official vendor patch has been listed in the references for itsourcecode Apartment Management System 1.0. Operators should monitor the IT Source Code Resource and the VulDB CTI ID #321852 entry for vendor updates. Until a fix is published, source-code remediation should replace string-concatenated SQL with parameterized queries using PDO or mysqli prepared statements, and enforce strict integer validation on the mid parameter.
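The source-code remediation described above, together with the concatenation pattern described under Root Cause, as an added PHP example that is not the application's own code: the vulnerable function is a hypothetical reconstruction of the pattern the advisory describes, the table and column names (tenant_info, mid) are assumptions, and the hardened version combines strict integer validation with a PDO prepared statement. Requires PHP 8 with the PDO extension.

```php
<?php
// Added example, not the application's own code: the "vulnerable" function is a
// hypothetical reconstruction of the concatenation pattern the advisory describes, and
// the table/column names (tenant_info, mid) are assumptions. Requires PHP 8 and PDO.
declare(strict_types=1);

// VULNERABLE PATTERN (the root cause described above): the raw request value is spliced
// into the SQL text, so any quote, comment marker or keyword in it becomes part of the query.
function lookup_vulnerable(mysqli $db, array $request)
{
    $sql = "SELECT * FROM tenant_info WHERE mid = '" . $request['mid'] . "'";
    return $db->query($sql);
}

// Fix part 1: strict integer validation. Anything that is not a positive integer
// (quotes, comment markers, keywords, empty, negative or array values) is rejected up front.
function validate_mid(mixed $raw): ?int
{
    $mid = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $mid === false ? null : $mid;
}

// Fix part 2: a prepared statement binds mid as a typed parameter, so the database
// never parses it as SQL syntax even if validation were somehow bypassed.
function lookup_hardened(PDO $pdo, array $request): ?array
{
    $mid = validate_mid($request['mid'] ?? null);
    if ($mid === null) {
        http_response_code(400);      // refuse the request instead of guessing
        return null;
    }
    $stmt = $pdo->prepare('SELECT * FROM tenant_info WHERE mid = :mid');
    $stmt->bindValue(':mid', $mid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Self-check of the validator on constructed inputs (no database connection needed).
foreach (['42', "42' OR 1=1 -- ", '0', ['42']] as $input) {
    var_dump(validate_mid($input));
}
```

Only the first constructed input survives validation; the others are rejected before any SQL is built, which is the server-side filter the Workarounds section asks for.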
Workarounds
- Apply a server-side input filter that rejects any mid value that is not a positive integer before the request reaches PHP application code.
- Use mod_rewrite or equivalent rules to block requests where mid contains characters outside the [0-9] range.
- Temporarily disable the /t_dashboard/r_all_info.php endpoint if it is not required for business operations.
# Example WAF/ModSecurity rule to block non-numeric mid values.
# Rule 1 matches the vulnerable path and carries the disruptive action (deny, 403);
# "chain" makes it fire only when the chained rule 2 below also matches.
SecRule REQUEST_URI "@contains /t_dashboard/r_all_info.php" \
    "chain,phase:2,deny,status:403,id:1009645,msg:'CVE-2025-9645 SQLi attempt'"
# Rule 2: mid is present but not made up entirely of digits (phase 2 covers GET and POST args).
    SecRule ARGS:mid "!@rx ^[0-9]+$" "t:none"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.