CVE Alert: CVE-2025-9509 – itsourcecode – Apartment Management System
CVE-2025-9509
A security flaw has been discovered in itsourcecode Apartment Management System 1.0. It affects an unspecified part of the file /report/fair_info_all.php: manipulating the fid argument results in SQL injection. The attack can be initiated remotely, and an exploit has been released to the public, so the flaw may already be exploited.
AI Summary Analysis
Risk verdict
Remote SQL injection via the fid parameter of /report/fair_info_all.php, with a public exploit available, giving an attacker a feasible path to reading or modifying database contents. The description says the attack can be launched remotely but does not state whether a valid session is needed, so treat the endpoint as reachable by anyone who can reach the host.
Why this matters
SQL injection in a report endpoint lets an attacker read, and depending on the privileges of the application's database account, modify or delete the data the application stores; expensive injected queries can also degrade availability. Because an exploit is public, automated scanning and mass exploitation attempts are likely, which raises the risk for any organisation hosting the itsourcecode Apartment Management System on the Internet.
Most likely attack path
An attacker sends crafted HTTP requests to /report/fair_info_all.php with a fid value that breaks out of the intended query, for example by appending a tautology or a UNION SELECT. No user interaction is required, the advisory mentions no authentication requirement, and no chaining with other flaws is needed: the weakness is unsafe handling of a single request parameter, so data is exposed to the full extent of the application's database privileges.
Who is most exposed
Internet-facing deployments of the Apartment Management System, typical of small-to-medium organisations and of hosting providers running it for tenants, are at greatest risk, particularly where the application's database account has broad privileges or shares a database server with other applications.
Detection ideas
- Monitor requests to /report/fair_info_all.php whose fid value is anything other than a plain integer; URL-decode the query string before matching, since payloads are usually percent-encoded.
- Look for database error messages, or references to information_schema, in web-server and application logs.
- Watch for a spike in database errors (HTTP 5xx responses from this endpoint) or long-running queries tied to it; these accompany error-based and time-based probing.
- Review WAF/IDS alerts for common SQLi signatures (UNION SELECT, tautologies such as OR 1=1, SLEEP/BENCHMARK).
- Flag repeated requests to the report endpoint from a single source, or from addresses that never otherwise use the application.
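The detection ideas above, turned into a small log-scanning routine. This is an added example and not code from the advisory or from the itsourcecode project: it parses combined-format access log lines, keeps only requests to /report/fair_info_all.php, URL-decodes the fid value the way PHP would before it reaches $_GET, and reports which signature fired. The log lines are constructed for illustration (documentation IP ranges, textbook payloads), and the signature list is an assumption about what probing against an integer id parameter looks like, not a record of the published exploit.

```python
import re
from collections import Counter
from urllib.parse import urlparse, parse_qs

# Constructed sample access-log lines (combined/common log format). Not real
# traffic: addresses are RFC 5737 documentation ranges and the payloads are
# generic SQLi probes against the fid parameter.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jan/2025:10:00:01 +0000] "GET /report/fair_info_all.php?fid=12 HTTP/1.1" 200 5120
203.0.113.10 - - [01/Jan/2025:10:00:02 +0000] "GET /report/fair_info_all.php?fid=12' HTTP/1.1" 500 312
203.0.113.10 - - [01/Jan/2025:10:00:03 +0000] "GET /report/fair_info_all.php?fid=12%20UNION%20SELECT%201,2,3,4--%20- HTTP/1.1" 200 8800
198.51.100.7 - - [01/Jan/2025:10:00:04 +0000] "GET /report/fair_info_all.php?fid=1%20OR%201%3D1 HTTP/1.1" 200 9000
198.51.100.7 - - [01/Jan/2025:10:00:05 +0000] "GET /report/fair_info_all.php?fid=1%20AND%20SLEEP(5) HTTP/1.1" 200 5100
203.0.113.55 - - [01/Jan/2025:10:00:06 +0000] "GET /index.php HTTP/1.1" 200 1200
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

VULN_PATH = "/report/fair_info_all.php"

# Signatures are matched against the decoded fid value. Order only affects the
# order of names in the result.
SQLI_PATTERNS = [
    ("union_select", re.compile(r"\bunion\b.*\bselect\b", re.I | re.S)),
    ("tautology", re.compile(r"\b(or|and)\b\s+\S+\s*=\s*\S+", re.I)),
    ("time_based", re.compile(r"\b(sleep|benchmark|waitfor)\b", re.I)),
    ("schema_probe", re.compile(r"information_schema", re.I)),
    ("quote_or_comment", re.compile(r"['\"]|--|#|/\*")),
]


def classify_fid(value: str) -> list[str]:
    """Signature names matched by an already URL-decoded fid value.

    fid is a numeric record id in this application, so any value that is not
    a plain integer is reported even when no known payload pattern matches.
    """
    hits = [name for name, rx in SQLI_PATTERNS if rx.search(value)]
    if not re.fullmatch(r"[0-9]+", value):
        hits.append("non_numeric")
    return hits


def scan_log(text: str) -> list[dict]:
    """One finding per request to the vulnerable endpoint whose fid looks hostile."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlparse(m["target"])
        if url.path != VULN_PATH:
            continue
        # parse_qs percent-decodes and turns '+' into spaces, so the patterns
        # run on what the PHP script would actually see in $_GET['fid'].
        for value in parse_qs(url.query, keep_blank_values=True).get("fid", []):
            sigs = classify_fid(value)
            if sigs:
                findings.append({
                    "ip": m["ip"], "ts": m["ts"], "fid": value,
                    "status": int(m["status"]), "signatures": sigs,
                })
    return findings


def attempts_by_ip(findings: list[dict]) -> dict:
    """Repeated attempts from one source: the 'anomalous access' signal in the list above."""
    return dict(Counter(f["ip"] for f in findings))


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        note = " (5xx: probable raw SQL error path)" if f["status"] >= 500 else ""
        print(f'{f["ts"]} {f["ip"]} fid={f["fid"]!r} -> {",".join(f["signatures"])}{note}')
    print("attempts per source:", attempts_by_ip(found))
```

The benign request (fid=12) produces no finding; the other four requests to the endpoint are reported, and the 500 response on the quote probe is the corroborating database-error signal. The same logic applies unchanged to any endpoint that takes an integer id, which is why the pattern list is kept separate from the path check.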
Mitigation and prioritisation
- Apply the vendor's fix if one has been published, verifying it in staging before production; until then, restrict access to /report/fair_info_all.php (or the whole /report/ directory) to authenticated users or trusted networks as a compensating control.
- Rewrite the query behind fid as a prepared statement with a bound parameter, and validate that fid is an integer id before it reaches the database.
- Run the application under a database account with only the privileges the report needs (typically SELECT on the relevant tables), so that an injection cannot write, drop, or read unrelated tables.
- Deploy WAF/IPS rules for SQL injection payloads on the endpoint and alert on repeated attempts from one source.
- Manage the change formally: schedule and test the remediation, then re-scan after deployment to confirm the injection is no longer reproducible.
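The attack path and the parameterised-query mitigation described above, shown side by side. This is an added example, not code from the advisory or from the itsourcecode project (which is PHP, and whose schema is not on this page): it uses Python with an in-memory SQLite database as a stand-in, with constructed table and column names, to show why string-concatenated SQL is exploitable through fid and why a bound parameter, with type validation in front of it, is not.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the application's database (constructed schema and data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE fair_info (fid INTEGER PRIMARY KEY, tenant TEXT, amount REAL);
        INSERT INTO fair_info VALUES (1, 'tenant-a', 500.0), (2, 'tenant-b', 650.0), (3, 'tenant-c', 700.0);
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        INSERT INTO users VALUES (1, 'admin', 'constructed-hash-value');
    """)
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, fid: str) -> list:
    # The defect class in the advisory: the request parameter is spliced into
    # the SQL text, so whatever it contains is parsed as SQL, not treated as data.
    sql = "SELECT fid, tenant, amount FROM fair_info WHERE fid = " + fid
    return conn.execute(sql).fetchall()


def parameterised_lookup(conn: sqlite3.Connection, fid: str) -> list:
    # Binding alone stops the injection: the value travels separately from the
    # statement, so "1 OR 1=1" is compared as one literal string and matches nothing.
    return conn.execute(
        "SELECT fid, tenant, amount FROM fair_info WHERE fid = ?", (fid,)
    ).fetchall()


def hardened_lookup(conn: sqlite3.Connection, fid: str):
    # Defence in depth: check that fid is the integer id the application expects
    # before any query runs. Returns None for malformed input so the caller can
    # answer HTTP 400 rather than touching the database at all.
    if not re.fullmatch(r"[0-9]+", fid):
        return None
    return conn.execute(
        "SELECT fid, tenant, amount FROM fair_info WHERE fid = ?", (int(fid),)
    ).fetchall()


def demo() -> dict:
    """Run a benign id and two generic payloads through all three variants."""
    conn = make_db()
    payloads = {
        "benign": "2",
        "tautology": "1 OR 1=1",
        # UNION pulls rows from an unrelated table: the column count and
        # positions must line up with the original SELECT, which they do here.
        "union": "0 UNION SELECT id, username, password_hash FROM users",
    }
    results = {}
    for name, payload in payloads.items():
        results[name] = {
            "vulnerable": vulnerable_lookup(conn, payload),
            "parameterised": parameterised_lookup(conn, payload),
            "hardened": hardened_lookup(conn, payload),
        }
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name}:")
        for variant, rows in r.items():
            print(f"  {variant:<14} {rows}")
```

With the vulnerable variant the tautology returns every row in fair_info and the UNION payload returns the admin row from users; the parameterised variant returns nothing for either payload and the hardened variant refuses to run them. The UNION result is also the reason the least-privilege bullet matters: if the application's database account cannot read users, that payload fails even against unfixed code.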